chore(renovate): hold docker/cli & docker/docker at v28 major (v29 needs moby/moby migration; CVE-2025-15558 unreachable)#1682
Open
88plug wants to merge 1 commit into
Open
Conversation
The v29 line of github.com/docker/cli (and docker/docker) moves the Go API onto github.com/moby/moby — a redesigned options/result client — which requires migrating pkg/runtimes/docker. Renovate's automated v29 bump therefore cannot build (see k3d-io#1652, red CI). The v29 bump is labelled [security] for CVE-2025-15558, but that advisory is Windows + cli-plugins/manager only and is not reachable from k3d: k3d does not import github.com/docker/cli/cli-plugins/manager, and govulncheck confirms the advisory is not among k3d's reachable vulnerabilities. So the major bump is not security-required for k3d. Hold both modules at the v28 major (disable only the major update) until the github.com/moby/moby/v2 migration is done, so Renovate stops opening unbuildable v29 PRs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Add a Renovate rule holding
github.com/docker/cliandgithub.qkg1.top/docker/dockerat the v28 major (disables only the major update), until thegithub.qkg1.top/moby/moby/v2migration is done.Why
docker/cliv29 moves the Go API ontogithub.qkg1.top/moby/moby— a redesigned options/result client (ContainerCreate(ctx, ContainerCreateOptions) (ContainerCreateResult, error),Container→Summary,ContainerJSON→InspectResponse, thefilterspackage relocated, error helpers moved, etc.). Adopting it requires migratingpkg/runtimes/docker. The automated bump in #1652 therefore cannot compile — its CI is red — and it has sat open.This rule stops Renovate from re-opening unbuildable v29 PRs while keeping patch/minor updates flowing, and documents the reason inline.
Is the v29 [security] bump actually required for k3d? No.
#1652 is labelled
[security]for CVE-2025-15558 (GHSA-p436-gjf2-799p). That advisory is Windows +cli-plugins/manageronly — quoting it: "This issue does not impact non-Windows binaries or projects that do not use the plugin manager code."k3d does not import
github.com/docker/cli/cli-plugins/manager(it usescli/command,cli/config,cli/connhelper,cli/context,opts,streams).govulncheckreachability analysis confirms the advisory is not among k3d's reachable vulnerabilities:So the major bump is not security-required for k3d.
Note on the reachable findings (out of scope here)
govulncheckdoes flag two reachable advisories ingithub.qkg1.top/docker/docker(GO-2026-4887, GO-2026-4883). That module is EOL ("all versions, no known fixed"); the fixes live only ingithub.qkg1.top/moby/moby/v2(≥ v2.0.0-beta.8 /docker-v29.3.1). Addressing those is the samemoby/moby/v2migration referenced above and is better tracked as its own effort, not a Renovate auto-bump.Relates to #1652.