chore(deps): update containerd (8.19) by elastic-renovate-prod[bot] · Pull Request #6013 · elastic/cloudbeat

elastic-renovate-prod · 2026-05-07T11:12:38Z

This PR contains the following updates:

Package	Type	Update	Change
github.com/containerd/containerd	indirect	patch	`v1.7.27` -> `v1.7.31`
github.com/containerd/containerd/api	indirect	minor	`v1.10.0` -> `v1.11.0`
github.com/containerd/containerd/v2	indirect	minor	`v2.2.3` -> `v2.3.0`
github.com/containerd/continuity	indirect	minor	`v0.4.5` -> `v0.5.0`
github.com/containerd/platforms	indirect	patch	`v1.0.0-rc.2` -> `v1.0.0-rc.4`
github.com/containerd/plugin	indirect	minor	`v1.0.0` -> `v1.1.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

containerd/containerd (github.com/containerd/containerd)

`v1.7.31`: containerd 1.7.31

Compare Source

Welcome to the v1.7.31 release of containerd!

The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.

Security Updates

spdystream
- CVE-2026-35469

Highlights

Container Runtime Interface (CRI)

Fix CNI issue where DEL is never executed after a restart (#12931)
Sanitize error before gRPC return to prevent possible credential leak in pod events (#12805)
Improve error message and add warning when concurrent container creation is detected (#12744)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

Samuel Karp
Maksym Pavlenko
Akhil Mohan
Phil Estes
Sebastiaan van Stijn
Wei Fu
Akihiro Suda
Alex Chernyakhovsky
Chris Henzie
Michael Zappa
Ricardo Branco
Shachar Tal
ningmingxiao
yashsingh74

Changes

37 commits

Prepare release notes for v1.7.31 (#13221)
- 7d2662653 Prepare release notes for v1.7.31
update github.com/moby/spdystream v0.5.1 (#13220)
- 3f795c02a update github.com/moby/spdystream v0.5.1
update to Go 1.25.9, 1.26.2 (#13200)
- 7b1e1b17b update to Go 1.25.9, 1.26.2
- b673f2d42 update golangci-lint to v2.9.0 with go1.26 support
- d88d8513a remove windows/arm from cross build
- a763407b5 Ignore warnings for golangci-lint bump
- 03dcd8360 ci: bump golangci from 6.5.2 to 7.0.0
Update github.com/moby/spdystream v0.2.0->v0.5.0 (#13176)
- c08711218 Update github.com/moby/spdystream v0.2.0->v0.5.0
Skip TestExportAndImportMultiLayer on s390x (#13152)
- 043548f6d Skip TestExportAndImportMultiLayer on s390x
update runc binary to v1.3.5 (#13059)
- e99bd6050 [release/1.7] update runc binary to v1.3.5
CODEOWNERS: mark Sam and Chris as owners for 1.7 (#13069)
- 3a3103aaf CODEOWNERS: mark Sam and Chris as owners for 1.7
Fix vagrant on CI (#13064)
- 9b4cfa271 Ignore NOCHANGE error
ci: modprobe xt_comment on almalinux (#12959)
- 53e9e73f0 ci: modprobe xt_comment on almalinux
Fix TOCTOU race bug in tar extraction (#12970)
- 61c2733fd Fix TOCTOU race bug in tar extraction
Fix CNI issue where CNI DEL is never executed (#12931)
- f854c1890 fix issue where cni del is never executed
apparmor: explicitly set abi/3.0 (#12899)
- 5c091d92e apparmor: explicitly set abi/3.0
backport: integration: Fix TestImageLoad() failure on CI (#12908)
- 177ac10fe integration: Fix TestImageLoad() failure on CI
update to go1.24.13, go1.25.7 (#12873)
- 56da43d0f update to go1.24.13, go1.25.7
- 5cb3cb9ba ci: bump go 1.24.12, 1.25.6
fix: sanitize error before gRPC return to prevent credential leak in pod events (#12805)
- b1fa03843 fix: sanitize error before gRPC return to prevent credential leak in pod events
cri: emit warning for concurrent CreateContainer (#12744)
- e2c93a42c cri: emit warning for concurrent CreateContainer

Dependency Changes

github.com/moby/spdystream v0.2.0 -> v0.5.1

Previous release can be found at v1.7.30

`v1.7.30`: containerd 1.7.30

Compare Source

Welcome to the v1.7.30 release of containerd!

The thirtieth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Container Runtime Interface (CRI)

Fix NRI dropping requested CDI devices silently (#12650)
Redact all query parameters in CRI error logs (#12551)

Runtime

Update runc binary to v1.3.4 (#12619)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

Derek McGowan
Akihiro Suda
Austin Vazquez
Mike Brown
Wei Fu
Andrey Noskov
CrazyMax
Davanum Srinivas
Jin Dong
Krisztian Litkey
Maksym Pavlenko
Paweł Gronowski
Phil Estes
Samuel Karp

Changes

26 commits

Prepare release notes for v1.7.30 (#12652)
- 3d0ca6d2e Prepare release notes for v1.7.30
Fix NRI dropping requested CDI devices silently (#12650)
- 0bc74f47e cri,nri: don't drop requested CDI devices silently.
script/setup/install-cni: install CNI plugins v1.9.0 (#12660)
- 7db16b562 script/setup/install-cni: install CNI plugins v1.9.0
go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) (#12640)
- bca897b47 go.mod: golang.org/x/crypto v0.45.0
- 37cbd2224 CI: drop Go 1.23
- ee49d1747 Update Go requirements in BUILDING
ci: bump Go 1.24.11, 1.25.5 (#12627)
- 145978224 ci: bump Go 1.24.11, 1.25.5
- 3dbadfaa1 ci: bump Go 1.24.10, 1.25.4
- 2bac971f0 ci(release): set GO_VERSION in Dockerfile
Update runc binary to v1.3.4 (#12619)
- 34b89a574 runc: Update runc binary to v1.3.4
ci: update CIFuzz actions to support Ubuntu 24.04 (#12635)
- 6e0dd8956 ci: update CIFuzz actions to support Ubuntu 24.04
build(deps): bump github.com/opencontainers/selinux (#12591)
- 3eea2a4af build(deps): bump github.com/opencontainers/selinux
remove sha256-simd (#12576)
- 1194f5128 remove sha256-simd
.github: skip 5 critest cases for window-2022 (#12586)
- ce2d3a67f .github: skip 5 critest cases in window CI pipeline
Redact all query parameters in CRI error logs (#12551)
- 65271ea89 fix: redact all query parameters in CRI error logs

Dependency Changes

github.com/cyphar/filepath-securejoin v0.5.1 new
github.com/opencontainers/selinux v1.11.0 -> v1.13.1
golang.org/x/crypto v0.40.0 -> v0.45.0
golang.org/x/mod v0.26.0 -> v0.29.0
golang.org/x/net v0.42.0 -> v0.47.0
golang.org/x/sync v0.16.0 -> v0.18.0
golang.org/x/sys v0.34.0 -> v0.38.0
golang.org/x/term v0.33.0 -> v0.37.0
golang.org/x/text v0.27.0 -> v0.31.0

Previous release can be found at v1.7.29

`v1.7.29`: containerd 1.7.29

Compare Source

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes
and updates including security patches.

Security Updates

containerd
- GHSA-pwhc-rpq9-4c8w
- GHSA-m6hq-p25p-ffr2
runc

Highlights

Image Distribution

Update differ to handle zstd media types (#12018)

Runtime

Update runc binary to v1.3.3 (#12480)
Fix lost container logs from quickly closing io (#12375)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

Derek McGowan
Akihiro Suda
Phil Estes
Austin Vazquez
Sebastiaan van Stijn
ningmingxiao
Maksym Pavlenko
StepSecurity Bot
wheat2018

Changes

38 commits

442cb34bd Merge commit from fork
0450f046e Fix directory permissions
e5cb6ddb7 Merge commit from fork
c575d1b5f fix goroutine leak of container Attach
Prepare release notes for v1.7.29 (#12486)
- 1fc2daaf3 Prepare release notes for v1.7.29
Update runc binary to v1.3.3 (#12480)
- 3f5f9f872 runc: Update runc binary to v1.3.3
Update GHA images and bump Go 1.24.9; 1.25.3 (#12471)
- 667409fb6 ci: bump Go 1.24.9, 1.25.3
- 294f8c027 Update GHA runners to use latest images for basic binaries build
- cf66b4141 Update GHA runners to use latest image for most jobs
- fa3e6fa18 pkg/epoch: extract parsing SOURCE_DATE_EPOCH to a function
- ac334bffc pkg/epoch: fix tests on macOS
- d04b8721f pkg/epoch: replace some fmt.Sprintfs with strconv
CI: update Fedora to 43 (#12450)
- 5cfedbf52 CI: update Fedora to 43
CI: skip ubuntu-24.04-arm on private repos (#12429)
- cf99a012d CI: skip ubuntu-24.04-arm on private repos
runc:Update runc binary to v1.3.1 (#12276)
- 4c77b8d07 runc:Update runc binary to v1.3.1
Fix lost container logs from quickly closing io (#12375)
- d30024db2 bugfix:fix container logs lost because io close too quickly
ci: bump Go 1.24.8 (#12362)
- f4b3d96f3 ci: bump Go 1.24.8
- 334fd8e4b update golangci-lint to v1.64.2
- 8a67abc4c Drop inactivated linter exportloopref
- e4dbf08f0 build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
- d7db2ba06 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
- d7182888f build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
- 4be6c7e3b build(deps): bump actions/cache from 4.1.2 to 4.2.0
- a2e097e86 build(deps): bump actions/checkout from 4.2.1 to 4.2.2
- 6de404d11 build(deps): bump actions/cache from 4.1.1 to 4.1.2
- 038a25584 [StepSecurity] ci: Harden GitHub Actions
Update differ to handle zstd media types (#12018)
- eaeb4b6ac Update differ to handle zstd media types
ci: bump Go 1.23.12, 1.24.6 (#12188)
- 83c535339 ci: bump Go 1.23.12, 1.24.6

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.28

`v1.7.28`: containerd 1.7.28

Compare Source

Welcome to the v1.7.28 release of containerd!

The twenty-eighth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Image Distribution

Refresh OAuth tokens when they expire during registry operations (#11721)
Set default differ for the default unpack config of transfer service (#11689)

Runtime

Update runc binary to v1.3.0 (#11800)
Remove invalid error log when stopping container after containerd restart (#11620)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

Akhil Mohan
Akihiro Suda
Austin Vazquez
Maksym Pavlenko
Phil Estes
Derek McGowan
Kirtana Ashok
Henry Wang
Iain Macdonald
Jin Dong
Swagat Bora
Wei Fu
Yang Yang
madraceee

Changes

57 commits

Prepare release notes for v1.7.28 (#12134)
- b01b809f8 Prepare release notes for v1.7.28
ci: bump Go 1.23.11, 1.24.5 (#12117)
- ce2373176 ci: bump Go 1.23.11, 1.24.5
Backport windows test fixes (#12121)
- 3c06bcc4d Fix intermittent test failures on Windows CIs
- c6c0c6854 Remove WS2025 from CIs due to regression
ci: use fedora 39 archive (#12123)
- 6d7e021cf ci: use fedora/39-cloud-base image from archive
update runners to ubuntu 24.04 (#11802)
- c362e18cc CI: install OVMF for Vagrant
- 1d99bec21 CI: fix "Unable to find a source package for vagrant" error
- dafa3c48d add debian sources for ubuntu-24
- b03301d85 partial: enable ubuntu 24 runners
- 13fbc5f97 update release runners to ubuntu 24.04
go.mod: golang.org/x/* latest (#12096)
- da5d1a371 go.mod: golang.org/x/* latest
Remove additional fuzzers from instrumentation repo (#12099)
- 5fef123ba Remove additional fuzzers from CI
backport windows runner and golang toolchain updates (#11972)
- a35978f5a ci: bump golang [1.23.10, 1.24.4] in build and release
- df035aa3e ci: bump golang [1.23.9, 1.24.3] in build and release
- 2a6d9fc71 use go1.23.8 as the default go version
- 15d4d6eba update to go 1.24.2, 1.23.8
- 1613a3b1a Enable CIs to run on WS2022 and WS2025
test: added runc v1 tests using vagrant (#11896)
- 60e73122c test: added runc v1 tests using vagrant
Revert "disable portmap test in ubuntu-22 to make CI happy" (#11803)
- 10e1b515e Revert "Disable port mapping tests in CRI-in-UserNS"
- 7a680e884 fix unbound SKIP_TEST variable error
- e5f8cc995 Revert "disable portmap test in ubuntu-22 to make CI happy"
Update runc binary to v1.3.0 (#11800)
- b001469c7 Update runc binary to v1.3.0
Refresh OAuth tokens when they expire during registry operations (#11721)
- a6421da84 remotes/docker/authorizer.go: invalidate auth tokens when they expire.
[CI] Fix vagrant (#11739)
- effc49e8b Fix vagrant setup
Fix CI (#11722)
- d3e7dd716 Skip criu on Arms
- 7cf9ebe94 Disable port mapping tests in CRI-in-UserNS
- 42657a4ed disable portmap test in ubuntu-22 to make CI happy
- b300fd37b add option to skip tests in critest
- 6f4ffad27 Address cgroup mountpoint does not exist
- cef298331 Update Ubuntu to 24
- 2dd9be16e ci: update GitHub Actions release runner to ubuntu-24.04
Set default differ for the default unpack config of transfer service (#11689)
- e40e59e4e Set default differ for the default unpack config of transfer service
silence govulncheck false positives (#11679)
- ff097d5a4 silence govulncheck false positives
vendor: github.com/go-jose/go-jose/v3 v3.0.4 (#11619)
- 52dd4dc51 vendor: github.com/go-jose/go-jose/v3 v3.0.4
Remove invalid error log when stopping container after containerd restart (#11620)
- 24f41d2d5 use shimCtx for fifo copy
Update runc binary to v1.2.6 (#11584)
- 1e1e78ad7 Update runc binary to v1.2.6
Use RWMutex in NSMap and reduce lock area (#11556)
- 9a8d1d44a Use RWMutex in NSMap and reduce lock area

Dependency Changes

github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
golang.org/x/crypto v0.31.0 -> v0.40.0
golang.org/x/mod v0.17.0 -> v0.26.0
golang.org/x/net v0.33.0 -> v0.42.0
golang.org/x/oauth2 v0.11.0 -> v0.30.0
golang.org/x/sync v0.10.0 -> v0.16.0
golang.org/x/sys v0.28.0 -> v0.34.0
golang.org/x/term v0.27.0 -> v0.33.0
golang.org/x/text v0.21.0 -> v0.27.0
golang.org/x/time 90d013b -> v0.12.0

Previous release can be found at v1.7.27

containerd/continuity (github.com/containerd/continuity)

containerd/platforms (github.com/containerd/platforms)

`v1.0.0-rc.4`

Compare Source

What's Changed

refactor, optimize FormatAll, ParseAll by @thaJeztah in https://github.com/containerd/platforms/pull/30
Strip the win32k when comparing windows platforms by @dmcgowan in https://github.com/containerd/platforms/pull/31
Add OnlyOS function allow matching any architecture by @dmcgowan in https://github.com/containerd/platforms/pull/33

Full Changelog: containerd/platforms@v1.0.0-rc.3...v1.0.0-rc.4

`v1.0.0-rc.3`

Compare Source

What's Changed

Update GitHub actions by @dmcgowan in https://github.com/containerd/platforms/pull/27
Add support for OS Features in the format by @dmcgowan in https://github.com/containerd/platforms/pull/16
Match and Compare platforms with OSFeatures by @dmcgowan in https://github.com/containerd/platforms/pull/20
Add encoding to os version and features by @dmcgowan in https://github.com/containerd/platforms/pull/28

Full Changelog: containerd/platforms@v1.0.0-rc.2...v1.0.0-rc.3

containerd/plugin (github.com/containerd/plugin)

`v1.1.0`

Compare Source

What's Changed

Update github actions by @dmcgowan in https://github.com/containerd/plugin/pull/9
Bump actions/checkout from 4 to 6 by @dependabot[bot] inhttps://github.com/containerd/plugin/pull/111
Bump actions/setup-go from 5 to 6 by @dependabot[bot] inhttps://github.com/containerd/plugin/pull/122
Add benchmark and optimize performance of common functions by @dmcgowan in https://github.com/containerd/plugin/pull/8
Bump golangci lint version and minimum go version by @dmcgowan in https://github.com/containerd/plugin/pull/14
Update GHA runner versions by @dmcgowan in https://github.com/containerd/plugin/pull/15
Update graph logic and add further tests by @dmcgowan in https://github.com/containerd/plugin/pull/13
ci: bump golangci-lint to v2.7.2 by @austinvazquez in https://github.com/containerd/plugin/pull/17
ci: use Go stable by @austinvazquez in https://github.com/containerd/plugin/pull/16

Full Changelog: containerd/plugin@v1.0.0...v1.1.0

Configuration

📅 Schedule: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

elastic-renovate-prod · 2026-05-07T11:12:42Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9
go: downloading k8s.io/streaming v0.36.0
go: github.com/elastic/cloudbeat/internal/vulnerability imports
	github.com/aquasecurity/trivy/pkg/commands/artifact imports
	github.com/aquasecurity/trivy/pkg/misconf imports
	github.com/aquasecurity/trivy/pkg/iac/scanners/helm imports
	github.com/aquasecurity/trivy/pkg/iac/scanners/helm/parser imports
	helm.sh/helm/v3/pkg/action imports
	helm.sh/helm/v3/pkg/kube imports
	k8s.io/kubectl/pkg/cmd/util imports
	k8s.io/kubectl/pkg/scheme imports
	k8s.io/api/scheduling/v1alpha1: cannot find module providing package k8s.io/api/scheduling/v1alpha1
go: warning: github.com/dgraph-io/ristretto@v1.0.1: retracted by module author: need to retract the next release as well
go: to switch to the latest unretracted version, run:
	go get github.com/dgraph-io/ristretto@latest

mergify · 2026-05-08T15:15:46Z

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b renovate/8.19-containerd upstream/renovate/8.19-containerd
git merge upstream/8.19
git push upstream renovate/8.19-containerd

elastic-renovate-prod Bot requested a review from a team as a code owner May 7, 2026 11:12

elastic-renovate-prod Bot added backport-skip dependencies Pull requests that update a dependency file renovate renovate-auto-approve Team:Security-Cloud Services Security Data Experience - Cloud Services team. labels May 7, 2026

elastic-renovate-prod Bot enabled auto-merge May 7, 2026 11:12

github-actions Bot approved these changes May 7, 2026

View reviewed changes

elastic-renovate-prod Bot force-pushed the renovate/8.19-containerd branch from 9daeffa to 775347a Compare May 7, 2026 18:54

github-actions Bot approved these changes May 7, 2026

View reviewed changes

elastic-renovate-prod Bot force-pushed the renovate/8.19-containerd branch from 775347a to bfaaf28 Compare May 8, 2026 01:03