From acc03578adf40d0d9914897dbcaf5133894d4211 Mon Sep 17 00:00:00 2001
From: l-qing <9499086+l-qing@users.noreply.github.com>
Date: Sun, 7 Jun 2026 16:34:22 +0000
Subject: [PATCH 1/3] chore(go): bump go directive to 1.26.4 to rebuild with fixed Go stdlib

Rebuild released binaries with Go 1.26.4 to clear stdlib CVE-2026-42504, CVE-2026-27145 and CVE-2026-42507. The Alauda release workflow resolves the toolchain via setup-go go-version-file: go.mod, so bumping this directive is sufficient for the next -alauda-N release to build on Go 1.26.4.
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index ce2e724bf53..d853c3133bd 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/anchore/syft
-go 1.26.3
+go 1.26.4
 require (
 github.com/BurntSushi/toml v1.6.0
From d8c8472c76f366516b6385fb9bed3e7c910a7942 Mon Sep 17 00:00:00 2001
From: qingliu
Date: Sun, 7 Jun 2026 16:46:40 +0000
Subject: [PATCH 2/3] fix(deps): bump containerd/v2 to v2.2.4 to fix CVE-2026-46680
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index d853c3133bd..f8ca60c22d9 100644
--- a/go.mod
+++ b/go.mod
@@ -102,7 +102,7 @@ require (
 github.com/DataDog/zstd v1.5.5 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
- github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect
+ github.com/Microsoft/hcsshim v0.14.1 // indirect
 github.com/ProtonMail/go-crypto v1.4.0 // indirect
 github.com/STARRY-S/zip v0.2.3 // indirect
 github.com/agext/levenshtein v1.2.1 // indirect; indirectt
@@ -308,7 +308,7 @@ require (
 github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 github.com/containerd/cgroups/v3 v3.1.2 // indirect
- github.com/containerd/containerd/v2 v2.2.1 // indirect
+ github.com/containerd/containerd/v2 v2.2.4 // indirect
 github.com/containerd/plugin v1.0.0 // indirect
 github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
diff --git a/go.sum b/go.sum
index 842f35d63a6..76bbf939063 100644
--- a/go.sum
+++ b/go.sum
@@ -101,8 +101,8 @@ github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSC
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.14.0-rc.1 h1:qAPXKwGOkVn8LlqgBN8GS0bxZ83hOJpcjxzmlQKxKsQ=
-github.com/Microsoft/hcsshim v0.14.0-rc.1/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=
+github.com/Microsoft/hcsshim v0.14.1 h1:CMuB3fqQVfPdhyXhUqYdUmPUIOhJkmghCx3dJet8Cqs=
+github.com/Microsoft/hcsshim v0.14.1/go.mod h1:VnzvPLyWUhxiPVsJ31P6XadxCcTogTguBFDy/1GR/OM=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -298,8 +298,8 @@ github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8
 github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
 github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o=
 github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
-github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk=
-github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU=
+github.com/containerd/containerd/v2 v2.2.4 h1:8x2UdXqww7NYqGNabQ7i1nAgB5LegzjC9KQzO/900iA=
+github.com/containerd/containerd/v2 v2.2.4/go.mod h1:YBcTO8D9149QY9zNmUjy04Mhuc4DlrZQ8FIOwKZEM7o=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
From 217cc9dfb13745201937de4bbc9242677b59f576 Mon Sep 17 00:00:00 2001
From: qingliu
Date: Sun, 7 Jun 2026 17:44:51 +0000
Subject: [PATCH 3/3] ci: re-trigger validations

The Build-Snapshot-Artifacts job was stuck queued for ~50min waiting on an ephemeral runs-on runner. Re-trigger to requeue a fresh provisioning.