Add support for Linux memory policy #1282
Small nit, I'd suggest to use
LGTM after the changes suggested above
Thanks @kad, fixed. Definitely better.
It seems set_mempolicy(2) is only effective for calling threads. I'm not sure how to do it for processes created with exec. Any ideas?
set_mempolicy() sets the NUMA memory policy of the calling thread,
which consists of a policy mode and zero or more nodes, to the
values specified by the mode, nodemask, and maxnode arguments.
The behavior of several other system calls is the same, so it might be a good idea to define their behavior as well.
I'm not sure, but we may need to implement it in nsexec.c of runc because of the thread limitation. I recommend implementing a PoC in runc.
The man page says: so I don't think it is a problem for the spec
@giuseppe Oh, I missed it. Looks good.
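The inheritance behaviour this exchange turns on, as an added example that is not part of the PR, the spec or runc: set_mempolicy(2) documents that the calling thread's policy is inherited by children created with fork(2) and preserved across execve(2), which is what lets a runtime set the policy in the process that later becomes the container's init. The sketch below checks the fork half of that statement with raw syscalls; the `ex_` names and the choice of `MPOL_INTERLEAVE` on node 0 are assumptions made for the demonstration, and the result is reported as "unavailable" where the kernel lacks NUMA support or a seccomp profile blocks the calls.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mode values from the kernel UAPI (linux/mempolicy.h), redefined here so
 * the example needs no extra headers or libnuma. */
enum { EX_MPOL_DEFAULT = 0, EX_MPOL_INTERLEAVE = 3 };

/* Thin wrapper: set the memory policy of the *calling thread* only. */
static long ex_set_mempolicy(int mode, const unsigned long *mask,
                             unsigned long maxnode)
{
    return syscall(SYS_set_mempolicy, mode, mask, maxnode);
}

/* Return the calling thread's policy mode, or -1 if it cannot be read
 * (no CONFIG_NUMA, or the syscall is filtered). */
int ex_current_mode(void)
{
    int mode = -1;

    if (syscall(SYS_get_mempolicy, &mode, NULL, 0UL, NULL, 0UL) != 0)
        return -1;
    return mode;
}

/*
 * Set a non-default policy in this thread, fork, and ask the child what
 * policy it sees.
 *   1  -> child inherited the policy set by the parent
 *   0  -> child did not see it
 *  -1  -> memory policy syscalls unavailable in this environment
 */
int ex_child_inherits_policy(void)
{
    unsigned long node0 = 1UL;  /* bit 0 = NUMA node 0, present on any host */
    int status;
    pid_t pid;

    if (ex_set_mempolicy(EX_MPOL_INTERLEAVE, &node0, sizeof(node0) * 8) != 0)
        return -1;

    pid = fork();
    if (pid == 0) {
        /* Child: report the inherited mode through the exit status. */
        int mode = ex_current_mode();
        _exit(mode < 0 ? 255 : mode);
    }

    /* Parent: drop back to the default policy; the child keeps its copy. */
    ex_set_mempolicy(EX_MPOL_DEFAULT, NULL, 0);

    if (pid < 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 255)
        return -1;

    return WEXITSTATUS(status) == EX_MPOL_INTERLEAVE;
}

int main(void)
{
    int r = ex_child_inherits_policy();

    if (r < 0)
        puts("memory policy syscalls unavailable here");
    else
        printf("child %s the parent's policy\n",
               r ? "inherited" : "did not inherit");
    return 0;
}
```

In a multi-threaded runtime the call has to be made on the thread that goes on to fork or exec the container process, since other threads of the same process keep their own policy.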
Implement support for Linux memory policy in OCI spec PR: opencontainers/runtime-spec#1282 TODO: - remove the replace from go.mod when OCI spec is merged Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
Implement support for Linux memory policy in OCI spec PR: opencontainers/runtime-spec#1282 Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
Implement support for Linux memory policy in OCI spec PR: opencontainers/runtime-spec#1282 Signed-off-by: Antti Kervinen <antti.kervinen@intel.com> (cherry picked from commit eda7bdf) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
…tes (#506) Bumps the go_modules group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/babylonlabs-io/babylon/v4](https://github.com/babylonlabs-io/babylon) | `4.0.0` | `4.2.0` |
| [github.com/docker/docker](https://github.com/docker/docker) | `25.0.6+incompatible` | `25.0.13+incompatible` |
| [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `2.2.1` | `2.4.0` |
| [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) | `4.5.1` | `4.5.2` |
| [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) | `1.7.8` | `1.7.9` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.3.1` | `5.5.4` |
| [github.com/opencontainers/runc](https://github.com/opencontainers/runc) | `1.1.14` | `1.2.8` |
| [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) | `0.5.11` | `0.5.14` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.41.0` | `0.45.0` |
This would cause the data to be corrupted by future reads.</li> </ul> <h1>5.5.3 (February 3, 2024)</h1> <ul> <li>Fix: prepared statement already exists</li> <li>Improve CopyFrom auto-conversion of text-ish values</li> <li>Add ltree type support (Florent Viel)</li> <li>Make some properties of Batch and QueuedQuery public (Pavlo Golub)</li> <li>Add AppendRows function (Edoardo Spadolini)</li> <li>Optimize convert UUID [16]byte to string (Kirill Malikov)</li> <li>Fix: LargeObject Read and Write of more than ~1GB at a time (Mitar)</li> </ul> <h1>5.5.2 (January 13, 2024)</h1> <ul> <li>Allow NamedArgs to start with underscore</li> <li>pgproto3: Maximum message body length support (jeremy.spriet)</li> <li>Upgrade golang.org/x/crypto to v0.17.0</li> <li>Add snake_case support to RowToStructByName (Tikhon Fedulov)</li> <li>Fix: update description cache after exec prepare (James Hartig)</li> <li>Fix: pipeline checks if it is closed (James Hartig and Ryan Fowler)</li> <li>Fix: normalize timeout / context errors during TLS startup (Samuel Stauffer)</li> <li>Add OnPgError for easier centralized error handling (James Hartig)</li> </ul> <h1>5.5.1 (December 9, 2023)</h1> <ul> <li>Add CopyFromFunc helper function. (robford)</li> <li>Add PgConn.Deallocate method that uses PostgreSQL protocol Close message.</li> <li>pgx uses new PgConn.Deallocate method. This allows deallocating statements to work in a failed transaction. This fixes a case where the prepared statement map could become invalid.</li> <li>Fix: Prefer driver.Valuer over json.Marshaler for json fields. (Jacopo)</li> <li>Fix: simple protocol SQL sanitizer previously panicked if an invalid $0 placeholder was used. This now returns an error instead. (maksymnevajdev)</li> <li>Add pgtype.Numeric.ScanScientific (Eshton Robateau)</li> </ul> <h1>5.5.0 (November 4, 2023)</h1> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jackc/pgx/commit/da6f2c98f2664b215b40b1606551fdfcc7f3ea5c"><code>da6f2c9</code></a> Update changelog</li> <li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"><code>c543134</code></a> SQL sanitizer wraps arguments in parentheses</li> <li><a href="https://github.com/jackc/pgx/commit/20344dfae83e672eff73a03324398543a1d87f43"><code>20344df</code></a> Check for overflow on uint16 sizes in pgproto3</li> <li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"><code>adbb38f</code></a> Do not allow protocol messages larger than ~1GB</li> <li><a href="https://github.com/jackc/pgx/commit/c1b0a01ca75ac9eb3a7dbc1396f583ab5dbf9557"><code>c1b0a01</code></a> Fix behavior of CollectRows to return empty slice if Rows are empty</li> <li><a href="https://github.com/jackc/pgx/commit/88dfc22ae4aa031783cda90841d5358edd85ff2c"><code>88dfc22</code></a> Fix simple protocol encoding of json.RawMessage</li> <li><a href="https://github.com/jackc/pgx/commit/2e84dccaf57b4fa803149884f2149dfa9e923593"><code>2e84dcc</code></a> *Pipeline.getResults should close pipeline on error</li> <li><a href="https://github.com/jackc/pgx/commit/d149d3fe5c50d1d98bd6265d3c928519ba4b3f4b"><code>d149d3f</code></a> Fix panic in TryFindUnderlyingTypeScanPlan</li> <li><a href="https://github.com/jackc/pgx/commit/046f497efb4e92caa9575a0e9c351e4906af14c6"><code>046f497</code></a> deallocateInvalidatedCachedStatements now runs in transactions</li> <li><a href="https://github.com/jackc/pgx/commit/8896bd697781ed4aee392daa90b90cde142319fe"><code>8896bd6</code></a> Handle invalid sslkey file</li> <li>Additional commits viewable in <a href="https://github.com/jackc/pgx/compare/v5.3.1...v5.5.4">compare view</a></li> </ul> </details> <br /> Updates `github.com/opencontainers/runc` from 1.1.14 to 1.2.8 <details> <summary>Release notes</summary> 
<p><em>Sourced from <a href="https://github.com/opencontainers/runc/releases">github.com/opencontainers/runc's releases</a>.</em></p> <blockquote> <h2>runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"</h2> <blockquote> <p>[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.</p> </blockquote> <p>This release contains fixes for three high-severity security vulnerabilities in runc (<a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2">CVE-2025-31133</a>, <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r">CVE-2025-52565</a>, and <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm">CVE-2025-52881</a>). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary <code>/proc</code> files.</p> <h3>Security</h3> <ul> <li> <p><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2">CVE-2025-31133</a> exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's <code>/dev/null</code> inode on top of the file. However, if an attacker can replace <code>/dev/null</code> with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.</p> </li> <li> <p><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r">CVE-2025-52565</a> is very similar in concept and application to <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2">CVE-2025-31133</a>, except that it exploits a flaw in <code>/dev/console</code> bind-mounts. 
When creating the <code>/dev/console</code> bind-mount (to <code>/dev/pts/$n</code>), if an attacker replaces <code>/dev/pts/$n</code> with a symlink then runc will bind-mount the symlink target over <code>/dev/console</code>. This issue affected all versions of runc >= 1.0.0-rc3.</p> </li> <li> <p><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm">CVE-2025-52881</a> is a more sophisticated variant of <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw">CVE-2019-19921</a>, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw">CVE-2019-19921</a> was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.</p> </li> </ul> <h3>Static Linking Notices</h3> <p>The <code>runc</code> binary distributed with this release are <em>statically linked</em> with the following <a href="https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html">GNU LGPL-2.1</a> licensed libraries, with <code>runc</code> acting as a "work that uses the Library":</p> <ul> <li><a href="https://github.com/seccomp/libseccomp">libseccomp</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/opencontainers/runc/blob/main/CHANGELOG.md">github.com/opencontainers/runc's changelog</a>.</em></p> <blockquote> <h2>[1.2.8] - 2025-11-05</h2> <blockquote> <p>鳥籠の中に囚われた屈辱を</p> </blockquote> <h3>Security</h3> <p>This release includes fixes for the following high-severity security issues:</p> <ul> <li> <p><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2">CVE-2025-31133</a> exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's <code>/dev/null</code> inode on top of the file. However, if an attacker can replace <code>/dev/null</code> with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.</p> </li> <li> <p><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r">CVE-2025-52565</a> is very similar in concept and application to <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2">CVE-2025-31133</a>, except that it exploits a flaw in <code>/dev/console</code> bind-mounts. When creating the <code>/dev/console</code> bind-mount (to <code>/dev/pts/$n</code>), if an attacker replaces <code>/dev/pts/$n</code> with a symlink then runc will bind-mount the symlink target over <code>/dev/console</code>. 
This issue affected all versions of runc >= 1.0.0-rc3.</p> </li> <li> <p><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm">CVE-2025-52881</a> is a more sophisticated variant of <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw">CVE-2019-19921</a>, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw">CVE-2019-19921</a> was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.</p> </li> </ul> <h2>[1.4.0-rc.2] - 2025-10-10</h2> <blockquote> <p>私の役目は信じるかどうかではない。行うかどうかだ。</p> </blockquote> <h3>libcontainer API</h3> <ul> <li>The deprecated <code>libcontainer/userns</code> package has been removed; use <code>github.com/moby/sys/userns</code> instead. (<a href="https://redirect.github.com/opencontainers/runc/issues/4910">#4910</a>, <a href="https://redirect.github.com/opencontainers/runc/issues/4911">#4911</a>)</li> </ul> <h3>Added</h3> <ul> <li>Allow setting <code>user.*</code> sysctls for user-namespaced containers, as they are namespaced and thus safe to configure. (<a href="https://redirect.github.com/opencontainers/runc/issues/4889">#4889</a>, <a href="https://redirect.github.com/opencontainers/runc/issues/4892">#4892</a>)</li> <li>Add support for using <code>clone3(2)</code>'s <code>CLONE_INTO_CGROUP</code> flag when configuring the <code>runc exec</code> process. This also included some internal changes to how we add processes to containers. 
(<a href="https://redirect.github.com/opencontainers/runc/issues/4822">#4822</a>, <a href="https://redirect.github.com/opencontainers/runc/issues/4812">#4812</a>, <a href="https://redirect.github.com/opencontainers/runc/issues/4920">#4920</a>)</li> <li>Add support for configuring the NUMA memory policy for a container with <code>set_mempolicy(2)</code> (<code>opencontainers/runtime-spec#1282</code>, <a href="https://redirect.github.com/opencontainers/runc/issues/4726">#4726</a>, <a href="https://redirect.github.com/opencontainers/runc/issues/4915">#4915</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/opencontainers/runc/commit/eeb7e6024f9ee43876301b1d23c353384fa6dcdd"><code>eeb7e60</code></a> VERSION: release v1.2.8</li> <li><a href="https://github.com/opencontainers/runc/commit/cdee962c391af84a922252c283bd065e5cabb34b"><code>cdee962</code></a> merge private security patches into ghsa-release-1.2.8</li> <li><a href="https://github.com/opencontainers/runc/commit/b4cb2f5436a1110a1de4eec7335a791d2b30a868"><code>b4cb2f5</code></a> rootfs: re-allow dangling symlinks in mount targets</li> <li><a href="https://github.com/opencontainers/runc/commit/ee56b8571cc81d41f85b069671bb6d33fd235cf1"><code>ee56b85</code></a> openat2: improve resilience on busy systems</li> <li><a href="https://github.com/opencontainers/runc/commit/2462b68fa2d6618480e6a4f615661ee6e762d13a"><code>2462b68</code></a> Merge pull request <a href="https://redirect.github.com/opencontainers/runc/issues/4943">#4943</a> from lifubang/backport-1.2-4934-4937</li> <li><a href="https://github.com/opencontainers/runc/commit/99e41a58f7a51cf1b6caa5bed58ffbe615193523"><code>99e41a5</code></a> ci: only run lint-extra job on PRs to main</li> <li><a href="https://github.com/opencontainers/runc/commit/f2a1c986629e82cffb3b7c01eee68405894f4783"><code>f2a1c98</code></a> CI: remove deprecated
lima-vm/lima-actions/ssh</li> <li><a href="https://github.com/opencontainers/runc/commit/8f901856f96126285585e7343d7bc600013798fc"><code>8f90185</code></a> selinux: use safe procfs API for labels</li> <li><a href="https://github.com/opencontainers/runc/commit/948d6e9dbece33da25886f18c97a128c347e95ff"><code>948d6e9</code></a> rootfs: switch to fd-based handling of mountpoint targets</li> <li><a href="https://github.com/opencontainers/runc/commit/7aa42ade85d575294cf778b21edbd53c0171a3d4"><code>7aa42ad</code></a> libct: align param type for mountCgroupV1/V2 functions</li> <li>Additional commits viewable in <a href="https://github.com/opencontainers/runc/compare/v1.1.14...v1.2.8">compare view</a></li> </ul> </details> <br /> Updates `github.com/ulikunitz/xz` from 0.5.11 to 0.5.14 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ulikunitz/xz/commit/7184815834c4777e8fa665946721d5fe114c2c35"><code>7184815</code></a> Preparation of release v0.5.14</li> <li><a href="https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"><code>88ddf1d</code></a> Address Security Issue GHSA-jc7w-c686-c4v9</li> <li><a href="https://github.com/ulikunitz/xz/commit/c8314b8f21e9c5e25b52da07544cac14db277e89"><code>c8314b8</code></a> Add new package xio with WriteCloserStack</li> <li><a href="https://github.com/ulikunitz/xz/commit/4f11dce79b9977ec2976a978d6c594ea1c23cf29"><code>4f11dce</code></a> Update README.md and SECURITY.md to address security questions</li> <li><a href="https://github.com/ulikunitz/xz/commit/f56ebbfaa2400067dcda8ade26ce912c2873ca08"><code>f56ebbf</code></a> TODO.md: fix a typo</li> <li>See full diff in <a href="https://github.com/ulikunitz/xz/compare/v0.5.11...v0.5.14">compare view</a></li> </ul> </details> <br /> Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/crypto/commit/4e0068c0098be10d7025c99ab7c50ce454c1f0f9"><code>4e0068c</code></a> 
go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/crypto/commit/e79546e28b85ea53dd37afe1c4102746ef553b9c"><code>e79546e</code></a> ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li> <li><a href="https://github.com/golang/crypto/commit/f91f7a7c31bf90b39c1de895ad116a2bacc88748"><code>f91f7a7</code></a> ssh/agent: prevent panic on malformed constraint</li> <li><a href="https://github.com/golang/crypto/commit/2df4153a0311bdfea44376e0eb6ef2faefb0275b"><code>2df4153</code></a> acme/autocert: let automatic renewal work with short lifetime certs</li> <li><a href="https://github.com/golang/crypto/commit/bcf6a849efcf4702fa5172cb0998b46c3da1e989"><code>bcf6a84</code></a> acme: pass context to request</li> <li><a href="https://github.com/golang/crypto/commit/b4f2b62076abeee4e43fb59544dac565715fbf1e"><code>b4f2b62</code></a> ssh: fix error message on unsupported cipher</li> <li><a href="https://github.com/golang/crypto/commit/79ec3a51fcc7fbd2691d56155d578225ccc542e2"><code>79ec3a5</code></a> ssh: allow to bind to a hostname in remote forwarding</li> <li><a href="https://github.com/golang/crypto/commit/122a78f140d9d3303ed3261bc374bbbca149140f"><code>122a78f</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/crypto/commit/c0531f9c34514ad5c5551e2d6ce569ca673a8afd"><code>c0531f9</code></a> all: eliminate vet diagnostics</li> <li><a href="https://github.com/golang/crypto/commit/0997000b45e3a40598272081bcad03ffd21b8adb"><code>0997000</code></a> all: fix some comments</li> <li>Additional commits viewable in <a href="https://github.com/golang/crypto/compare/v0.41.0...v0.45.0">compare view</a></li> </ul> </details> <br />
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lazar <lukic.lazar@yahoo.com>
Enable setting a NUMA memory policy for the container. New linux.mempolicy object contains inputs to the set_mempolicy(2) syscall.
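An added example (not code from this PR, the spec, or runc) of how a runtime could validate such an object and turn it into the three `set_mempolicy(2)` inputs before making the call. The `MemPolicy` field names, the node-list syntax and the 1023 node-id bound are assumptions; the syscall itself is not invoked.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MPOL_F_* values are from <linux/mempolicy.h>; maxNodeID is an assumed bound.
const flagRelative, flagStatic, maxNodeID = 1 << 14, 1 << 15, 1023
var modes = map[string]uint{"MPOL_DEFAULT": 0, "MPOL_PREFERRED": 1,
	"MPOL_BIND": 2, "MPOL_INTERLEAVE": 3, "MPOL_LOCAL": 4}
var modeFlags = map[string]uint{"MPOL_F_RELATIVE_NODES": flagRelative,
	"MPOL_F_STATIC_NODES": flagStatic}

type MemPolicy struct { // hypothetical config object; field names are assumptions
	Mode, Nodes string // Nodes is a list such as "0-3,7"
	Flags       []string
}

type Args struct { // the three set_mempolicy(2) inputs
	Mode     uint     // mode ORed with the mode flags
	Nodemask []uint64 // bit n set means node n is in the policy
	MaxNode  uint
}

// parseNodes turns "0-3,7" into a bitmask and the highest node id (-1 if none).
func parseNodes(s string) ([]uint64, int, error) {
	mask, highest := make([]uint64, (maxNodeID+2+63)/64), -1
	if strings.TrimSpace(s) == "" {
		return mask, highest, nil
	}
	for _, part := range strings.Split(s, ",") {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(part), "-")
		if !isRange {
			hi = lo
		}
		a, errA := strconv.ParseUint(lo, 10, 16)
		b, errB := strconv.ParseUint(hi, 10, 16)
		if errA != nil || errB != nil || a > b || b > maxNodeID {
			return nil, -1, fmt.Errorf("invalid node range %q", part)
		}
		for n := a; n <= b; n++ {
			mask[n/64] |= 1 << (n % 64)
		}
		if int(b) > highest {
			highest = int(b)
		}
	}
	return mask, highest, nil
}

// Build validates p and returns the syscall arguments without making the call.
func Build(p MemPolicy) (Args, error) {
	mode, ok := modes[p.Mode]
	for _, f := range p.Flags {
		v, known := modeFlags[f]
		ok = ok && known
		mode |= v
	}
	if !ok || mode&(flagRelative|flagStatic) == flagRelative|flagStatic {
		return Args{}, fmt.Errorf("invalid mode %q or flags %v", p.Mode, p.Flags)
	}
	mask, highest, err := parseNodes(p.Nodes)
	if err != nil {
		return Args{}, err
	}
	mustBeEmpty := p.Mode == "MPOL_DEFAULT" || p.Mode == "MPOL_LOCAL"
	mustBeSet := p.Mode == "MPOL_BIND" || p.Mode == "MPOL_INTERLEAVE"
	if (mustBeEmpty && highest >= 0) || (mustBeSet && highest < 0) {
		return Args{}, fmt.Errorf("mode %s: bad node list %q", p.Mode, p.Nodes)
	}
	maxNode := uint(highest + 2) // the kernel decrements maxnode before reading the mask
	return Args{Mode: mode, Nodemask: mask[:(maxNode+63)/64], MaxNode: maxNode}, nil
}

func main() { // constructed sample input
	fmt.Println(Build(MemPolicy{"MPOL_INTERLEAVE", "0-3,7", []string{"MPOL_F_STATIC_NODES"}}))
}
```

Rejecting a bad mode, flag combination or node list at this stage gives a clear configuration error instead of a bare `EINVAL` from the kernel after the container process has already been set up.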