chore(deps): update module github.com/containerd/containerd to v2 [security]

[alaudaa-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd	v1.7.29 -> v2.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-46680

Impact

A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.3.1
• 2.2.4
• 2.0.9
• 1.7.32

Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric runAsUser in the Kubernetes Pod securityContext overrides the USER directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce runAsNonRoot properly regardless of this bug.

Credits

The containerd project would like to thank Lei Wang (@​ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.

Resources

• GHSA-265r-hfxg-fhmg (CVE-2024-40635)

For more information

If there are any questions or comments about this advisory:

• Open an issue in containerd
• Send an email to security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Send an email to security@containerd.io

---

containerd user ID handling bypass allows runAsNonRoot evasion

CVE-2026-46680 / GHSA-fqw6-gf59-qr4w

More information

Details

Impact

A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.3.1
• 2.2.4
• 2.0.9
• 1.7.32

Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric runAsUser in the Kubernetes Pod securityContext overrides the USER directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce runAsNonRoot properly regardless of this bug.

Credits

The containerd project would like to thank Lei Wang (@​ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.

Resources

• GHSA-265r-hfxg-fhmg (CVE-2024-40635)

For more information

If there are any questions or comments about this advisory:

• Open an issue in containerd
• Send an email to security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Send an email to security@containerd.io

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w
• https://github.com/containerd/containerd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v2.0.0: containerd 2.0.0

Compare Source

Welcome to the v2.0.0 release of containerd!

The first major release of containerd 2.x focuses on the continued stability of
containerd's core feature set with an easy upgrade from containerd 1.x. This
release includes the stabilization of new features added in the last 1.x release
as well as the removal of features which were deprecated in 1.x. The goal is to
support the vast community of containerd users well into the future along with
their ever increasing deployment footprints and variety of use cases.

See containerd 2.0 documentation for details on what is new and has changed in this release.

Highlights

• Allow sections of Plugins to be merged, and not overwritten as entire sections. (#​9982)
• Add Update API for sandbox controller (#​9903)
• Configure otel from env instead of config.toml (#​8970)
• Enable NRI by default (#​9744)
• Add PluginInfo to introspection API (#​9442)
• Remove overlayfs volatile option on temp mounts (#​9555)
• Expose usage of deprecated features (#​9258)
• Use Intel ISA-L's igzip if available (#​9200)
• Introduce top level config migration (#​9223)
• Add image delete target (#​8989)
• Remove LimitNOFILE from containerd.service (#​8924)
• Add support for image expiration during garbage collection (#​9022)
• Reduce the contention between ref lock and boltdb lock in content store (#​8792)
• Remove "containerd.io/restart.logpath" label (#​8264)
• Remove aufs snapshotter (#​8263)
• Fix deadlock during NRI plugin registration (containerd/nri#79)
• Support arm64/v9 and minor variants (containerd/platforms#8)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Build and Release Toolchain

• Generate attestation for artifacts during release (#​10543)
• Remove cri-containerd-*.tar.gz release bundles (#​9096)

Container Runtime Interface (CRI)

• Use 'UserSpecifiedImage' from CRI to set the image-name annotation (#​10747)
• Fine-grained SupplementalGroups control (#​9737)
• Add support to set loopback to up (#​10238)
• KEP-3857: Recursive Read-only (RRO) mounts (#​9787)
• Add support for multiple subscribers to CRI container events (#​9661)
• Enable CDI by default (#​9621)
• Remove non-sandboxed CRI implementation (#​9228)
• Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) (#​8287)
• Use sandboxed CRI by default (#​8994)
• Implement RuntimeConfig CRI call (#​8722)
• Add support for user namespaces (KEP-127) (#​8803)
• Remove CRI v1alpha2 (#​8276)

Go client

• Add api Go module and move all protos under api (#​10151)
• Move packages based on contributing guide (#​9365)
• Generalize plugin library (#​9214)
• Use github.com/containerd/log (#​9086)

Image Distribution

• Support to syncfs after pull by using diff plugin (#​10284)
• Skip "unknown" in image platform listing (#​10257)
• Update unpacker to fetch all provided content (#​10202)
• Enable Transfer service API to support plain HTTP (#​10024)
• Enable Transfer service to use registry configuration directory (#​9908)
• Disable the support for Schema 1 images (#​9765)
• Update Transfer service to add OCI descriptors to Progress structure (#​9630)
• Update import and export to allow references to missing content (#​9554)
• Add option to perform syncfs after pull (#​9401)
• Add image verifier transfer service plugin system based on a binary directory (#​8493)

Runtime

• Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 (#​10410)
• Add pprof to runc-shim (#​10242)
• Provide runtime options in plugin info (#​10251)
• Store bootstrap parameters in sandbox metadata (#​9736)
• Update apparmor to allow confined runc to kill containers (#​10123)
• Support vsock connection to task api (#​9738)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#​9320)
• Switch runc shim to task service v3 and fix restore (#​9233)
• Add sandboxer configuration and move sandbox controllers to plugins (#​8268)
• Add annotations to CreateSandbox request (#​8960)
• Add SandboxMetrics (#​8680)
• Publish sandbox events (#​8602)
• Remove the CriuPath field from runc's options (#​8279)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#​8262)

Security Advisories

• [medium] RAPL accessible to a container GHSA-7ww5-4wqc-m92c

Breaking

• Remove disable_cgroup from CRI config (#​10594)
• Disable the support for Schema 1 images (#​9765)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#​9320)
• Move client to subpackage (#​9316)
• Remove LimitNOFILE from containerd.service (#​8924)
• Remove CRI v1alpha2 (#​8276)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#​8262)
• Remove "containerd.io/restart.logpath" label (#​8264)
• Remove aufs snapshotter (#​8263)

Deprecations

• Update warnings for deprecated CRI config fields (#​10509)
• Add type alias for event Envelope (#​10279)
• Postpone removal of deprecated CRI config properties (#​9966)
• Deprecate go-plugin configuration option (#​9238)
• CNI conf_template in CRI is no longer deprecated (#​8637)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Samuel Karp
• Krisztian Litkey
• Kazuyoshi Kato
• Austin Vazquez
• Rodrigo Campos
• Danny Canter
• Abel Feng
• Mike Brown
• Kirtana Ashok
• Akhil Mohan
• Iceber Gu
• Gabriel Adrian Samfira
• Jin Dong
• Kohei Tokunaga
• Bjorn Neergaard
• Brian Goff
• Justin Chadwell
• rongfu.leng
• James Sturtevant
• Davanum Srinivas
• Paul "TBBle" Hampson
• Henry Wang
• Enrico Weigelt
• Laura Brehm
• Marat Radchenko
• Paweł Gronowski
• Shingo Omura
• Hsing-Yu (David) Chen
• Ilya Hanov
• Cardy.Tang
• Swagat Bora
• Aditi Sharma
• Amit Barve
• Bryant Biggs
• Evan Lezar
• James Jenkins
• Jordan Liggitt
• Kay Yan
• Markus Lehtonen
• Nashwan Azhari
• Shuaiyi Zhang
• Vinayak Goyal
• helen
• Alexandru Matei
• Anthony Nandaa
• Avi Deitcher
• Charity Kathure
• Cory Snider
• Ed Bartosh
• Etienne Champetier
• Kevin Parsons
• Michael Zappa
• Milas Bowman
• lengrongfu
• ningmingxiao
• yanggang
• zounengren
• Aditya Ramani
• Adrian Reber
• Amir M. Ghazanfari
• Antonio Ojea
• Artem Khramov
• Brad Davidson
• Chen Yiyang
• Chongyi Zheng
• Christian Muehlhaeuser
• Djordje Lukic
• Edgar Lee
• Eric Lin
• Ethan Lowman
• Jiang Liu
• June Rhodes
• Kern Walster
• Lei Jitang
• Lucas Rattz
• Mahamed Ali
• Maksim An
• Michael Crosby
• Peteris Rudzusiks
• Ray Burgemeestre
• Sam Edwards
• Samruddhi Khandale
• Sascha Grunert
• Steve Griffith
• Tony Fang
• Tõnis Tiigi
• VERNOU Cédric
• Vishal Reddy Gurrala
• Xiaojin Zhang
• Yang Yang
• hang.jiang
• harshitasao
• jerryzhuang
• roman-kiselenko
• zhanluxianshen
• Aaron Lehmann
• AbdelrahmanElawady
• Adrien Delorme
• Alex Couture-Beil
• Alex Ellis
• Alex Rodriguez
• Angelos Kolaitis
• Antonio Huete Jimenez
• Antti Kervinen
• Arash Haghighat
• Arkin Modi
• Ben Foster
• Benjamin Peterson
• Bin Tang
• Bin Xin
• BinBin He
• Brennan Kinney
• Changqing Li
• ChengenH
• ChengyuZhu6
• Christian Stewart
• Colin O'Dell
• Craig Ingram
• Daisy Rong
• David Porter
• David Son
• Derek Nola
• Eng Zer Jun
• Erikson Tung
• Fabiano Fidêncio
• Fahed Dorgaa
• Gabriela Cervantes
• Gary McDonald
• Iain Macdonald
• James Lakin
• Jan Dubois
• Jaroslav Jindrak
• Javier Maestro
• Jian Wang
• Jiongchi Yu
• Julien Balestra
• Kir Kolyshkin
• Kirill A. Korinsky
• Konstantin Khlebnikov
• Lei Liu
• Matteo Pulcini
• Mauri de Souza Meneguzzo
• Mike Baynton
• Niklas Gehlen
• Pan Yibo
• Paul Meyer
• Qasim Sarfraz
• Qiutong Song
• Reinhard Tartler
• Robbie Buxton
• Robert-André Mauchin
• Ruihua Wen
• Saket Jajoo
• Sameer
• Shengjing Zhu
• Shiming Zhang
• Shukui Yang
• StepSecurity Bot
• Talon
• Tariq Ibrahim
• Tianon Gravi
• Tim Hockin
• TinaMor
• Tobias Klauser
• Tomáš Virtus
• Wang Xinwen
• William Chen
• Xinyang Ge
• Yibo Zhuang
• Yuhang Wei
• Yury Gargay
• Zechun Chen
• Zhang Tianyang
• Zoe
• baijia
• bo.jiang
• bzsuni
• charles-chenzz
• chschumacher1994
• cormick
• guangli.bao
• guangwu
• jinda.ljd
• jingtao.liang
• krglosse
• pigletfly
• rokkiter
• wangxiang
• zhangpeng
• zhaojizhuang
• 吴小白
• 张钰
• 沈陵
• 谭九鼎

Dependency Changes

• dario.cat/mergo v1.0.1 new
• github.com/AdaLogics/go-fuzz-headers 1f10f66 -> e8a1dd7
• github.com/AdamKorcz/go-118-fuzz-build 5330a85 -> 2b5cbb2
• github.com/Microsoft/go-winio v0.6.0 -> v0.6.2
• github.com/Microsoft/hcsshim v0.10.0-rc.7 -> v0.12.9
• github.com/cenkalti/backoff/v4 v4.2.0 -> v4.3.0
• github.com/cespare/xxhash/v2 v2.2.0 -> v2.3.0
• github.com/checkpoint-restore/checkpointctl v1.3.0 new
• github.com/checkpoint-restore/go-criu/v7 v7.2.0 new
• github.com/cilium/ebpf v0.9.1 -> v0.11.0
• github.com/containerd/cgroups/v3 v3.0.1 -> v3.0.3
• github.com/containerd/console v1.0.3 -> v1.0.4
• github.com/containerd/containerd/api v1.8.0 new
• github.com/containerd/continuity v0.3.0 -> v0.4.4
• github.com/containerd/errdefs v1.0.0 new
• github.com/containerd/errdefs/pkg v0.3.0 new
• github.com/containerd/go-cni v1.1.9 -> v1.1.10
• github.com/containerd/go-runc v1.0.0 -> v1.1.0
• github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 new
• github.com/containerd/log v0.1.0 new
• github.com/containerd/nri v0.3.0 -> v0.8.0
• github.com/containerd/otelttrpc ea5083f new
• github.com/containerd/platforms v1.0.0-rc.0 new
• github.com/containerd/plugin v1.0.0 new
• github.com/containerd/ttrpc v1.2.1 -> v1.2.6
• github.com/containerd/typeurl/v2 v2.1.0 -> v2.2.2
• github.com/containerd/zfs/v2 v2.0.0-rc.0 new
• github.com/containernetworking/cni v1.1.2 -> v1.2.3
• github.com/containernetworking/plugins v1.2.0 -> v1.5.1
• github.com/containers/ocicrypt v1.1.6 -> v1.2.0
• github.com/cpuguy83/go-md2man/v2 v2.0.2 -> v2.0.5
• github.com/davecgh/go-spew v1.1.1 -> d8f796a
• github.com/distribution/reference v0.6.0 new
• github.com/emicklei/go-restful/v3 v3.10.1 -> v3.11.0
• github.com/felixge/httpsnoop v1.0.4 new
• github.com/fsnotify/fsnotify v1.6.0 -> v1.7.0
• github.com/fxamacker/cbor/v2 v2.7.0 new
• github.com/go-jose/go-jose/v4 v4.0.4 new
• github.com/go-logr/logr v1.2.3 -> v1.4.2
• github.com/golang/protobuf v1.5.2 -> v1.5.4
• github.com/google/go-cmp v0.5.9 -> v0.6.0
• github.com/google/uuid v1.3.0 -> v1.6.0
• github.com/gorilla/websocket v1.5.0 new
• github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 new
• github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 new
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 -> v2.22.0
• github.com/intel/goresctrl v0.3.0 -> v0.8.0
• github.com/klauspost/compress v1.16.0 -> v1.17.11
• github.com/mdlayher/socket v0.4.1 new
• github.com/mdlayher/vsock v1.2.1 new
• github.com/mistifyio/go-zfs/v3 v3.0.1 new
• github.com/moby/spdystream v0.2.0 -> v0.4.0
• github.com/moby/sys/mountinfo v0.6.2 -> v0.7.2
• github.com/moby/sys/sequential v0.5.0 -> v0.6.0
• github.com/moby/sys/signal v0.7.0 -> v0.7.1
• github.com/moby/sys/symlink v0.2.0 -> v0.3.0
• github.com/moby/sys/user v0.3.0 new
• github.com/moby/sys/userns v0.1.0 new
• github.com/munnerz/goautoneg a7dc8b6 new
• github.com/mxk/go-flowrate cca7078 new
• github.com/opencontainers/image-spec 3a7f492 -> v1.1.0
• github.com/opencontainers/runtime-spec v1.1.0-rc.1 -> v1.2.0
• github.com/opencontainers/runtime-tools 946c877 -> 2e043c6
• github.com/opencontainers/selinux v1.11.0 -> v1.11.1
• github.com/pelletier/go-toml/v2 v2.2.3 new
• github.com/pmezard/go-difflib v1.0.0 -> 5d4384e
• github.com/prometheus/client_golang v1.14.0 -> v1.20.5
• github.com/prometheus/client_model v0.3.0 -> v0.6.1
• github.com/prometheus/common v0.37.0 -> v0.55.0
• github.com/prometheus/procfs v0.8.0 -> v0.15.1
• github.com/sirupsen/logrus v1.9.0 -> v1.9.3
• github.com/stefanberger/go-pkcs11uri 78d3cae -> 7828495
• github.com/stretchr/testify v1.8.2 -> v1.9.0
• github.com/urfave/cli/v2 v2.27.5 new
• github.com/vishvananda/netlink v1.2.1-beta.2 -> v1.3.0
• github.com/vishvananda/netns 2eb08e3 -> v0.0.4
• github.com/x448/float16 v0.8.4 new
• github.com/xrash/smetrics 686a1a2 new
• go.etcd.io/bbolt v1.3.7 -> v1.3.11
• go.mozilla.org/pkcs7 432b235 -> v0.9.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 -> v0.56.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 new
• go.opentelemetry.io/otel v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/metric v0.37.0 -> v1.31.0
• go.opentelemetry.io/otel/sdk v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/trace v1.14.0 -> v1.31.0
• go.opentelemetry.io/proto/otlp v0.19.0 -> v1.3.1
• golang.org/x/crypto v0.1.0 -> v0.28.0
• golang.org/x/exp aacd6d4 new
• golang.org/x/mod v0.7.0 -> v0.21.0
• golang.org/x/net v0.7.0 -> v0.30.0
• golang.org/x/oauth2 v0.4.0 -> v0.22.0
• golang.org/x/sync v0.1.0 -> v0.8.0
• golang.org/x/sys v0.6.0 -> v0.26.0
• golang.org/x/term v0.5.0 -> v0.25.0
• golang.org/x/text v0.7.0 -> v0.19.0
• golang.org/x/time 90d013b -> v0.3.0
• google.golang.org/genproto/googleapis/api 5fefd90 new
• google.golang.org/genproto/googleapis/rpc 324edc3 new
• google.golang.org/grpc v1.53.0 -> v1.67.1
• google.golang.org/protobuf v1.28.1 -> v1.35.1
• k8s.io/api v0.26.2 -> v0.31.2
• k8s.io/apimachinery v0.26.2 -> v0.31.2
• k8s.io/apiserver v0.26.2 -> v0.31.2
• k8s.io/client-go v0.26.2 -> v0.31.2
• k8s.io/component-base v0.26.2 -> v0.31.2
• k8s.io/cri-api v0.26.2 -> v0.31.2
• k8s.io/klog/v2 v2.90.1 -> v2.130.1
• k8s.io/kubelet v0.31.2 new
• k8s.io/utils a5ecb01 -> 18e509b
• sigs.k8s.io/json f223a00 -> bc3834c
• sigs.k8s.io/structured-merge-diff/v4 v4.2.3 -> v4.4.1
• sigs.k8s.io/yaml v1.3.0 -> v1.4.0
• tags.cncf.io/container-device-interface v0.8.0 new
• tags.cncf.io/container-device-interface/specs-go v0.8.0 new

Previous release can be found at v1.7.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v1.7.31: containerd 1.7.31

Compare Source

Welcome to the v1.7.31 release of containerd!

The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.

Security Updates

• spdystream
  • CVE-2026-35469

Highlights

Container Runtime Interface (CRI)

• Fix CNI issue where DEL is never executed after a restart (#​12931)
• Sanitize error before gRPC return to prevent possible credential leak in pod events (#​12805)
• Improve error message and add warning when concurrent container creation is detected (#​12744)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Maksym Pavlenko
• Akhil Mohan
• Phil Estes
• Sebastiaan van Stijn
• Wei Fu
• Akihiro Suda
• Alex Chernyakhovsky
• Chris Henzie
• Michael Zappa
• Ricardo Branco
• Shachar Tal
• ningmingxiao
• yashsingh74

Changes

37 commits

• Prepare release notes for v1.7.31 (#​13221)
  • 7d2662653 Prepare release notes for v1.7.31
• update github.com/moby/spdystream v0.5.1 (#​13220)
  • 3f795c02a update github.com/moby/spdystream v0.5.1
• update to Go 1.25.9, 1.26.2 (#​13200)
  • 7b1e1b17b update to Go 1.25.9, 1.26.2
  • b673f2d42 update golangci-lint to v2.9.0 with go1.26 support
  • d88d8513a remove windows/arm from cross build
  • a763407b5 Ignore warnings for golangci-lint bump
  • 03dcd8360 ci: bump golangci from 6.5.2 to 7.0.0
• Update github.com/moby/spdystream v0.2.0->v0.5.0 (#​13176)
  • c08711218 Update github.com/moby/spdystream v0.2.0->v0.5.0
• Skip TestExportAndImportMultiLayer on s390x (#​13152)
  • 043548f6d Skip TestExportAndImportMultiLayer on s390x
• update runc binary to v1.3.5 (#​13059)
  • e99bd6050 [release/1.7] update runc binary to v1.3.5
• CODEOWNERS: mark Sam and Chris as owners for 1.7 (#​13069)
  • 3a3103aaf CODEOWNERS: mark Sam and Chris as owners for 1.7
• Fix vagrant on CI (#​13064)
  • 9b4cfa271 Ignore NOCHANGE error
• ci: modprobe xt_comment on almalinux (#​12959)
  • 53e9e73f0 ci: modprobe xt_comment on almalinux
• Fix TOCTOU race bug in tar extraction (#​12970)
  • 61c2733fd Fix TOCTOU race bug in tar extraction
• Fix CNI issue where CNI DEL is never executed (#​12931)
  • f854c1890 fix issue where cni del is never executed
• apparmor: explicitly set abi/3.0 (#​12899)
  • 5c091d92e apparmor: explicitly set abi/3.0
• backport: integration: Fix TestImageLoad() failure on CI (#​12908)
  • 177ac10fe integration: Fix TestImageLoad() failure on CI
• update to go1.24.13, go1.25.7 (#​12873)
  • 56da43d0f update to go1.24.13, go1.25.7
  • 5cb3cb9ba ci: bump go 1.24.12, 1.25.6
• fix: sanitize error before gRPC return to prevent credential leak in pod events (#​12805)
  • b1fa03843 fix: sanitize error before gRPC return to prevent credential leak in pod events
• cri: emit warning for concurrent CreateContainer (#​12744)
  • e2c93a42c cri: emit warning for concurrent CreateContainer

Dependency Changes

• github.com/moby/spdystream v0.2.0 -> v0.5.1

Previous release can be found at v1.7.30

v1.7.30: containerd 1.7.30

Compare Source

Welcome to the v1.7.30 release of containerd!

The thirtieth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Container Runtime Interface (CRI)

• Fix NRI dropping requested CDI devices silently (#​12650)
• Redact all query parameters in CRI error logs (#​12551)

Runtime

• Update runc binary to v1.3.4 (#​12619)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Austin Vazquez
• Mike Brown
• Wei Fu
• Andrey Noskov
• CrazyMax
• Davanum Srinivas
• Jin Dong
• Krisztian Litkey
• Maksym Pavlenko
• Paweł Gronowski
• Phil Estes
• Samuel Karp

Changes

26 commits

• Prepare release notes for v1.7.30 (#​12652)
  • 3d0ca6d2e Prepare release notes for v1.7.30
• Fix NRI dropping requested CDI devices silently (#​12650)
  • 0bc74f47e cri,nri: don't drop requested CDI devices silently.
• script/setup/install-cni: install CNI plugins v1.9.0 (#​12660)
  • 7db16b562 script/setup/install-cni: install CNI plugins v1.9.0
• go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) (#​12640)
  • bca897b47 go.mod: golang.org/x/crypto v0.45.0
  • 37cbd2224 CI: drop Go 1.23
  • ee49d1747 Update Go requirements in BUILDING
• ci: bump Go 1.24.11, 1.25.5 (#​12627)
  • 145978224 ci: bump Go 1.24.11, 1.25.5
  • 3dbadfaa1 ci: bump Go 1.24.10, 1.25.4
  • 2bac971f0 ci(release): set GO_VERSION in Dockerfile
• Update runc binary to v1.3.4 (#​12619)
  • 34b89a574 runc: Update runc binary to v1.3.4
• ci: update CIFuzz actions to support Ubuntu 24.04 (#​12635)
  • 6e0dd8956 ci: update CIFuzz actions to support Ubuntu 24.04
• build(deps): bump github.com/opencontainers/selinux (#​12591)
  • 3eea2a4af build(deps): bump github.com/opencontainers/selinux
• remove sha256-simd (#​12576)
  • 1194f5128 remove sha256-simd
• .github: skip 5 critest cases for window-2022 (#​12586)
  • ce2d3a67f .github: skip 5 critest cases in window CI pipeline
• Redact all query parameters in CRI error logs (#​12551)
  • 65271ea89 fix: redact all query parameters in CRI error logs

Dependency Changes

• github.com/cyphar/filepath-securejoin v0.5.1 new
• github.com/opencontainers/selinux v1.11.0 -> v1.13.1
• golang.org/x/crypto v0.40.0 -> v0.45.0
• golang.org/x/mod v0.26.0 -> v0.29.0
• golang.org/x/net v0.42.0 -> v0.47.0
• golang.org/x/sync v0.16.0 -> v0.18.0
• golang.org/x/sys v0.34.0 -> v0.38.0
• golang.org/x/term v0.33.0 -> v0.37.0
• golang.org/x/text v0.27.0 -> v0.31.0

Previous release can be found at v1.7.29

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alaudaa-renovate]

ℹ Artifact update notice

File name: artifact-scanner/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/containerd/containerd/v2	v2.0.0 -> v2.0.0