chore(deps): bump the go-minor-patch group across 1 directory with 2 updates #68

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/go-minor-patch-8bbbb99566

dependabot bot commented on behalf of github on Feb 9, 2026

Bumps the go-minor-patch group with 2 updates in the / directory: github.com/klauspost/compress and github.com/containerd/stargz-snapshotter/estargz.

Updates github.com/klauspost/compress from 1.18.3 to 1.18.4

Release notes

Sourced from github.com/klauspost/compress's releases.

v1.18.4

What's Changed

New Contributors

Full Changelog: klauspost/compress@v1.18.2...v1.18.4

Commits

Updates github.com/containerd/stargz-snapshotter/estargz from 0.18.1 to 0.18.2

Release notes

Sourced from github.com/containerd/stargz-snapshotter/estargz's releases.

v0.18.2

Notable Changes

  • Fixed restart failure when kubeconfig-based authentication is enabled (#2217)
  • Fixed the filesystem to display ".." and "." entries in directories (#2188)
  • Allowed asynchronous prefetch via configurable threshold (#2216), thanks to @​wswsmao
  • Allowed configuring the global request timeout duration (#2215), thanks to @​wswsmao
  • Allowed optionally adding log file access information on first access (#2205), thanks to @​wswsmao
  • Fixed ctr-remote's "-t" flag's not defined error when optimizing an image (#2186), thanks to @​bettermultiply
  • Fixed ctr-remote's "--reuse" flag being ignored when "--no-optimize" is set (#2206), thanks to @​wswsmao
  • Fixed passthrough mode to ensure closing fds (#2226), thanks to @​luochenglcs
  • Fixed incorrect variable assign in the estargz lib (#2222), thanks to @​bettermultiply
  • Fixed errors in k3s CI (#2207), thanks to @​wswsmao
Commits
  • 3070538 Merge pull request #2231 from ktock/prepare-v0.18.2
  • 3528ff6 Prepare for v0.18.2
  • 26b36ca Merge pull request #2233 from ktock/dockerifle202602
  • 812ba6c Dockerfile: bump up dependencies
  • 78a117d Merge pull request #2230 from containerd/dependabot/go_modules/gomod-79093de63b
  • 4c0f6a0 build(deps): bump the gomod group across 3 directories with 2 updates
  • ee524fe Merge pull request #2227 from containerd/dependabot/go_modules/gomod-a2c59b68ad
  • 4ba62f4 build(deps): bump github.com/sirupsen/logrus
  • b4360b7 Merge pull request #2226 from luochenglcs/fix
  • d6c57a3 Merge pull request #2205 from wswsmao/pathlog
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…updates

Bumps the go-minor-patch group with 2 updates in the / directory: [github.com/klauspost/compress](https://github.com/klauspost/compress) and [github.com/containerd/stargz-snapshotter/estargz](https://github.com/containerd/stargz-snapshotter).


Updates `github.com/klauspost/compress` from 1.18.3 to 1.18.4
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](klauspost/compress@v1.18.3...v1.18.4)

Updates `github.com/containerd/stargz-snapshotter/estargz` from 0.18.1 to 0.18.2
- [Release notes](https://github.com/containerd/stargz-snapshotter/releases)
- [Commits](containerd/stargz-snapshotter@v0.18.1...v0.18.2)

---
updated-dependencies:
- dependency-name: github.com/klauspost/compress
  dependency-version: 1.18.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/containerd/stargz-snapshotter/estargz
  dependency-version: 0.18.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels on Feb 9, 2026

cloudflare-workers-and-pages bot commented Feb 9, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! View logs | blob | 5b78533 | Commit Preview URL, Branch Preview URL | Feb 09 2026, 10:13 AM |

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the dependency updates (klauspost/compress and containerd/stargz-snapshotter/estargz) are clean with zero vulnerabilities, the Go standard library v1.25.5 has three critical affected vulnerabilities that must be addressed first: two crypto/tls issues (CVE-2025-68121, CVE-2025-61730) that pose risks to encrypted communications, and one net/url memory exhaustion vulnerability (CVE-2025-61726) that could enable DoS attacks. Action required: Update Go to a patched version using 'go get -u' and 'go mod tidy', then verify with 'govulncheck'. Once the Go version is updated, this PR can proceed safely as the dependency changes themselves pose minimal risk.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Update the Go standard library version to address the three affected vulnerabilities. Run 'go get -u' and 'go mod tidy' to update to the latest patched version of Go that resolves GO-2026-4337 (CVE-2025-68121), GO-2026-4340 (CVE-2025-61730), and GO-2026-4341 (CVE-2025-61726). Verify with 'govulncheck' after updating.


@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 5b78533, performed at: 2026-02-09T10:13:50Z
