Skip to content

chore(deps): bump github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2#11

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/containerd/containerd/v2-2.3.2
Open

chore(deps): bump github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2#11
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/containerd/containerd/v2-2.3.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2.

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.3.2

Welcome to the v2.3.2 release of containerd!

The second patch release for containerd 2.3 contains various fixes and updates including security patches.

Security Updates

Highlights

  • Fix a data race when reading shim logs on Windows (#13522)

Image Distribution

  • Allow the last host to retry on transient network errors (#13591)

Runtime

  • Fix container startup failures caused by concurrent task RPC timeouts during slow container creation (#13512)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

  • Samuel Karp
  • Chris Henzie
  • Akihiro Suda
  • Derek McGowan
  • Akhil Mohan
  • Austin Vazquez
  • Ben Cressey
  • Brian Goff
  • Maksym Pavlenko
  • Sebastiaan van Stijn
  • Sergey Kanzhelev

Changes

  • Prepare release notes for v2.3.2 (#13627)

... (truncated)

Commits
  • fff62f1 Merge pull request #13627 from samuelkarp/prepare-v2.3.2
  • fb8ca00 Prepare release notes for v2.3.2
  • 9c69960 Merge commit from fork
  • b54e3ec Merge pull request #13608 from thaJeztah/2.3_bump_crypto
  • 0d1dbb8 Merge pull request #13591 from k8s-infra-cherrypick-robot/cherry-pick-13323-t...
  • 0b94695 [release/2.3] vendor: golang.org/x/crypto v0.53.0
  • b38dbd1 Merge pull request #13601 from k8s-infra-cherrypick-robot/cherry-pick-13590-t...
  • 0f62515 Merge commit from fork
  • 7c2e086 Merge commit from fork
  • 94aa1e2 Merge commit from fork
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 23, 2026
@zeabur-review-agent

Copy link
Copy Markdown

Note

Currently processing new changes in this PR, please wait...

📦 Commits (1)

Reviewed via multi-agent panel

📂 Files selected for processing (2)

Details available in the full review

@zeabur-review-agent

Copy link
Copy Markdown

Panel Review — zbplan PR #11

1. What problem does this PR solve?

Dependabot security bump: github.com/containerd/containerd/v2 2.3.1 → 2.3.2 (indirect, via testcontainers-go). Closes five CVEs (CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262).

2. How does it solve it?

Updates go.mod and go.sum only. The containerd bump triggers normal MVS cascading that also raises several golang.org/x/* modules: x/sync 0.20.0→0.21.0 (direct), plus x/crypto, x/net, x/sys, x/text, x/term (indirect). No application source code changes.

3. What are the tradeoffs?

  • Low runtime risk: containerd is indirect (test infrastructure only); production CLI does not import it.
  • Collateral bumps are expected go mod tidy fallout, not intentional changes.
  • Nix build desync: The repo's flake.nix hardcodes a vendorHash for buildGoModule. Dependabot never touches flake.nix, so after the module graph changes the hash is stale and nix build will fail deterministically.

4. Verdict

Consensus: request changes (blocker on vendorHash)
Reviewers: Aragorn: blocker, Legolas: approve, Gimli: (pending), Boromir: (pending), Frodo: approve, Sam: approve, Merry: request changes


🔴 BLOCKER

  • B1. flake.nix:42vendorHash = "sha256-mNI686Xb6728od8JiWf1I09VyYzTSVA0jviVbkelFuM=" is now stale. The PR changes the dependency set in go.mod/go.sum, so buildGoModule's vendored output hash necessarily changes. CI's dedicated build job (.github/workflows/tests.yml) runs nix build . and will fail with error: hash mismatch in fixed-output derivation. Fix: set vendorHash = lib.fakeHash, run nix build, paste the reported got: hash back. (raised by: Aragorn, Merry)

🟠 SUGGESTED CHANGES

  • None

⚖️ Unresolved disagreements

  • Legolas, Sam, and Frodo approved without flagging vendorHash — they noted containerd is indirect and low-risk. Aragorn and Merry identified the Nix build breakage as blocking. The disagreement is on severity (the build will fail deterministically on merge), resolved in favor of blocker since CI enforces the Nix build path.

🟡 NIT

  • None

🟢 INFO

  • I1. Only the build CI job breaks; lint, unit, and integration run via nix develop (devShell, no vendorHash) and are unaffected. (raised by: Aragorn)
  • I2. The dependency bump itself is security-positive and should merge once B1 is fixed. (raised by: Aragorn, Frodo, Sam, Legolas)

@zeabur-review-agent zeabur-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multi-agent review: changes requested (blocker found)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code request-changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants