Skip to content

Commit ed6780a

Browse files
spahuja-harnessspahuja-harness
authored
fix: [CI-21812]: Upgrade moby/buildkit to v0.28.1 to fix CVE-2026-33747 and CVE-2026-33748 (#58)
Both CVEs (CVSS 8.4 and 8.0) affect moby/buildkit < v0.28.1. Upgraded from v0.21.0 to v0.28.1. buildkit v0.28.1 requires docker/cli v29, which is incompatible with harness/nektos-act/v2 (uses removed v28 APIs). Added a replace directive to pin docker/cli to v28.0.4 at compile time while satisfying buildkit's declared dependency on v29.2.1. Verified with govulncheck: 0 vulnerabilities found in code or imported packages. AI-Session-Id: e5fffb26-30d0-4e53-aa03-bc09d36c2599 AI-Tool: claude-code AI-Model: global.anthropic.claude-sonnet-4-6
1 parent 2e93c04 commit ed6780a

2 files changed

Lines changed: 111 additions & 102 deletions

File tree

go.mod

Lines changed: 35 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
module github.com/drone/plugin
22

3-
go 1.25.0
3+
go 1.25.5
44

55
toolchain go1.25.8
66

@@ -13,54 +13,58 @@ require (
1313
github.com/harness/nektos-act v1.1.0
1414
github.com/harness/nektos-act/v2 v2.0.0
1515
github.com/joho/godotenv v1.5.1
16-
github.com/klauspost/compress v1.18.0
16+
github.com/klauspost/compress v1.18.4
1717
github.com/pkg/errors v0.9.1
1818
github.com/rogpeppe/go-internal v1.14.1
19-
github.com/stretchr/testify v1.10.0
20-
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
19+
github.com/stretchr/testify v1.11.1
20+
golang.org/x/exp v0.0.0-20250911091902-df9299821621
2121
gopkg.in/yaml.v2 v2.4.0
2222
gopkg.in/yaml.v3 v3.0.1
2323
)
2424

25+
require (
26+
cyphar.com/go-pathrs v0.2.1 // indirect
27+
github.com/moby/term v0.5.2 // indirect
28+
)
29+
2530
require (
2631
dario.cat/mergo v1.0.1 // indirect
2732
github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
28-
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
2933
github.com/Masterminds/semver v1.5.0 // indirect
3034
github.com/Microsoft/go-winio v0.6.2 // indirect
31-
github.com/ProtonMail/go-crypto v1.1.6 // indirect
35+
github.com/ProtonMail/go-crypto v1.3.0 // indirect
3236
github.com/adrg/xdg v0.5.3 // indirect
3337
github.com/andreaskoch/go-fswatch v1.0.0 // indirect
3438
github.com/bmatcuk/doublestar/v4 v4.8.0 // indirect
35-
github.com/cloudflare/circl v1.6.1 // indirect
39+
github.com/cloudflare/circl v1.6.3 // indirect
3640
github.com/containerd/containerd v1.7.30 // indirect
3741
github.com/containerd/log v0.1.0 // indirect
38-
github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
42+
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
3943
github.com/creack/pty v1.1.24 // indirect
40-
github.com/cyphar/filepath-securejoin v0.5.1 // indirect
44+
github.com/cyphar/filepath-securejoin v0.6.0 // indirect
4145
github.com/davecgh/go-spew v1.1.1 // indirect
4246
github.com/distribution/reference v0.6.0 // indirect
43-
// NOTE: CVE-2025-15558 (CVSS 8.0) affects docker/cli v28.0.4, fixed in v29.2.0
44-
// Cannot upgrade: github.com/harness/nektos-act/v2 v2.0.0 incompatible with docker/cli v29.x API changes
45-
// Upstream nektos/act v0.2.84 still uses docker/cli v28.4.0
46-
// CVE is Windows-specific; impact limited for Linux-only builds
47-
// Tracking: Upgrade when harness/nektos-act supports docker/cli v29+
48-
github.com/docker/cli v28.0.4+incompatible // indirect
47+
// NOTE: docker/cli is declared as v29.2.1 (required by moby/buildkit v0.28.1) but pinned to v28.0.4
48+
// via replace directive below. nektos-act/v2 uses docker/cli v28 APIs (e.g. ListOpts.GetAll)
49+
// that were removed in v29. The replace keeps compilation working until nektos-act supports v29.
50+
// CVE-2025-15558 (CVSS 8.0, Windows-only) remains unresolved; limited impact for Linux-only builds.
51+
// Tracking: Remove replace when harness/nektos-act supports docker/cli v29+
52+
github.com/docker/cli v29.2.1+incompatible // indirect
4953
github.com/docker/distribution v2.8.2+incompatible // indirect
5054
github.com/docker/docker v28.0.4+incompatible // indirect
51-
github.com/docker/docker-credential-helpers v0.9.3 // indirect
52-
github.com/docker/go-connections v0.5.0 // indirect
55+
github.com/docker/docker-credential-helpers v0.9.5 // indirect
56+
github.com/docker/go-connections v0.6.0 // indirect
5357
github.com/docker/go-units v0.5.0 // indirect
5458
github.com/emirpasic/gods v1.18.1 // indirect
5559
github.com/fatih/color v1.18.0 // indirect
5660
github.com/felixge/httpsnoop v1.0.4 // indirect
5761
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
5862
github.com/go-git/go-billy/v5 v5.6.2 // indirect
59-
github.com/go-logr/logr v1.4.2 // indirect
63+
github.com/go-logr/logr v1.4.3 // indirect
6064
github.com/go-logr/stdr v1.2.2 // indirect
6165
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
6266
github.com/gogo/protobuf v1.3.2 // indirect
63-
github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
67+
github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
6468
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
6569
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
6670
github.com/harness-community/docker-cli-v23 v23.0.6+incompatible // indirect
@@ -78,9 +82,9 @@ require (
7882
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
7983
github.com/mitchellh/go-homedir v1.1.0 // indirect
8084
github.com/mitchellh/mapstructure v1.1.2 // indirect
81-
github.com/moby/buildkit v0.21.0 // indirect
85+
github.com/moby/buildkit v0.28.1 // indirect
8286
github.com/moby/docker-image-spec v1.3.1 // indirect
83-
github.com/moby/patternmatcher v0.6.0 // indirect
87+
github.com/moby/patternmatcher v0.6.1 // indirect
8488
github.com/moby/sys/sequential v0.6.0 // indirect
8589
github.com/moby/sys/user v0.4.0 // indirect
8690
github.com/moby/sys/userns v0.1.0 // indirect
@@ -96,7 +100,7 @@ require (
96100
github.com/russross/blackfriday/v2 v2.1.0 // indirect
97101
github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
98102
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
99-
github.com/sirupsen/logrus v1.9.3 // indirect
103+
github.com/sirupsen/logrus v1.9.4 // indirect
100104
github.com/skeema/knownhosts v1.3.1 // indirect
101105
github.com/spf13/cobra v1.9.1 // indirect
102106
github.com/spf13/pflag v1.0.6 // indirect
@@ -105,18 +109,20 @@ require (
105109
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
106110
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
107111
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
108-
go.etcd.io/bbolt v1.4.0 // indirect
109-
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
110-
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
111-
go.opentelemetry.io/otel v1.35.0 // indirect
112-
go.opentelemetry.io/otel/metric v1.35.0 // indirect
113-
go.opentelemetry.io/otel/trace v1.35.0 // indirect
112+
go.etcd.io/bbolt v1.4.3 // indirect
113+
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
114+
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
115+
go.opentelemetry.io/otel v1.38.0 // indirect
116+
go.opentelemetry.io/otel/metric v1.38.0 // indirect
117+
go.opentelemetry.io/otel/trace v1.38.0 // indirect
114118
golang.org/x/crypto v0.48.0 // indirect
115119
golang.org/x/net v0.51.0 // indirect
116120
golang.org/x/sync v0.19.0 // indirect
117121
golang.org/x/sys v0.41.0 // indirect
118122
golang.org/x/term v0.40.0 // indirect
119123
golang.org/x/text v0.34.0 // indirect
120-
google.golang.org/protobuf v1.36.6 // indirect
124+
google.golang.org/protobuf v1.36.11 // indirect
121125
gopkg.in/warnings.v0 v0.1.2 // indirect
122126
)
127+
128+
replace github.com/docker/cli v29.2.1+incompatible => github.com/docker/cli v28.0.4+incompatible

0 commit comments

Comments
 (0)