chore(deps): update module github.com/docker/cli to v29 [security]#560

Merged

NumaryBot merged 1 commit into

mainfrom

renovate/go-github.com-docker-cli-vulnerability

Mar 6, 2026

Contributor

NumaryBot commented Mar 6, 2026

This PR contains the following updates:

Package	Type	Update	Change
github.com/docker/cli	indirect	major	`v28.0.4+incompatible` -> `v29.2.0+incompatible`

GitHub Vulnerability Alerts

CVE-2025-15558

This issue affects Docker CLI through 29.1.5

Impact

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.

This issue affects Docker CLI through v29.1.5 (fixed in v29.2.0). It impacts Windows binaries acting as a CLI plugin manager via the github.com/docker/cli/cli-plugins/manager package, which is consumed by downstream projects such as Docker Compose.

Docker Compose became affected starting in v2.31.0, when it incorporated the relevant CLI plugin manager code (see https://github.com/docker/compose/pull/12300), and is fixed in v5.1.0.

This issue does not impact non-Windows binaries or projects that do not use the plugin manager code.

Patches

Fixed version starts with 29.2.0

This issue was fixed in docker/cli@1375933 (https://github.com/docker/cli/pull/6713), which removed %PROGRAMDATA%\Docker\cli-plugins from the list of paths used for plugin-discovery on Windows.

Workarounds

None

Resources

Pull request: "cli-plugins/manager: remove legacy system-wide cli-plugin path" (https://github.com/docker/cli/pull/6713)
Patch: https://github.com/docker/cli/commit/13759330b1f7e7cb0d67047ea42c5482548ba7fa.patch

Credits

Nitesh Surana (niteshsurana.com) of Trend Research of TrendAI

Release Notes

docker/cli (github.com/docker/cli)

`v29.2.0+incompatible`

`v29.1.5+incompatible`

`v29.1.4+incompatible`

`v29.1.3+incompatible`

`v29.1.2+incompatible`

`v29.1.1+incompatible`

`v29.1.0+incompatible`

`v29.0.4+incompatible`

`v29.0.3+incompatible`

`v29.0.2+incompatible`

`v29.0.1+incompatible`

`v29.0.0+incompatible`

`v28.5.2+incompatible`

`v28.5.1+incompatible`

`v28.5.0+incompatible`

`v28.4.0+incompatible`

`v28.3.3+incompatible`

`v28.3.2+incompatible`

`v28.3.1+incompatible`

`v28.3.0+incompatible`

`v28.2.2+incompatible`

`v28.2.1+incompatible`

`v28.2.0+incompatible`

`v28.1.1+incompatible`

`v28.1.0+incompatible`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.


          chore(deps): update module github.com/docker/cli to v29 [security]

b5ee037

NumaryBot requested a review from a team as a code owner

March 6, 2026 02:56

NumaryBot enabled auto-merge

March 6, 2026 02:56

coderabbitai Bot commented Mar 6, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

go.mod is excluded by !**/*.mod
go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b76127d6-8f16-434c-a233-de70d0713c59

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch renovate/go-github.com-docker-cli-vulnerability

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

codecov Bot commented Mar 6, 2026 •

edited

Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.81%. Comparing base (c68259f) to head (b5ee037).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #560      +/-   ##
==========================================
+ Coverage   28.76%   28.81%   +0.04%     
==========================================
  Files         175      175              
  Lines        7063     7063              
==========================================
+ Hits         2032     2035       +3     
+ Misses       4913     4911       -2     
+ Partials      118      117       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

fguery approved these changes

View reviewed changes

NumaryBot added this pull request to the merge queue

Merged via the queue into main with commit bfe5cd1

7 checks passed

NumaryBot deleted the renovate/go-github.com-docker-cli-vulnerability branch

March 6, 2026 11:02

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet