[pull] main from open-component-model:main#393
Merged
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | devDependencies | patch | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.3/8.59.4) | [scorecard](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/331) for more information.

---

### Release Notes

<details>
<summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary>

### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8594-2026-05-18)

[Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4)

##### 🩹 Fixes

- **typescript-eslint:** export Compatible\* types from typescript-eslint to resolve pnpm TS error ([#12340](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340))

##### ❤️ Thank You

- Kirk Waiblinger [@kirkwaiblinger](https://redirect.github.com/kirkwaiblinger)

See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website.

</details>

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>
## Summary

- The `run_integration_tests` matrix had a static `include` entry for `bindings/go/sigstore/integration`, which GitHub Actions injects unconditionally, even when the module is absent from the dynamic `integration_test_modules_json` list. This caused sigstore integration tests to run on every single PR.
- Replace the matrix `runner` axis + `exclude`/`include` with a single `module` axis. Runner selection uses a top-level `INTEGRATION_TEST_RUNNER_MAP` env var (JSON object) looked up via `fromJSON` at job dispatch time, falling back to `ubuntu-24.04-arm`.
- The map is static, defined at the top of the file with a comment pointing to the job, and documented with instructions for adding further overrides.

## Test plan

- [ ] Open a PR touching only `bindings/go/sigstore/` (non-integration code): sigstore integration tests should NOT appear in the matrix
- [ ] Open a PR touching `bindings/go/sigstore/integration/`: sigstore integration tests SHOULD run on `ubuntu-latest`
- [ ] Open a PR touching `.github/workflows/ci.yml`: all tests run (CI changed path)
- [ ] Verify other integration test modules still run on `ubuntu-24.04-arm`

---------

Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
## Summary

Gate 6 of the phased [ADR 0018 / issue #1047](open-component-model/ocm-project#1047) credentials migration. Builds on gates 1–5 (PRs #2580, #2586, #2594, #2598, #2602).

> **Note:** this branch also contains #2613 (plugin `CredentialsFromHeader` refactor). Once that merges, this PR will show only the helm changes.

### helm binding changes

- `cmd/main.go`, `input/method.go`: `ProcessResource`/`ProcessSource` → `runtime.Typed`
- `digest/digest.go`: `ProcessResourceDigest` → `runtime.Typed`; single `ConvertCredentials` call replaces two separate conversions
- `repository/resource/resource_repository.go`: `DownloadResource`/`UploadResource` → `runtime.Typed`; `var _ repository.ResourceRepository` assertion restored
- `transformation/get_helm_chart.go`: use upstream typed `ResourceRepository` interface; delete `transformation/credentials.go`
- `spec/credentials/v1/convert.go`: new `ConvertCredentials(runtime.Typed) (*HelmHTTPCredentials, *OCICredentials, error)`, a single scheme-based conversion returning both types
- `spec/credentials/scheme.go`: package-level `Scheme` for helm credentials
- `spec/credentials/v1/helm_credentials.go`: remove deprecated exported constants and `FromDirectCredentials` (now private)
- `go.mod`: `plugin` → v0.0.16, `blob` → v0.0.13, `repository` → v0.0.9; no replace directives

## Test plan

- [ ] `cd bindings/go/helm && go build ./... && go test ./...` (cmd/* requires `task build` for plugin binary)
- [ ] `grep -rn "map\[string\]string" bindings/go/helm/` returns no credential parameter usages

Refs: #1047

Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
…3.1 [security] (#2606)

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [github.com/containerd/containerd/v2](https://redirect.github.com/containerd/containerd) | indirect | patch | `v2.3.0` → `v2.3.1` | [scorecard](https://securityscorecards.dev/viewer/?uri=github.com/containerd/containerd) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/331) for more information.

---

### containerd user ID handling bypass allows runAsNonRoot evasion

[CVE-2026-46680](https://nvd.nist.gov/vuln/detail/CVE-2026-46680) / [GHSA-fqw6-gf59-qr4w](https://redirect.github.com/advisories/GHSA-fqw6-gf59-qr4w)

<details>
<summary>More information</summary>

#### Details

##### Impact

A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes `runAsNonRoot` restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

##### Patches

This bug has been fixed in the following containerd versions:

* 2.3.1
* 2.2.4
* 2.0.9
* 1.7.32

Note: The containerd 2.1 release has reached its [end of life](https://containerd.io/releases/#current-state-of-containerd-releases) and a fixed version is not provided.

Users should update to these versions to resolve the issue.

##### Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric `runAsUser` in the Kubernetes Pod `securityContext` overrides the `USER` directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce `runAsNonRoot` properly regardless of this bug.

##### Credits

The containerd project would like to thank Lei Wang (@ssst0n3) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md).

##### Resources

* GHSA-265r-hfxg-fhmg (CVE-2024-40635)

##### For more information

If there are any questions or comments about this advisory:

* Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose)
* Send an email to [security@containerd.io](mailto:security@containerd.io)

To report a security issue in containerd:

* [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new)
* Send an email to [security@containerd.io](mailto:security@containerd.io)

#### Severity

- CVSS Score: 7.3 / 10 (High)
- Vector String: `CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`

#### References

- [https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w)
- [https://github.com/advisories/GHSA-fqw6-gf59-qr4w](https://redirect.github.com/advisories/GHSA-fqw6-gf59-qr4w)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-fqw6-gf59-qr4w) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>containerd/containerd (github.com/containerd/containerd/v2)</summary>

### [`v2.3.1`](https://redirect.github.com/containerd/containerd/releases/tag/v2.3.1): containerd 2.3.1

[Compare Source](https://redirect.github.com/containerd/containerd/compare/v2.3.0...v2.3.1)

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

##### Security Updates

- [**CVE-2026-46680**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w)

##### Highlights

- Fix bug where failed gRPC plugins were not tolerated when starting listeners ([#13390](https://redirect.github.com/containerd/containerd/pull/13390))

##### Image Storage

- Ensure metadata and mount plugin boltdb files are closed on server shutdown ([#13379](https://redirect.github.com/containerd/containerd/pull/13379))

##### Runtime

- Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups ([#13447](https://redirect.github.com/containerd/containerd/pull/13447))
- Fix sandbox task API endpoints for non-runc runtimes and deprecate task fields in Runc options ([#13422](https://redirect.github.com/containerd/containerd/pull/13422))
- Apply hardening to default seccomp socket policy by blocking AF\_ALG ([#13409](https://redirect.github.com/containerd/containerd/pull/13409))

##### Snapshotters

- Disable overlayfs "rebase" capability when running in user namespace ([#13394](https://redirect.github.com/containerd/containerd/pull/13394))
- Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable ([#13364](https://redirect.github.com/containerd/containerd/pull/13364))

Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>.

##### Contributors

- Maksym Pavlenko
- Akihiro Suda
- Derek McGowan
- Paweł Gronowski
- Brian Goff
- Austin Vazquez
- LEI WANG
- Samuel Karp

##### Changes

<details><summary>24 commits</summary>
<p>

- Prepare release notes for v2.3.1 ([#13405](https://redirect.github.com/containerd/containerd/pull/13405))
  - [`58af96519`](https://redirect.github.com/containerd/containerd/commit/58af9651939577f81969b387b6b2e2aed45ead7d) Prepare release notes for v2.3.1
  - [`8f0b3ca83`](https://redirect.github.com/containerd/containerd/commit/8f0b3ca83015873d643db246202b63b8384f14fd) Update api to v1.11.1
- oci: return explicit error for out-of-range USER values ([#13447](https://redirect.github.com/containerd/containerd/pull/13447))
  - [`a05ae7885`](https://redirect.github.com/containerd/containerd/commit/a05ae78850384eb24effbc597ebc5b19a5e4ba04) oci: return explicit error for out-of-range USER values
- Prepare release notes for api/v1.11.1 ([#13444](https://redirect.github.com/containerd/containerd/pull/13444))
  - [`da7aef299`](https://redirect.github.com/containerd/containerd/commit/da7aef299c57cc1f290700ade8fa0a5fec69a462) Prepare release notes for api/v1.11.1
- Fix sandbox task API endpoints for non-runc runtimes ([#13422](https://redirect.github.com/containerd/containerd/pull/13422))
  - [`5282d4e09`](https://redirect.github.com/containerd/containerd/commit/5282d4e09d3bc8b0957780caa7a4644fac7c86a7) Wire task address and version fields
  - [`e44f5f9ec`](https://redirect.github.com/containerd/containerd/commit/e44f5f9ec610d95a712d230e8a19ae516e0a26ac) protos: include task API address to CreateTaskRequest
- seccomp: Block AF\_ALG in default socket policy ([#13409](https://redirect.github.com/containerd/containerd/pull/13409))
  - [`4d80a31bf`](https://redirect.github.com/containerd/containerd/commit/4d80a31bf637bc15e83e50a15941bf5bb0cb3988) seccomp: Block AF\_ALG in default socket policy
  - [`2ed0d97b6`](https://redirect.github.com/containerd/containerd/commit/2ed0d97b6e58def34684a1bffc2ab6931182f221) seccomp: Document socket rule scope and socketcall limitation
- server: tolerate failed gRPC plugins when starting listeners ([#13390](https://redirect.github.com/containerd/containerd/pull/13390))
  - [`3a88fdde0`](https://redirect.github.com/containerd/containerd/commit/3a88fdde0c613e62415e61738e946b903f1bf32f) server: tolerate failed gRPC plugins when starting listeners
- overlay: disable "rebase" capability when running in UserNS ([#13394](https://redirect.github.com/containerd/containerd/pull/13394))
  - [`2be0710b8`](https://redirect.github.com/containerd/containerd/commit/2be0710b81b99f47aa4ef0fa2951cd69f80b7e19) overlay: disable "rebase" capability when running in UserNS
- Update Go to 1.26.3 ([#13374](https://redirect.github.com/containerd/containerd/pull/13374))
  - [`3b199c22b`](https://redirect.github.com/containerd/containerd/commit/3b199c22b13495bd442b32121c2015f301594387) Update Go to 1.26.3
- fix: close boltdb on metadata and mount plugin close ([#13379](https://redirect.github.com/containerd/containerd/pull/13379))
  - [`1d601271a`](https://redirect.github.com/containerd/containerd/commit/1d601271a73a649de465ed94fa973564211b7f46) fix: close boltdb on metadata and mount plugin close
- Fix optional EROFS differ setup in transfer plugin ([#13364](https://redirect.github.com/containerd/containerd/pull/13364))
  - [`d666d2e42`](https://redirect.github.com/containerd/containerd/commit/d666d2e4261da664a50c7b1663461747ba8ebb2e) Refactor transfer unpack configuration setup
  - [`ccc3bd7b9`](https://redirect.github.com/containerd/containerd/commit/ccc3bd7b90be7afce7a903391d2a34b83424c5e0) Fix optional transfer differ setup

</p>
</details>

##### Dependency Changes

- **github.com/containerd/containerd/api** v1.11.0 -> v1.11.1

Previous release can be found at [v2.3.0](https://redirect.github.com/containerd/containerd/releases/tag/v2.3.0)

##### Which file should I download?

- `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅ Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
- `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://redirect.github.com/opencontainers/runc/releases) and [CNI plugins](https://redirect.github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://redirect.github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

</details>

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - ""
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>
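The advisory above describes a parsing bug: a `USER` value made only of digits but too large for 32 bits fell through to a username lookup, and a passwd entry in the image could map that digit string to UID 0. The following Go program is an added illustration written for this page, not containerd's own code or the patch in #13447. It places the lenient lookup beside a strict variant that treats an all-digit `USER` as numeric only and returns an explicit error when it is out of range, plus a small pre-admission check an operator could run over image configs. The passwd content is constructed, the function names are hypothetical, and treating the UID range as unsigned 32-bit is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrUserNotFound is returned when neither numeric parsing nor passwd lookup resolves the user.
var ErrUserNotFound = errors.New("user not found in /etc/passwd")

// samplePasswd is a constructed /etc/passwd as an untrusted image might ship it:
// the second line maps an overflowing digit string to UID 0 (not a real image).
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
4294967296:x:0:0:alias-of-root:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
`

// lookupPasswdUID returns the UID of the passwd entry whose name field matches name.
func lookupPasswdUID(passwd, name string) (uint32, bool) {
	for _, line := range strings.Split(passwd, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) < 3 || fields[0] != name {
			continue
		}
		uid, err := strconv.ParseUint(fields[2], 10, 32)
		if err != nil {
			continue // malformed entry, ignore it
		}
		return uint32(uid), true
	}
	return 0, false
}

// isAllDigits reports whether s is non-empty and consists only of ASCII digits.
func isAllDigits(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// userPart strips an optional ":group" suffix from a USER directive ("1000:1000" -> "1000").
func userPart(user string) string {
	return strings.SplitN(user, ":", 2)[0]
}

// resolveUserLenient mirrors the behaviour the advisory describes: when the digit
// string does not fit in 32 bits, the failed parse silently becomes a username lookup.
func resolveUserLenient(user, passwd string) (uint32, error) {
	name := userPart(user)
	if uid, err := strconv.ParseUint(name, 10, 32); err == nil {
		return uint32(uid), nil
	}
	// Bug: an overflowing numeric value reaches the name-based lookup.
	if uid, ok := lookupPasswdUID(passwd, name); ok {
		return uid, nil
	}
	return 0, ErrUserNotFound
}

// resolveUserStrict never lets an all-digit value reach the passwd lookup: it is
// either a valid 32-bit UID or an explicit, non-recoverable error.
func resolveUserStrict(user, passwd string) (uint32, error) {
	name := userPart(user)
	if isAllDigits(name) {
		uid, err := strconv.ParseUint(name, 10, 32)
		if err != nil {
			return 0, fmt.Errorf("numeric USER %q is out of range for a 32-bit uid: %w", name, err)
		}
		return uint32(uid), nil
	}
	if uid, ok := lookupPasswdUID(passwd, name); ok {
		return uid, nil
	}
	return 0, ErrUserNotFound
}

// SuspiciousUserDirective flags a USER value that is all digits yet does not parse as a
// 32-bit uid; such a value has no legitimate use and is worth rejecting at admission time.
func SuspiciousUserDirective(user string) bool {
	name := userPart(user)
	if !isAllDigits(name) {
		return false
	}
	_, err := strconv.ParseUint(name, 10, 32)
	return err != nil
}

func main() {
	for _, u := range []string{"1000", "app", "4294967296:0"} {
		lu, lerr := resolveUserLenient(u, samplePasswd)
		su, serr := resolveUserStrict(u, samplePasswd)
		fmt.Printf("USER %-14q lenient=(%d,%v) strict=(%d,%v) suspicious=%v\n",
			u, lu, lerr, su, serr, SuspiciousUserDirective(u))
	}
}
```

With the constructed passwd, the lenient path resolves `4294967296` to UID 0 while the strict path refuses it, which is the difference between a container silently starting as root and an error that surfaces in the runtime logs. `SuspiciousUserDirective` is the kind of check that belongs in an image-admission or CI gate alongside the `runAsUser` workaround the advisory recommends.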
This PR contains the following updates:

| Package | Type | Update | Change | Pending | OpenSSF |
|---|---|---|---|---|---|
| [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | minor | [`25.8.0` → `25.9.0`](https://renovatebot.com/diffs/npm/@types%2fnode/25.8.0/25.9.0) | `25.9.1` | [scorecard](https://securityscorecards.dev/viewer/?uri=github.com/DefinitelyTyped/DefinitelyTyped) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/331) for more information.

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>