Update module github.com/containers/podman/v5 to v5.8.2 [SECURITY] #111

Open
bootc-bot[bot] wants to merge 1 commit into main from bootc-renovate/go-github.com-containers-podman-v5-vulnerability
bootc-bot[bot] commented Sep 5, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: github.com/containers/podman/v5
Change: v5.0.1 → v5.8.2

Improper Input Validation in Buildah and Podman

CVE-2024-9407 / GHSA-fhqq-8f65-5xfc

Details

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Podman Improper Certificate Validation; machine missing TLS verification

CVE-2025-6032 / GHSA-65gg-3w2w-hr4h

Details

Impact

The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack.

Patches

containers/podman@726b506
Fixed in v5.5.2

Workarounds

Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as a file path (podman machine init --image ./somepath).

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


podman kube play symlink traversal vulnerability

CVE-2025-9566 / GHSA-wp3j-xq48-xpjw

Details

Impact

The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file.
This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.

Requirements to exploit:

podman kube play must be used with a ConfigMap or Secret volume mount AND must be run more than once on the same volume. All the attacker has to do is create the malicious symlink on the volume the first time it is started. After that all following starts would follow the symlink and write to the host location.

Patches

Fixed in podman v5.6.1
containers/podman@43fbde4

Workarounds

Don't use podman kube play with ConfigMap or Secret volume mounts.

PR with test for CI

Adding on 9/8/2025 by @TomSweeneyRedHat, this is the PR containing the test: https://github.com/containers/podman/pull/27001

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


PowerShell Command Injection in Podman HyperV Machine

CVE-2026-33414 / GHSA-hc8w-h2mf-hp59

Details

Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection.

Affected Code

File: pkg/machine/hyperv/stubber.go:647

resize := exec.Command("powershell", []string{
    "-command",
    fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath.GetPath(), newSize.ToBytes()),
}...)

Root Cause

PowerShell evaluates $() subexpressions inside double-quoted strings before executing the outer command. The fmt.Sprintf call places the user-controlled image path directly into double quotes without escaping or sanitization.

Impact

An attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.

Patch

containers/podman@571c842

The affected code is only used on Windows; all other operating systems are not affected by this and can thus ignore the CVE patch.

Credit

We would like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.

Severity

  • CVSS Score: 4.0 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

containers/podman (github.com/containers/podman/v5)

v5.8.2

Security
  • This release addresses CVE-2026-33414, where the podman machine init --image command when run on Windows using the Hyper-V backend can run Powershell-escaped commands from the user-specified image path in a Powershell session on the host (GHSA-hc8w-h2mf-hp59).
Bugfixes
  • Fixed a bug where containers with the unless-stopped restart policy would not restart after a reboot when podman-restart.service was enabled (#​28152).
  • Fixed a bug where setting Entrypoint="" in a Quadlet .container file did not clear the container's entrypoint (#​28213).
  • Fixed a bug where setting a HealthCmd in a Quadlet .container file to a command that included double-quotes (") would result in a nonfunctional healthcheck due to a parsing issue (#​28409).
  • Fixed a bug where FreeBSD systems could panic when inspecting containers created with the host network mode (#​28289).
API
  • Fixed a bug where the Libpod System Check endpoint could perform operations with bad data after returning a 400 error (#​28350).
  • Fixed a bug where the remote attach API for containers (Libpod & Compat) could panic due to a rare race condition (#​28277).
  • Fixed a bug where the Secret Create API could not create functional secrets using the shell driver due to options from the default driver being improperly added.
Misc
  • Updated Buildah to v1.43.1
  • Updated the containers/common library to v0.67.1
  • Updated the containers/image library to v5.39.2

v5.8.1

Bugfixes
  • Fixed a critical bug where automatic migration from BoltDB to SQLite after a reboot could perform a partial migration, with some containers in SQLite and some remaining in BoltDB, when Quadlets were in use (#​28215). For those who encountered this bug with 5.8.0 there is no way to automatically recover. If you do not have persistent containers/pods/volumes (i.e. all containers are run using Quadlets) then the easiest option is to move the db.sql file in Podman's storage directory to db.sql.bak (or similar) and reboot again with v5.8.1 to attempt another migration. Please contact the maintainers with any issues during migration and we will assist as able.

v5.8.0

Features
  • The podman quadlet install command can now install files which contain multiple separate Quadlet files. The files must be separated with a --- delimiter on a new line, and each section must begin with a # FileName=<name> line to name the new Quadlet (#27384).
  • Quadlet .container files now support a new key, AppArmor, for configuring the container's AppArmor profile (#​27095).
  • When running the podman artifact add command against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#​26321).
  • The podman update command now features a new option, --ulimit, to update container ulimits (#​26381).
  • The podman exec command now features a new option, --no-session, which disables tracking of the exec session to improve performance and startup time (#​26588).
Changes
  • Podman will now automatically attempt to migrate legacy BoltDB databases to SQLite when the system reboots. This is necessary as support for BoltDB will be removed in Podman 6.0 in May. If automatic migration is not possible, a new option, podman system migrate --migrate-db, will manually force a migration.
  • The podman secret create - command no longer requires that the secret be provided through a pipe, and instead allows typing the secret through the terminal (#​27879).
Bugfixes
  • Fixed a bug where containers created by podman play kube with a healthcheck using the initialDelaySeconds option would run healthchecks before the initial delay had expired (#​27678).
  • Fixed a bug where healthchecks would sometimes fail to execute due to systemd rate limits.
  • Fixed a bug where the podman export command would emit a Mount event instead of an Export event.
  • Fixed a bug where the podman kube play command incorrectly handled precedence between environment variables set by both the envFrom and env fields (#​27287).
  • Fixed a bug where the podman kube play command would panic when parsing Pod YAML missing the image field (#​27784).
  • Fixed a bug where the podman volume mount command returned empty paths when volumes were handled by a plugin driver (#​27858).
  • Fixed a bug where containers created with --rootfs instead of from an image would show that they had a healthcheck in the starting state even if no healthcheck was defined (#​27651).
  • Fixed a bug where the podman build command's --pull=newer option did not function correctly (#​22845).
  • Fixed a bug where the RequiresMountsFor field in Quadlet .container files incorrectly handled bind-mount paths which contained spaces.
  • Fixed a bug where the remote Podman client's podman run --detach-keys option did not accept an empty string (IE, no detach keys) (#​27414).
  • Fixed a bug where the remote Podman client's podman build --secret ... env=VAR option would incorrectly try to read the environment variable on the server side, instead of from the client (#27494).
  • Fixed a bug where the podman artifact push and podman artifact pull commands ignored authentication credentials given by the --authfile option (#​27421).
  • Fixed a bug where Windows paths were incorrectly handled under some circumstances when using the HyperV machine provider (#​27571).
  • Fixed a bug where the podman run --pod-id-file option was not properly validated, allowing the creation of containers in pods with improper user namespace configuration (#​26848).
API
  • Added new APIs for interacting with Quadlets, including GET /libpod/quadlets/{name}/file (print contents of a Quadlet file), GET /libpod/quadlets/{name}/exists (check if the given Quadlet exists), POST /libpod/quadlets (install one or more Quadlets), DELETE /libpod/quadlets (remove one or more Quadlets), and DELETE /libpod/quadlets/{name} (remove a single Quadlet).
  • Fixed a bug where the Compat and Libpod Logs endpoints for Containers did not use nanosecond-level precision for reported timestamps (#​27961).
  • Fixed a bug where the Compat Create endpoint for Containers incorrectly handled healthcheck commands with arguments containing spaces (#​26519).
  • Fixed a bug where the Compat Remove endpoint for Secrets was misnamed as DELETE /secret/{name} instead of DELETE /secrets/{name} (#​27548).
Misc
  • Updated Buildah to v1.43.0
  • Updated the containers/storage library to v1.62.0
  • Updated the containers/image library to v5.39.1
  • Updated the containers/common library to v0.67.0

v5.7.1

Bugfixes
  • Fixed a bug where adding devices to emulated Linux containers on FreeBSD did not work.
  • Fixed a bug where the podman system migrate command could panic under certain circumstances when run rootless.
  • Fixed a bug where Podman would sometimes not correctly recreate the rootless user namespace when Conmon and the rootless pause process were unexpectedly killed.
  • Fixed a bug where the podman kube play command could leak file descriptors.
Misc
  • Updated Buildah to v1.42.2
  • Updated containers/common to v0.66.1

v5.7.0

Security
  • This release addresses CVE-2025-52881, where arbitrary write gadgets and procfs write redirects allowed runc container escape and denial of service.
Features
  • The remote Podman client and podman system service API server now support encrypting connections with TLS and mTLS, including client authentication by certificate (#​24583).
  • The podman system connection add command can now create connections to TCP sockets with TLS and mTLS encryption.
  • The podman run and podman create commands now support two new options, --creds and --cert-dir, to manage logging into registries to pull images.
  • The podman kube play and podman kube down commands can now accept multiple files as input, creating or removing more than one pod or deployment with the same command (#​26274).
  • The podman kube play command now supports a new option, --no-pod-prefix, to disable prefixing container names with pod names. Please note that this can cause pods to fail to create if the pod shares a name with a container (#​26396).
  • The podman machine init command now supports a new option, --tls-verify, to control whether the machine image can be pulled from registries without a trusted TLS certificate, with the default being true (TLS verification on) (#​26517).
  • When running the podman image load and podman build commands against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#​26321).
  • A default location for container log files when using the k8s-file log driver can now be specified with the log_path option in containers.conf.
  • Default flags for the OCI runtime can now be set with the runtimes_flags option in containers.conf.
  • The podman artifact remove command can now accept multiple arguments, for example, podman artifact rm artifact1 artifact2.
  • The podman wait command now supports a new option, --return-on-first, which causes podman wait to return after any container matches the condition, as opposed to waiting for all containers to match (#​26691).
  • The podman container restore command now supports a new option, --tcp-close, allowing containers with active TCP connections to be restored multiple times.
  • Quadlet now features support for a new file type, .artifact, allowing OCI artifacts to be managed with Quadlet (#​25778).
  • Quadlet .container files now support a new key, HttpProxy, to disable the automatic forwarding of HTTP proxy options from the host into the container (#​26925).
  • Quadlet .pod files now support a new key, StopTimeout, to configure the stop timeout for the pod (#​27120).
  • Quadlet .build files now support two new keys, BuildArg and IgnoreFile, to specify build arguments and an ignore file (#​27065 and #​27268).
  • Quadlet .kube files now support multiple YAML files in a single .kube file.
  • Quadlet now supports templated dependencies for volumes and networks (#​25136).
  • The podman quadlet install command now supports a new option, --replace, which will replace any existing Quadlet with a conflicting name (#​26930).
  • The podman quadlet print command now has a new alias, podman quadlet cat (#​27296).
  • The remote Podman client's podman artifact remove command now supports the --all option.
  • The podman artifact add command now supports a new option, --replace, which will replace any existing artifact with the given name (#​27082).
  • The podman artifact rm command now supports a new option, --ignore, which will suppress errors when attempting to remove an artifact that does not exist (#​27084).
  • The podman artifact list command now includes artifact creation time in its output (#​27314).
  • The podman artifact list --format option now supports two new format keys, VirtualSize, returning the size of the artifact in integer bytes, and CreatedAt, returning the time the artifact was created as an RFC3339 timestamp (the existing Size and Created fields returned human-readable information) (#​27085).
  • The podman artifact inspect command now supports a new option, --format, to return specific information about an artifact with user-specified formatting (#​27112).
Changes
  • In preparation for a planned removal of the BoltDB database in Podman 6.0, a warning has been added for installations still using BoltDB. These warnings were added in Podman 5.6, but were not visible by default; they now are. They can be suppressed with the SUPPRESS_BOLTDB_WARNING=true environment variable.
  • A new Windows installer has been introduced with a simpler single MSI architecture that supports both user-scope (no admin required) and machine-scope installations. Note: To use the new installer, users must uninstall existing Podman installations before using the new installer, but all containers, images, machines, and other data will be preserved. The old installer is still provided to ensure backwards compatibility, though it will be removed in a future release (#​22994 and #​25968).
  • Podman now requires Go 1.24.
  • When the -p/--publish and --network=ns:/path options are used together when creating a container, Podman will not warn that the -p option will be ignored as an existing namespace is in use (this has always been the case, but Podman now prints a warning about it) (#​26663).
  • The podman stats command now provides additional information about container resource utilization when run on FreeBSD.
  • Shell autocompletion has been enabled for the --sysctl option to podman create and podman run, and the --interface-name option to podman network create.
  • Artifacts created by Podman now include a creation timestamp by default, stored in the org.opencontainers.image.created annotation (#​27081).
  • The podman inspect command can now inspect artifacts.
  • The podman artifact add command can now override the org.opencontainers.image.title annotation in created artifacts.
  • Podman can now optionally be built with Sequoia-PGP support. When so built, the --sign-by-sq-fingerprint option allows signing images using Sequoia-PGP keys.
Bugfixes
  • Fixed a bug where the --filter ancestor= option to podman ps required complete matches, unlike Docker (which matched substrings) (#​26623).
  • Fixed a bug where the --filter label= option to podman events did not support key-only matches (as podman ps --filter label= does) (#26702).
  • Fixed a bug where Quadlet could panic when a Mount was given without a source being specified.
  • Fixed a bug where Quadlet would fail to generate for a .build file when a systemd specifier was used in the [Build] section (#​26746).
  • Fixed a bug where the podman info command could panic when /proc/sys/fs/binfmt_misc was not mounted.
  • Fixed a bug where the remote Podman client could lose some initial bytes of output from attach sessions (podman run, podman exec, podman attach) due to a race condition (#​26951).
  • Fixed a bug where the podman build command was ignoring SBOM related options (#​23915).
  • Fixed a bug where the --userns=ns:/path option to podman create and podman run was broken with runc 1.1.11 and higher (#​27148).
  • Fixed a bug where podman machine on Windows would always re-pull machine images when using the WSL provider, even if the image had already been pulled and was present on disk.
API
  • Added a new API endpoint to list quadlets (GET /libpod/quadlets/json).
  • The Compat Inspect endpoint for Images no longer includes the ContainerConfig field. To access image configuration, use the Config field instead. This matches changes made by Docker in the v1.45 API.
  • Fixed a bug where the Stats and Commit endpoints for Containers (compat & libpod), the Push, Commit, Push, and Pull endpoints for Images (compat & libpod), and the Push endpoint for Manifests (libpod) were not returning a Content-Type header.
Misc
  • Error messages returned when an incomplete --device option (for example --device /dev/fuse::) is passed to podman create or podman run have been improved.
  • Updated Buildah to v1.42.0
  • Updated the containers/image library to v5.38.0
  • Updated the containers/storage library to v1.61.0
  • Updated the containers/common library to v0.66.0
  • The containers/image, containers/storage, and containers/common libraries are now sourced from the containers/container-libs monorepo.

v5.6.2

Bugfixes
  • Fixed a bug where stopping the podman machine start command with SIGPIPE could result in machine state being stuck as "Starting" (#​26949).
  • Fixed a bug where podman build would fail with a permissions error when building Containerfiles using a non-root user and cache mounts (#​27044).
Misc
  • Updated Buildah to v1.41.5

v5.6.1

Security
  • This release addresses CVE-2025-9566, where Kubernetes YAML run by podman play kube containing ConfigMap and Secret volumes can use crafted symlinks to overwrite content on the host.
Bugfixes
  • Fixed a bug where network creation and removal events were displayed incorrectly when the journald events driver was in use.
  • Fixed a bug where the --security-opt seccomp=unconfined option was broken on Windows (#​26855).
  • Fixed a bug where containers created with a name longer than 64 characters, no explicit hostname, and the container_name_as_hostname option in containers.conf set to true would fail to start.
  • Fixed a bug where Podman would fail to start containers when runc 1.3.0 or later was used as the OCI runtime (#​26938).
Misc
  • Adjusted the systemd-tmpfiles script to recursively remove temporary files directories placed in /tmp, ensuring proper operation of Podman after a reboot if /tmp is not a tmpfs.
  • Updated Buildah to v1.41.4
  • Updated the containers/storage library to v1.59.1
  • Updated the containers/common library to v0.64.2

v5.6.0

Features
  • A new set of commands for managing Quadlets has been added as podman quadlet install (install a new Quadlet for the current user), podman quadlet list (list installed Quadlets), podman quadlet print (print the contents of a Quadlet file), and podman quadlet rm (remove a Quadlet). These commands are presently not available with the remote Podman client - we expect support for this to arrive in a future release.
  • Quadlet .container units can now specify environment variables without values in the Environment= key, retrieving the value from the host when the container is started (#​26247).
  • Quadlet .pod units now support two new keys, Label= (to set labels on the created pod) and ExitPolicy= (to set exit policy for the created pod) (#​25961 and #​25596).
  • Quadlet .image units now support a new key, Policy=, to set pull policy for the image (e.g. pull always, pull only if newer version available) (#​26446).
  • Quadlet .network units now support a new key, InterfaceName=, to specify the name of the network interface created.
  • The podman machine init command now supports a new option, --swap, enabling swap in the created virtual machine and setting it to a given size (in megabytes) (#​15980).
  • The --mount option to podman create and podman run now supports dest= as a valid alias for destination=.
  • The podman kube play command can now restrict container execution to specific CPU cores and specific memory nodes using the io.podman.annotations.cpuset/$ctrname and io.podman.annotations.memory-nodes/$ctrname annotations (#​26172).
  • The podman kube play command now supports the lifecycle.stopSignal field in Pod YAML, allowing the signal used to stop containers to be specified (#​25389).
  • The podman artifact suite of commands for interacting with OCI artifacts is now available in the remote Podman client and the bindings for the REST API.
  • The podman volume import and podman volume export commands are now available in the remote Podman client (#​26049).
  • The --build-context option to podman build is now supported by the remote Podman client (#​23433).
  • The podman volume create command now accepts two new options, --uid and --gid, to set the UID and GID the volume will be created with.
  • The podman secret create command now has a new option, --ignore, causing the command to succeed even if a secret with the given name already exists.
  • The podman pull command now has a new option, --policy, to configure pull policy.
  • The --mount type=artifact option to podman create, podman run, and podman pod create now allows the filename of the artifact in the container to be set using the name= option (e.g. podman run --mount type=artifact,name=$NAME,...).
  • The --tmpfs option to podman create and podman run now allows a new option, noatime, to be passed (e.g. podman run --tmpfs /run:noatime ...) (#​26102).
  • The podman update command now has a new option, --latest, to update the latest container instead of specifying a specific container (#​26380).
  • A new command, podman buildx inspect, has been added to improve Docker compatibility (#​13014).
Breaking Changes
  • Rosetta support in podman machine VMs has been disabled by default due to issues with newer Linux kernels. These issues have been addressed in the Tahoe beta, and we plan on re-enabling support for Rosetta in a future Podman release once the fix is in wider circulation. You can find more details here.
Changes
  • In preparation for a planned removal of the BoltDB database in Podman 6.0, a warning has been added for installations still using BoltDB. These warnings are presently not visible by default, which will happen in Podman 5.7.
  • The podman artifact suite of commands for interacting with OCI artifacts is now considered stable.
  • For users running podman machine VMs using the libkrun provider on an M3 or newer host running macOS 15+, nested virtualization is enabled by default.
  • When creating podman machine VMs on Windows using the WSL v2 provider, images are now pulled as artifacts from quay.io/podman/machine-os, matching the behavior of other VM providers.
  • Signal forwarding done by the --sig-proxy option to podman run and podman attach is now more robust to races and no longer forwards the SIGSTOP signal.
  • The podman system check --quick command now skips checking layer digests.
  • Podman on Windows using the WSLv2 provider now prefers the WSL executable in C:\Program Files\Windows Subsystem for Linux\wsl.exe over the one in WindowsApps, avoiding common “access denied” issues (#​25787).
  • The --mount type=artifact option to podman create, podman run, and podman pod create now mounts artifacts containing only a single blob as a file at the given destination path if the path does not exist in the image.
  • The podman volume export command now refuses to export to STDOUT if it is a TTY (#​26506).
  • When generating Quadlet units with options known to be problematic when used with Podman, such as User=, Group=, and DynamicUser= in the [Service] section of a unit, Quadlet will now warn the user of the potential incompatibility (#​26543).
Bugfixes
  • Fixed a bug where the --security-opt unmask= option to podman create and podman run did not allow comma-separated lists of paths to be passed, instead only allowing a single path.
  • Fixed a bug where stopping a Podman container could unintentionally kill non-Podman processes if the PID of an exec session started inside the container was reused for a new process while the container was running (#​25104).
  • Fixed a bug where podman machine init could fail if run in a Podman container (#​25950).
  • Fixed a bug where podman machine VMs would sometimes receive incorrect timezone information.
  • Fixed a bug where podman machine VMs created with a custom username would not have lingering enabled.
  • Fixed a bug where the podman machine init command on Windows when using the WSL 2 provider did not reliably determine if WSL was installed (#​25523).
  • Fixed a bug where the name of Quadlet .pod units that did not specify the PodName= key was set incorrectly (#​26062).
  • Fixed a bug where Quadlet .container units joining a pod specified in a .pod unit would fail as the pod name was set incorrectly when creating the container (#​26105).
  • Fixed a bug where Quadlet would not generate RequiresMountsFor when mounting a .volume unit with Type=bind set into a container (#​26125).
  • Fixed a bug where Quadlet dropin files were not correctly overwritten by new dropin files with the same name further along the hierarchy if the two dropin files did not share a parent directory (#​26555).
  • Fixed a bug where Quadlet would sometimes not print warnings when failing to parse units (#​26542).
  • Fixed a bug where Quadlet .pod files did not include the last Environment= key in the [Service] section in the generated systemd service (#​26521).
  • Fixed a bug where starting a container with already-running dependencies would fail.
  • Fixed a bug where OCI hooks in a directory specified with --hooks-dir would fail to run when containers were restarted (#​17935).
  • Fixed a bug where the --mount option to podman create and podman run required the type= option to be specified, instead of defaulting to volume when it was not present (#​26101).
  • Fixed a bug where the podman kube play command would fail on Windows when specifying an absolute path to YAML files (#​26350).
  • Fixed a bug where the --security-opt seccomp= option to podman create, podman run, and podman pod create could error on Windows when given a path to a Seccomp profile (#​26558).
  • Fixed a bug where the --blkio-weight-device, --device-read-bps, --device-write-bps, --device-read-iops, and --device-write-iops options to podman create and podman run incorrectly accepted non-block devices.
  • Fixed a bug where the podman build command handled the --ignorefile option differently from the buildah bud command (#​25746).
  • Fixed a bug where the podman rm -f command could return an error when trying to remove a running container whose conmon process had been killed (#​26640).
  • Fixed a bug where the podman inspect command did not correctly display log size for containers when log_size_max was set in containers.conf.
API
  • A full set of API endpoints for interacting with artifacts has been added, including inspecting artifacts (GET /libpod/artifacts/{name}/json), listing all artifacts (GET /libpod/artifacts/json), pulling an artifact (POST /libpod/artifacts/pull), removing an artifact (DELETE /libpod/artifacts/{name}), adding an artifact (or appending to an existing artifact) from a tar file in the request body (POST /libpod/artifacts/add), pushing an artifact to a registry (/libpod/artifacts/{name}/push), and retrieving the contents of an artifact (GET /libpod/artifacts/{name}/extract).
  • The Compat Create endpoint for Containers now accepts a new parameter, HostConfig.CgroupnsMode, to specify the cgroup namespace mode of the created container.
  • The Compat Create endpoint for Containers now respects the base_hosts_file option in containers.conf.
  • The Compat System Info endpoint now returns a new field, DefaultAddressPools.
  • The Compat System DF endpoint has removed the deprecated BuilderSize field.
  • The Compat Ping endpoint now sets Builder-Version to 1 to match Docker installs that do not include BuildKit.
  • The Compat List endpoint for Images now returns the shared-size field unconditionally, even if the shared-size query parameter was not set to true. If not requested through query parameter, it is set to -1. This improves Docker API compatibility.
  • The Compat Inspect endpoint for Images now no longer returns the deprecated VirtualSize field when Docker API version 1.44 and up is requested.
  • Fixed a bug where the Compat Delete API for Containers would remove running containers when the FORCE parameter was set to true; Docker only removes stopped containers (#​25871).
  • Fixed a bug where the Compat List and Compat Inspect endpoints for Containers returned container status using Podman statuses instead of converting to Docker-compatible statuses (#​17728).
  • Fixed a bug where healthchecks that exceeded their timeout were not properly terminated; they now receive SIGTERM, then SIGKILL after a delay, if their timeout is exceeded (#​26086).
  • Fixed a bug where application/json responses would be HTML escaped, mutating some responses (e.g. <missing> becoming \u003cmissing\u003e in image history responses) (#​17769).
Misc
  • Quadlet now no longer uses container/pod ID files when stopping containers, but instead passes the name of the container/pod directly to podman stop/podman pod stop.
  • When building Podman via Makefile, it will now attempt to dynamically link sqlite3 if the library and header are installed locally. This and other optimizations should result in a significant reduction in binary size relative to Podman 5.5.x. Packagers can use the libsqlite3 build tag to force this behavior when not using the Makefile to build.
  • Updated Buildah to v1.41.3
  • Updated the containers/common library to v0.64.1
  • Updated the containers/storage library to v1.59.1
  • Updated the containers/image library to v5.36.1

v5.5.2

Security
  • This release addresses CVE-2025-6032, in which the TLS connection used to pull VM images for podman machine was, by default, not validated, allowing connections to servers with invalid certificates by default and potentially allowing a Man in the Middle attack.
Bugfixes
  • Fixed a bug where Podman could panic after a reboot on systems with pods containing containers (#​26469).

v5.5.1

Bugfixes
  • Fixed a bug where containers mounting a volume to / could overmount important directories such as /proc causing start and/or runtime failures due to an issue with mount ordering (#​26161).
  • Fixed a bug where Quadlet .pod units could fail to start due to their storage not being mounted (#​26190).
  • Fixed a bug where containers joined to a network with DNS enabled would not include the host's search domains in their resolv.conf (#​24713).
  • Fixed a bug where the --dns-opt option to podman create, podman run, and podman pod create would append options to the container's resolv.conf, instead of replacing them (#​22399).
  • Fixed a bug where the podman kube play command would add an empty network alias for containers created with no name specified, causing Netavark to emit extraneous warnings.
  • Fixed a bug where the podman system df command would panic when one or more containers were created using a root filesystem (the --rootfs option to podman create and podman run) instead of from an image (#​26224).
  • Fixed a bug where the log_tag field in containers.conf would override the --log-opt tag=value option to podman create and podman run (#​26236).
  • Fixed a bug where the podman volume rm and podman volume inspect commands would incorrectly handle volume names containing the _ character when the SQLite database backend was in use (#​26168).
  • Fixed a bug where the Podman remote client on Windows was unable to mount local folders into containers using overlay mounts (-v source:destination:O) (#​25988).
API
  • Fixed a bug in the Libpod Create API for Containers where rlimits specified with a value of -1 were causing errors, instead of being interpreted as the maximum possible value (#​24886).
  • Fixed a bug in the Compat Create API for Containers where specifying an entrypoint of [] (an empty array) was ignored, instead of setting an empty entrypoint (#​26078).
Misc
  • Updated Buildah to v1.40.1
  • Updated the containers/common library to v0.63.1

v5.5.0

Features
  • A new command has been added, podman machine cp, to copy files into a running podman machine VM.
  • A new command has been added, podman artifact extract, to copy some or all of the contents of an OCI artifact to a location on disk.
  • The --mount option to podman create, podman run, and podman pod create now supports a new mount type, --mount type=artifact, to mount OCI artifacts into containers.
  • The podman artifact add command now features two new options, --append (to add new files to an existing artifact) and --file-type (to specify the MIME type of the file added to the artifact) (#​25884).
  • The podman artifact rm command now features a new option, --all, to remove all artifacts in the local store.
  • The --filter option to podman pause, podman ps, podman restart, podman rm, podman start, podman stop, and podman unpause now accepts a new filter, command, which filters on the first element (argv[0]) of the command run in the container.
  • The podman exec command now supports a new option, --cidfile, to specify the ID of the container to exec into via a file (#​21256).
  • The podman kube generate and podman kube play commands now support a new annotation, io.podman.annotation.pids-limit/$containername, preserving the PID limit for containers across kube generate and kube play (#24418).
  • Quadlet .container units now support three new keys, Memory= (set maximum memory for the created container), ReloadCmd (execute a command via systemd ExecReload), and ReloadSignal (kill the container with the given signal via systemd ExecReload) (#​22036).
  • Quadlet .container, .image, and .build units now support two new keys, Retry (number of times to retry pulling image on failure) and RetryDelay (delay between retries) (#25109).

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@bootc-bot
Contributor Author

bootc-bot Bot commented Sep 5, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 98 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22.6 -> 1.23.3
github.com/containers/common v0.58.1 -> v0.64.2
github.com/containers/gvisor-tap-vsock v0.7.3 -> v0.8.6
github.com/distribution/reference v0.5.0 -> v0.6.0
github.com/gofrs/flock v0.8.1 -> v0.12.1
github.com/onsi/ginkgo/v2 v2.17.1 -> v2.23.4
github.com/onsi/gomega v1.32.0 -> v1.38.0
github.com/spf13/cobra v1.8.0 -> v1.9.1
golang.org/x/crypto v0.28.0 -> v0.40.0
golang.org/x/sys v0.26.0 -> v0.34.0
golang.org/x/term v0.25.0 -> v0.33.0
dario.cat/mergo v1.0.0 -> v1.0.2
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 -> v0.0.0-20250102033503-faa5f7b0171c
github.com/BurntSushi/toml v1.3.2 -> v1.5.0
github.com/Microsoft/go-winio v0.6.1 -> v0.6.2
github.com/Microsoft/hcsshim v0.12.0-rc.3 -> v0.13.0
github.com/cilium/ebpf v0.11.0 -> v0.17.3
github.com/containerd/cgroups/v3 v3.0.3 -> v3.0.5
github.com/containerd/containerd v1.7.13 -> v1.7.23
github.com/containerd/errdefs v0.1.0 -> v1.0.0
github.com/containerd/stargz-snapshotter/estargz v0.15.1 -> v0.16.3
github.com/containerd/typeurl/v2 v2.1.1 -> v2.2.3
github.com/containers/buildah v1.35.3 -> v1.41.4
github.com/containers/image/v5 v5.30.0 -> v5.36.2
github.com/containers/libhvee v0.7.0 -> v0.10.0
github.com/containers/ocicrypt v1.1.9 -> v1.2.1
github.com/containers/storage v1.53.0 -> v1.59.1
github.com/crc-org/crc/v2 v2.32.0 -> v2.48.0
github.com/crc-org/vfkit v0.5.1 -> v0.6.1
github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f -> v0.0.0-20241213102144-19d51d7fe467
github.com/cyphar/filepath-securejoin v0.2.4 -> v0.4.1
github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e -> v0.0.0-20250212194115-ee9b0668d242
github.com/docker/docker v25.0.3+incompatible -> v28.3.3+incompatible
github.com/docker/docker-credential-helpers v0.8.1 -> v0.9.3
github.com/fsnotify/fsnotify v1.7.0 -> v1.9.0
github.com/fsouza/go-dockerclient v1.10.1 -> v1.12.1
github.com/go-logr/logr v1.4.1 -> v1.4.3
github.com/go-openapi/analysis v0.21.4 -> v0.23.0
github.com/go-openapi/errors v0.21.1 -> v0.22.0
github.com/go-openapi/jsonpointer v0.19.6 -> v0.21.0
github.com/go-openapi/jsonreference v0.20.2 -> v0.21.0
github.com/go-openapi/loads v0.21.2 -> v0.22.0
github.com/go-openapi/runtime v0.26.0 -> v0.28.0
github.com/go-openapi/spec v0.20.9 -> v0.21.0
github.com/go-openapi/strfmt v0.22.2 -> v0.23.0
github.com/go-openapi/swag v0.22.10 -> v0.23.0
github.com/go-openapi/validate v0.22.1 -> v0.24.0
github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 -> v5.1.1-0.20241109141217-c266b19b28e9
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da -> v0.0.0-20241129210726-2c02b8208cf8
github.com/golang/protobuf v1.5.3 -> v1.5.4
github.com/google/go-cmp v0.6.0 -> v0.7.0
github.com/google/go-containerregistry v0.19.0 -> v0.20.3
github.com/google/pprof v0.0.0-20230323073829-e72429f035bd -> v0.0.0-20250403155104-27863c87afa6
github.com/gorilla/schema v1.2.1 -> v1.4.1
github.com/klauspost/compress v1.17.7 -> v1.18.0
github.com/klauspost/cpuid/v2 v2.2.8 -> v2.2.10
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e -> v0.0.0-20240620165639-de9c06129bec
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 -> v0.0.0-20240909124753-873cd0166683
github.com/mattn/go-colorable v0.1.13 -> v0.1.14
github.com/mattn/go-runewidth v0.0.15 -> v0.0.16
github.com/mattn/go-sqlite3 v1.14.22 -> v1.14.28
github.com/moby/buildkit v0.12.5 -> v0.23.2
github.com/moby/sys/mountinfo v0.7.1 -> v0.7.2
github.com/moby/sys/sequential v0.5.0 -> v0.6.0
github.com/moby/sys/user v0.1.0 -> v0.4.0
github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
github.com/opencontainers/runc v1.1.12 -> v1.3.0
github.com/opencontainers/runtime-spec v1.2.0 -> v1.2.1
github.com/opencontainers/runtime-tools v0.9.1-0.20230914150019-408c51e934dc -> v0.9.1-0.20250523060157-0ea5ed0382a2
github.com/opencontainers/selinux v1.11.0 -> v1.12.0
github.com/openshift/imagebuilder v1.2.6 -> v1.2.16
github.com/pkg/sftp v1.13.6 -> v1.13.9
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c -> v0.0.0-20240221224432-82ca36839d55
github.com/proglottis/gpgme v0.1.3 -> v0.1.4
github.com/secure-systems-lab/go-securesystemslib v0.8.0 -> v0.9.0
github.com/sigstore/fulcio v1.4.3 -> v1.6.6
github.com/sigstore/rekor v1.2.2 -> v1.3.6
github.com/sigstore/sigstore v1.8.2 -> v1.9.5
github.com/tchap/go-patricia/v2 v2.3.1 -> v2.3.3
github.com/tklauser/go-sysconf v0.3.12 -> v0.3.14
github.com/tklauser/numcpus v0.6.1 -> v0.9.0
github.com/ulikunitz/xz v0.5.11 -> v0.5.15
github.com/vbatts/tar-split v0.11.5 -> v0.12.1
github.com/vbauerster/mpb/v8 v8.7.2 -> v8.10.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 -> v0.60.0
go.opentelemetry.io/otel v1.22.0 -> v1.35.0
go.opentelemetry.io/otel/metric v1.22.0 -> v1.35.0
golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 -> v0.0.0-20250408133849-7e4ce0ab07d0
golang.org/x/mod v0.17.0 -> v0.25.0
golang.org/x/net v0.30.0 -> v0.42.0
golang.org/x/sync v0.8.0 -> v0.16.0
golang.org/x/text v0.19.0 -> v0.27.0
golang.org/x/time v0.3.0 -> v0.11.0
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d -> v0.34.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 -> v0.0.0-20250313205543-e70fdf4c4cb4
google.golang.org/grpc v1.61.0 -> v1.72.2
google.golang.org/protobuf v1.35.1 -> v1.36.6
sigs.k8s.io/yaml v1.4.0 -> v1.5.0
tags.cncf.io/container-device-interface v0.6.2 -> v1.0.1

@bootc-bot
Contributor Author

bootc-bot Bot commented Sep 5, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@cgwalters
Collaborator

Yeah none of these CVEs apply to us either...

This whole thing is very much reinforcing my desire to use Rust for this project...

@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch 2 times, most recently from 8820ad6 to 07ca1ef Compare September 9, 2025 13:19
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch from 07ca1ef to c30b8ad Compare September 24, 2025 16:12
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch 2 times, most recently from cd37335 to 1c33b43 Compare October 13, 2025 22:09
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch from 1c33b43 to 019d861 Compare October 24, 2025 18:13
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch from 019d861 to 55bbc20 Compare November 5, 2025 20:12
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch from 55bbc20 to 4db4c20 Compare December 2, 2025 16:14
@bootc-bot
Contributor Author

bootc-bot Bot commented Dec 18, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 103 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22.6 -> 1.24.2
github.com/containers/common v0.58.1 -> v0.62.2
github.com/containers/gvisor-tap-vsock v0.7.3 -> v0.8.8
github.com/distribution/reference v0.5.0 -> v0.6.0
github.com/gofrs/flock v0.8.1 -> v0.12.1
github.com/onsi/ginkgo/v2 v2.17.1 -> v2.28.0
github.com/onsi/gomega v1.32.0 -> v1.39.1
github.com/sirupsen/logrus v1.9.3 -> v1.9.4
github.com/spf13/cobra v1.8.0 -> v1.10.1
golang.org/x/crypto v0.28.0 -> v0.47.0
golang.org/x/sys v0.26.0 -> v0.40.0
golang.org/x/term v0.25.0 -> v0.39.0
dario.cat/mergo v1.0.0 -> v1.0.2
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 -> v0.0.0-20250102033503-faa5f7b0171c
github.com/BurntSushi/toml v1.3.2 -> v1.5.0
github.com/Microsoft/go-winio v0.6.1 -> v0.6.2
github.com/Microsoft/hcsshim v0.12.0-rc.3 -> v0.13.0
github.com/cilium/ebpf v0.11.0 -> v0.17.3
github.com/containerd/cgroups/v3 v3.0.3 -> v3.0.5
github.com/containerd/containerd v1.7.13 -> v1.7.23
github.com/containerd/errdefs v0.1.0 -> v1.0.0
github.com/containerd/stargz-snapshotter/estargz v0.15.1 -> v0.17.0
github.com/containerd/typeurl/v2 v2.1.1 -> v2.2.3
github.com/containers/buildah v1.35.3 -> v1.43.1
github.com/containers/image/v5 v5.30.0 -> v5.34.2
github.com/containers/libhvee v0.7.0 -> v0.10.1-0.20250829163521-178d10e67860
github.com/containers/ocicrypt v1.1.9 -> v1.2.1
github.com/containers/psgo v1.9.0 -> v1.9.1-0.20250826150930-4ae76f200c86
github.com/containers/storage v1.53.0 -> v1.57.2
github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 -> v22.6.0
github.com/crc-org/crc/v2 v2.32.0 -> v2.48.0
github.com/crc-org/vfkit v0.5.1 -> v0.6.1
github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f -> v0.0.0-20241213102144-19d51d7fe467
github.com/cyphar/filepath-securejoin v0.2.4 -> v0.5.2
github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e -> v0.0.0-20250212194115-ee9b0668d242
github.com/docker/docker v25.0.3+incompatible -> v28.5.1+incompatible
github.com/docker/docker-credential-helpers v0.8.1 -> v0.9.4
github.com/docker/go-connections v0.5.0 -> v0.6.0
github.com/fsnotify/fsnotify v1.7.0 -> v1.9.0
github.com/fsouza/go-dockerclient v1.10.1 -> v1.12.2
github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
github.com/go-logr/logr v1.4.1 -> v1.4.3
github.com/go-openapi/analysis v0.21.4 -> v0.23.0
github.com/go-openapi/errors v0.21.1 -> v0.22.0
github.com/go-openapi/jsonpointer v0.19.6 -> v0.21.0
github.com/go-openapi/jsonreference v0.20.2 -> v0.21.0
github.com/go-openapi/loads v0.21.2 -> v0.22.0
github.com/go-openapi/runtime v0.26.0 -> v0.28.0
github.com/go-openapi/spec v0.20.9 -> v0.21.0
github.com/go-openapi/strfmt v0.22.2 -> v0.23.0
github.com/go-openapi/swag v0.22.10 -> v0.23.0
github.com/go-openapi/validate v0.22.1 -> v0.24.0
github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 -> v5.1.1-0.20241109141217-c266b19b28e9
github.com/golang/protobuf v1.5.3 -> v1.5.4
github.com/google/go-cmp v0.6.0 -> v0.7.0
github.com/google/go-containerregistry v0.19.0 -> v0.20.6
github.com/google/pprof v0.0.0-20230323073829-e72429f035bd -> v0.0.0-20260115054156-294ebfa9ad83
github.com/gorilla/schema v1.2.1 -> v1.4.1
github.com/klauspost/compress v1.17.7 -> v1.18.0
github.com/klauspost/cpuid/v2 v2.2.8 -> v2.2.10
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e -> v0.0.0-20240620165639-de9c06129bec
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 -> v0.0.0-20240909124753-873cd0166683
github.com/mattn/go-colorable v0.1.13 -> v0.1.14
github.com/mattn/go-runewidth v0.0.15 -> v0.0.16
github.com/mattn/go-sqlite3 v1.14.22 -> v1.14.32
github.com/mistifyio/go-zfs/v3 v3.0.1 -> v3.1.0
github.com/moby/buildkit v0.12.5 -> v0.25.1
github.com/moby/sys/mountinfo v0.7.1 -> v0.7.2
github.com/moby/sys/sequential v0.5.0 -> v0.6.0
github.com/moby/sys/user v0.1.0 -> v0.4.0
github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
github.com/opencontainers/runc v1.1.12 -> v1.3.4
github.com/opencontainers/runtime-spec v1.2.0 -> v1.2.1
github.com/opencontainers/runtime-tools v0.9.1-0.20230914150019-408c51e934dc -> v0.9.1-0.20250523060157-0ea5ed0382a2
github.com/opencontainers/selinux v1.11.0 -> v1.13.1
github.com/openshift/imagebuilder v1.2.6 -> v1.2.19
github.com/pkg/sftp v1.13.6 -> v1.13.9
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c -> v0.0.0-20240221224432-82ca36839d55
github.com/proglottis/gpgme v0.1.3 -> v0.1.5
github.com/secure-systems-lab/go-securesystemslib v0.8.0 -> v0.9.1
github.com/sigstore/fulcio v1.4.3 -> v1.7.1
github.com/sigstore/rekor v1.2.2 -> v1.3.8
github.com/sigstore/sigstore v1.8.2 -> v1.9.5
github.com/tchap/go-patricia/v2 v2.3.1 -> v2.3.3
github.com/tklauser/go-sysconf v0.3.12 -> v0.3.15
github.com/tklauser/numcpus v0.6.1 -> v0.10.0
github.com/ulikunitz/xz v0.5.11 -> v0.5.15
github.com/vbatts/tar-split v0.11.5 -> v0.12.1
github.com/vbauerster/mpb/v8 v8.7.2 -> v8.10.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 -> v0.61.0
go.opentelemetry.io/otel v1.22.0 -> v1.36.0
go.opentelemetry.io/otel/metric v1.22.0 -> v1.36.0
golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 -> v0.0.0-20250408133849-7e4ce0ab07d0
golang.org/x/mod v0.17.0 -> v0.32.0
golang.org/x/net v0.30.0 -> v0.49.0
golang.org/x/sync v0.8.0 -> v0.19.0
golang.org/x/text v0.19.0 -> v0.33.0
golang.org/x/time v0.3.0 -> v0.11.0
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d -> v0.41.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 -> v0.0.0-20250414145226-207652e42e2e
google.golang.org/grpc v1.61.0 -> v1.72.2
google.golang.org/protobuf v1.35.1 -> v1.36.9
sigs.k8s.io/yaml v1.4.0 -> v1.6.0
tags.cncf.io/container-device-interface v0.6.2 -> v1.0.1

@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch from 4db4c20 to d48b80b Compare January 15, 2026 19:15
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch 2 times, most recently from 1621dcd to 6429160 Compare February 10, 2026 19:32
@bootc-bot bootc-bot Bot changed the title Update module github.com/containers/podman/v5 to v5.6.1 [SECURITY] fix(deps): update module github.com/containers/podman/v5 to v5.6.1 [security] Mar 19, 2026
@bootc-bot bootc-bot Bot changed the title fix(deps): update module github.com/containers/podman/v5 to v5.6.1 [security] fix(deps): update module github.com/containers/podman/v5 to v5.6.1 [security] - autoclosed Mar 27, 2026
@bootc-bot bootc-bot Bot closed this Mar 27, 2026
@bootc-bot bootc-bot Bot deleted the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch March 27, 2026 00:49
@bootc-bot bootc-bot Bot changed the title fix(deps): update module github.com/containers/podman/v5 to v5.6.1 [security] - autoclosed fix(deps): update module github.com/containers/podman/v5 to v5.6.1 [security] Mar 30, 2026
@bootc-bot bootc-bot Bot reopened this Mar 30, 2026
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch 2 times, most recently from 6429160 to ad15d54 Compare March 30, 2026 18:30
@bootc-bot bootc-bot Bot changed the title fix(deps): update module github.com/containers/podman/v5 to v5.6.1 [security] Update module github.com/containers/podman/v5 to v5.6.1 [SECURITY] Apr 2, 2026
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch from ad15d54 to d2e50c5 Compare April 14, 2026 23:24
@bootc-bot bootc-bot Bot changed the title Update module github.com/containers/podman/v5 to v5.6.1 [SECURITY] Update module github.com/containers/podman/v5 to v5.8.2 [SECURITY] Apr 14, 2026
@bootc-bot bootc-bot Bot changed the title Update module github.com/containers/podman/v5 to v5.8.2 [SECURITY] Update module github.com/containers/podman/v5 to v5.8.2 [SECURITY] - autoclosed Apr 27, 2026
@bootc-bot bootc-bot Bot closed this Apr 27, 2026
Signed-off-by: bootc-bot[bot] <225049296+bootc-bot[bot]@users.noreply.github.com>
@bootc-bot bootc-bot Bot changed the title Update module github.com/containers/podman/v5 to v5.8.2 [SECURITY] - autoclosed Update module github.com/containers/podman/v5 to v5.8.2 [SECURITY] Apr 27, 2026
@bootc-bot bootc-bot Bot reopened this Apr 27, 2026
@bootc-bot bootc-bot Bot force-pushed the bootc-renovate/go-github.com-containers-podman-v5-vulnerability branch 2 times, most recently from d2e50c5 to 1e08422 Compare April 27, 2026 18:39