hashicorp · pkazmierczak · Apr 22, 2026 · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026
@@ -29,13 +29,8 @@ binary {
   triage {
     suppress {
       vulnerabilities = [
-        "GO-2022-0635",        // github.com/aws/aws-sdk-go@v1.55.6 TODO(jrasell): remove when dep updated.
-        "GO-2025-3543",        // github.com/opencontainers/runc    TODO(jrasell): remove once withdrawn from DBs.
-        "GO-2025-3829",        // https://github.com/moby/moby/releases/tag/v28.3.3 TODO(tgross): remove once verified, updated or withdrawn https://pkg.go.dev/vuln/GO-2025-3829
-        "GO-2026-4887",        // github.com/docker/docker with no current fix.
-        "GO-2026-4883",        // github.com/docker/docker with no current fix.
-        "GHSA-x744-4wpc-v9h2", // github.com/docker/docker with no current fix.
-        "GHSA-pxq6-2prw-chj9", // github.com/docker/docker with no current fix.
+        "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.55.6 TODO(jrasell): remove when dep updated.
+        "GO-2025-3543", // github.com/opencontainers/runc    TODO(jrasell): remove once withdrawn from DBs.
       ]
     }
   }

diff --git a/.semgrep/mpl_busl.yml b/.semgrep/mpl_busl.yml
@@ -40,6 +40,7 @@ rules:
             - pattern-not: "helper/pluginutils/grpcutils..."
             - pattern-not: "helper/pluginutils/hclspecutils..."
             - pattern-not: "helper/pointer..."
+            - pattern-not: "helper/resolvconf..."
             - pattern-not: "helper/testlog..."
             - pattern-not: "helper/uuid..."
             - pattern-not: "jobspec..."

@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"testing"
 
-	docker "github.com/docker/docker/client"
 	"github.com/hashicorp/nomad/testutil"
+	docker "github.com/moby/moby/client"
 )
 
 // DockerIsConnected checks to see if a docker daemon is available (local or remote)

@@ -16,7 +16,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/docker/pkg/ioutils"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-msgpack/v2/codec"
 	"github.com/hashicorp/nomad/acl"
@@ -28,6 +27,7 @@ import (
 	"github.com/hashicorp/nomad/nomad"
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/serf/serf"
+	"github.com/moby/moby/v2/pkg/ioutils"
 )
 
 type Member struct {

@@ -15,9 +15,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/docker/pkg/ioutils"
 	"github.com/hashicorp/go-msgpack/v2/codec"
 	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/moby/moby/v2/pkg/ioutils"
 	"golang.org/x/sync/errgroup"
 )
 

@@ -13,10 +13,10 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/docker/pkg/ioutils"
 	"github.com/hashicorp/go-msgpack/v2/codec"
 	cstructs "github.com/hashicorp/nomad/client/structs"
 	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/moby/moby/v2/pkg/ioutils"
 )
 
 var (

@@ -12,8 +12,6 @@ import (
 	"strings"
 	"time"
 
-	containerapi "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/mount"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/drivers/shared/capabilities"
 	"github.com/hashicorp/nomad/helper/pluginutils/hclutils"
@@ -22,6 +20,8 @@ import (
 	"github.com/hashicorp/nomad/plugins/drivers"
 	"github.com/hashicorp/nomad/plugins/drivers/fsisolation"
 	"github.com/hashicorp/nomad/plugins/shared/hclspec"
+	containerapi "github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/api/types/mount"
 )
 
 const (

@@ -13,11 +13,10 @@ import (
 	"time"
 
 	"github.com/containerd/errdefs"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/registry"
 	hclog "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/moby/moby/api/types/registry"
+	mclient "github.com/moby/moby/client"
 )
 
 var (
@@ -72,9 +71,9 @@ func (p *pullFuture) set(imageID, imageUser string, err error) {
 // DockerImageClient provides the methods required to do CRUD operations on the
 // Docker images
 type DockerImageClient interface {
-	ImagePull(ctx context.Context, refStr string, opts image.PullOptions) (io.ReadCloser, error)
-	ImageInspectWithRaw(ctx context.Context, id string) (types.ImageInspect, []byte, error)
-	ImageRemove(ctx context.Context, id string, opts image.RemoveOptions) ([]image.DeleteResponse, error)
+	ImagePull(ctx context.Context, refStr string, opts mclient.ImagePullOptions) (mclient.ImagePullResponse, error)
+	ImageInspect(ctx context.Context, id string, inspectOpts ...mclient.ImageInspectOption) (mclient.ImageInspectResult, error)
+	ImageRemove(ctx context.Context, id string, opts mclient.ImageRemoveOptions) (mclient.ImageRemoveResult, error)
 }
 
 // LogEventFn is a callback which allows Drivers to emit task events.
@@ -205,7 +204,7 @@ func (d *dockerCoordinator) pullImageImpl(imageID string, authOptions *registry.
 		auth = *authOptions
 	}
 
-	pullOptions := image.PullOptions{RegistryAuth: auth.Auth}
+	pullOptions := mclient.ImagePullOptions{RegistryAuth: auth.Auth}
 	reader, err := d.client.ImagePull(pullCtx, dockerImageRef(repo, tag), pullOptions)
 
 	if errors.Is(err, context.DeadlineExceeded) {
@@ -230,7 +229,7 @@ func (d *dockerCoordinator) pullImageImpl(imageID string, authOptions *registry.
 
 	d.logger.Debug("docker pull succeeded", "image_ref", dockerImageRef(repo, tag))
 
-	dockerImage, _, err := d.client.ImageInspectWithRaw(d.ctx, imageID)
+	dockerImage, err := d.client.ImageInspect(d.ctx, imageID)
 	if err != nil {
 		d.logger.Error("failed getting image id", "image_name", imageID, "error", err)
 		return "", "", recoverableErrTimeouts(err)
@@ -344,7 +343,7 @@ func (d *dockerCoordinator) removeImageImpl(id string, ctx context.Context) {
 	d.imageLock.Unlock()
 
 	for i := 0; i < 3; i++ {
-		_, err := d.client.ImageRemove(d.ctx, id, image.RemoveOptions{
+		_, err := d.client.ImageRemove(d.ctx, id, mclient.ImageRemoveOptions{
 			Force: true, // necessary to GC images referenced by multiple tags
 		})
 		if err == nil {

@@ -7,17 +7,18 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io"
+	"iter"
 	"sync"
 	"testing"
 	"time"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/image"
 	"github.com/hashicorp/nomad/ci"
 	"github.com/hashicorp/nomad/helper/testlog"
 	"github.com/hashicorp/nomad/helper/uuid"
 	"github.com/hashicorp/nomad/testutil"
+	"github.com/moby/moby/api/types/image"
+	"github.com/moby/moby/api/types/jsonstream"
+	mclient "github.com/moby/moby/client"
 	"github.com/shoenig/test/must"
 	"github.com/stretchr/testify/require"
 )
@@ -27,7 +28,7 @@ type mockImageClient struct {
 	idToName   map[string]string
 	removed    map[string]int
 	pullDelay  time.Duration
-	pullReader io.ReadCloser
+	pullReader mclient.ImagePullResponse
 	lock       sync.Mutex
 }
 
@@ -40,7 +41,7 @@ func newMockImageClient(idToName map[string]string, pullDelay time.Duration) *mo
 	}
 }
 
-func (m *mockImageClient) ImagePull(ctx context.Context, refStr string, opts image.PullOptions) (io.ReadCloser, error) {
+func (m *mockImageClient) ImagePull(ctx context.Context, refStr string, opts mclient.ImagePullOptions) (mclient.ImagePullResponse, error) {
 	select {
 	case <-ctx.Done():
 		return nil, fmt.Errorf("mockImageClient.ImagePull aborted: %w", ctx.Err())
@@ -52,27 +53,29 @@ func (m *mockImageClient) ImagePull(ctx context.Context, refStr string, opts ima
 	return m.pullReader, nil
 }
 
-func (m *mockImageClient) ImageInspectWithRaw(ctx context.Context, id string) (types.ImageInspect, []byte, error) {
+func (m *mockImageClient) ImageInspect(ctx context.Context, id string, inspectOpts ...mclient.ImageInspectOption) (mclient.ImageInspectResult, error) {
 	m.lock.Lock()
 	defer m.lock.Unlock()
-	return types.ImageInspect{
-		ID: m.idToName[id],
-	}, []byte{}, nil
+	return mclient.ImageInspectResult{
+		InspectResponse: image.InspectResponse{
+			ID: m.idToName[id],
+		},
+	}, nil
 }
 
-func (m *mockImageClient) ImageRemove(ctx context.Context, id string, opts image.RemoveOptions) ([]image.DeleteResponse, error) {
+func (m *mockImageClient) ImageRemove(ctx context.Context, id string, opts mclient.ImageRemoveOptions) (mclient.ImageRemoveResult, error) {
 	m.lock.Lock()
 	defer m.lock.Unlock()
 	m.removed[id]++
-	return []image.DeleteResponse{}, nil
+	return mclient.ImageRemoveResult{}, nil
 }
 
 type readErrorer struct {
 	readErr    error
 	closeError error
 }
 
-var _ io.ReadCloser = &readErrorer{}
+var _ mclient.ImagePullResponse = &readErrorer{}
 
 func (r *readErrorer) Read(p []byte) (n int, err error) {
 	return len(p), r.readErr
@@ -82,6 +85,14 @@ func (r *readErrorer) Close() error {
 	return r.closeError
 }
 
+func (r *readErrorer) JSONMessages(ctx context.Context) iter.Seq2[jsonstream.Message, error] {
+	return func(yield func(jsonstream.Message, error) bool) {}
+}
+
+func (r *readErrorer) Wait(ctx context.Context) error {
+	return nil
+}
+
 func TestDockerCoordinator_ConcurrentPulls(t *testing.T) {
 	ci.Parallel(t)
 	image := "foo"

@@ -13,11 +13,11 @@ import (
 	"time"
 
 	"github.com/containerd/errdefs"
-	containerapi "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/client"
+	mclient "github.com/moby/moby/client"
 
 	"github.com/hashicorp/nomad/client/lib/fifo"
 )
@@ -96,7 +96,7 @@ func (d *dockerLogger) Start(opts *StartOpts) error {
 		backoff := 0.0
 
 		for {
-			logOpts := containerapi.LogsOptions{
+			logOpts := mclient.ContainerLogsOptions{
 				Since:      sinceTime.Format(time.RFC3339),
 				Follow:     true,
 				ShowStdout: true,
@@ -134,12 +134,12 @@ func (d *dockerLogger) Start(opts *StartOpts) error {
 
 			sinceTime = time.Now()
 
-			container, err := client.ContainerInspect(ctx, opts.ContainerID)
+			container, err := client.ContainerInspect(ctx, opts.ContainerID, mclient.ContainerInspectOptions{})
 			if err != nil {
 				if !errdefs.IsNotFound(err) {
 					return
 				}
-			} else if !container.State.Running {
+			} else if !container.Container.State.Running {
 				return
 			}
 		}
@@ -223,27 +223,23 @@ func (d *dockerLogger) getDockerClient(opts *StartOpts) (*client.Client, error)
 	if opts.Endpoint != "" {
 		if opts.TLSCert+opts.TLSKey+opts.TLSCA != "" {
 			d.logger.Debug("using TLS client connection to docker", "endpoint", opts.Endpoint)
-			newClient, err = client.NewClientWithOpts(
+			newClient, err = client.New(
 				client.WithHost(opts.Endpoint),
 				client.WithTLSClientConfig(opts.TLSCA, opts.TLSCert, opts.TLSKey),
-				client.WithAPIVersionNegotiation(),
 			)
 			if err != nil {
 				merr.Errors = append(merr.Errors, err)
 			}
 		} else {
 			d.logger.Debug("using plaintext client connection to docker", "endpoint", opts.Endpoint)
-			newClient, err = client.NewClientWithOpts(
-				client.WithHost(opts.Endpoint),
-				client.WithAPIVersionNegotiation(),
-			)
+			newClient, err = client.New(client.WithHost(opts.Endpoint))
 			if err != nil {
 				merr.Errors = append(merr.Errors, err)
 			}
 		}
 	} else {
 		d.logger.Debug("using client connection initialized from environment")
-		newClient, err = client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+		newClient, err = client.New(client.FromEnv)
 		if err != nil {
 			merr.Errors = append(merr.Errors, err)
 		}