
Bump containerd to v1.7.33 (fix Dependabot alerts)#432

Merged
tamalsaha merged 2 commits into
masterfrom
fix-dependabot-containerd
Jun 28, 2026

Conversation

@tamalsaha

Contributor

Bumps github.com/containerd/containerd (indirect dep via helm.sh/helm/v3, kubepack.dev/lib-helm) from v1.7.32 to v1.7.33.

Resolves both open Dependabot alerts:

| # | Severity | GHSA | Issue |
|---|---|---|---|
| 79 | high | GHSA-xhf5-7wjv-pqxp | host-root command execution from an image pull (image-config LABEL → restart-monitor binary:// logger) |
| 78 | medium | GHSA-jpcc-p29g-p8mq | image-triggered runtime DoS via unbounded group parsing |

Both are patched in v1.7.33.

Changes

  • go get github.com/containerd/containerd@v1.7.33, then go mod tidy + go mod vendor
  • Vendor updates landed in the affected files (labels/labels.go, labels/validate.go)

Verification

  • go build ./... passes

Signed-off-by: Tamal Saha <tamal@appscode.com>
Fixes Dependabot alerts:
- GHSA-xhf5-7wjv-pqxp (high): host-root command execution from an image
  pull via image-config LABEL flowing to restart-monitor binary:// logger
- GHSA-jpcc-p29g-p8mq (medium): image-triggered runtime DoS via unbounded
  group parsing

Signed-off-by: Tamal Saha <tamal@appscode.com>
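An added check that goes with the Changes and Verification steps in the description; it is example code, not from this PR or from the containerd or lib-helm projects. After `go get` and `go mod tidy` on an indirect dependency, it confirms that the module graph really resolves containerd to the patched version (a `replace` directive or a later tidy can leave an older one in place). The containerd module path and v1.7.33 come from the page; the `example.com/other` line and the fork path in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from this PR: check that a module in `go list -m all`
# output resolves to at least a given patched version (here containerd v1.7.33).
# Usage: go list -m all | check_module_min github.com/containerd/containerd v1.7.33

# vercmp A B: prints -1, 0 or 1 for A <, =, > B on major.minor.patch;
# a leading "v" and any -prerelease/+build suffix are ignored.
vercmp() {
  a=${1#v}; b=${2#v}
  a=${a%%[-+]*}; b=${b%%[-+]*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# check_module_min MODULE MINVER: reads `go list -m all` lines on stdin.
# Exit 0 if MODULE resolves to >= MINVER, 1 if it is older, 2 if absent,
# 3 if replaced by a local path (version unknown, inspect by hand).
# A replace directive ("mod vX => other vY") counts the replacement version.
check_module_min() {
  mod=$1; min=$2
  while read -r line; do
    case "$line" in
      "$mod "*) ;;
      *) continue ;;
    esac
    set -- $line
    ver=$2
    if [ "${3:-}" = "=>" ]; then
      [ -n "${5:-}" ] || return 3
      ver=$5
    fi
    if [ "$(vercmp "$ver" "$min")" -lt 0 ]; then
      echo "$mod $ver is older than $min" >&2; return 1
    fi
    echo "$mod $ver satisfies >= $min" >&2; return 0
  done
  echo "$mod not found in module graph" >&2; return 2
}

# Constructed sample lines (not real `go list -m all` output), before and after the bump:
SAMPLE_BEFORE='example.com/other v1.0.0
github.com/containerd/containerd v1.7.32'
SAMPLE_AFTER='example.com/other v1.0.0
github.com/containerd/containerd v1.7.33'
```

Running it against `SAMPLE_BEFORE` exits 1 and against `SAMPLE_AFTER` exits 0; a line such as `github.com/containerd/containerd v1.7.32 => github.com/fork/containerd v1.7.33` (constructed) is judged by the replacement version.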
@tamalsaha tamalsaha merged commit a4499f4 into master Jun 28, 2026
4 checks passed
@tamalsaha tamalsaha deleted the fix-dependabot-containerd branch June 28, 2026 07:43
