Skip to content

fix: Bump Go deps to fix CVEs#1303

Merged
howard-junec merged 1 commit into
aws:mainfrom
howard-junec:fix-controller-cve-deps
Jun 25, 2026
Merged

fix: Bump Go deps to fix CVEs#1303
howard-junec merged 1 commit into
aws:mainfrom
howard-junec:fix-controller-cve-deps

Conversation

@howard-junec

Copy link
Copy Markdown
Member

Issue #, if available:

N/A (CVE remediation)

Description of changes:

Bump Go dependencies to fix critical CVEs in package controller:

  • github.com/containerd/containerd v1.7.29 -> v1.7.32 (GO-2026-5378: runAsNonRoot bypass)
  • golang.org/x/crypto v0.51.0 -> v0.52.0 (CVE-2026-39830 through CVE-2026-46595)
  • google.golang.org/grpc v1.68.1 -> v1.79.3 (CVE-2026-33186: auth bypass)
  • generatebundlefile/go.mod tidied for compatibility

credential-provider-package already has x/net v0.55.0 (from #1292).

Will cherry-pick to release-0.24 and release-0.25 after merge.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

- containerd v1.7.29 -> v1.7.33 (GO-2026-5378 + GHSA-xhf5-7wjv-pqxp + GHSA-jpcc-p29g-p8mq)
- golang.org/x/crypto v0.51.0 -> v0.52.0 (CVE-2026-39830 to CVE-2026-46595)
- google.golang.org/grpc v1.68.1 -> v1.79.3 (CVE-2026-33186)
@howard-junec howard-junec force-pushed the fix-controller-cve-deps branch from 5667ee5 to cb55584 Compare June 25, 2026 21:36
@peirulu

peirulu commented Jun 25, 2026

Copy link
Copy Markdown
Member

/lgtm
/approve

@howard-junec howard-junec merged commit a81627e into aws:main Jun 25, 2026
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants