
Update containerd, docker, moby, and opencontainers dependencies #3812

Merged
dims merged 1 commit into google:master from dims:update-container-dependencies
Jan 14, 2026

Conversation

dims (Collaborator) commented Jan 14, 2026

Updated dependencies:

  • containerd/containerd/api: v1.9.0 -> v1.10.0 (2025-11-05)
  • docker/docker: v28.3.3 -> v28.5.2 (2025-11-05)
  • moby/term: pseudo-version -> v0.5.2 (2025-01-02)
  • opencontainers/runc: v1.3.3 -> v1.4.0 (2025-11-27)
  • opencontainers/runtime-spec: v1.2.1 -> v1.3.0 (2025-11-04)

Security fixes (docker v28.5.2, runc v1.4.0):

Notable changes:

runc v1.4.0:

  • Deprecates cgroup v1
  • Breaking: pids.limit=0 now treated as actual limit (per OCI spec)
  • New iocost statistics for cgroupv2
  • Supports OCI runtime-spec v1.3

containerd API v1.10.0:

  • New mount manager service for filesystem lifecycle management
  • Parallel unpack capability for image distribution
  • Aligns with containerd 2.2 release

runtime-spec v1.3.0:

  • Adds FreeBSD specification support
  • Intel RDT, memory policies, network devices additions

Updated dependencies:
- containerd/containerd/api: v1.9.0 -> v1.10.0 (2025-11-05)
- docker/docker: v28.3.3 -> v28.5.2 (2025-11-05)
- moby/term: pseudo-version -> v0.5.2 (2025-01-02)
- opencontainers/runc: v1.3.3 -> v1.4.0 (2025-11-27)
- opencontainers/runtime-spec: v1.2.1 -> v1.3.0 (2025-11-04)

Security fixes (docker v28.5.2, runc v1.4.0):
- CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: container breakout
  vulnerabilities via symlink exploitation in masked paths and LSM
  label handling. All three allow full container escape.

Notable changes:

runc v1.4.0:
- Deprecates cgroup v1
- Breaking: pids.limit=0 now treated as actual limit (per OCI spec)
- New iocost statistics for cgroupv2
- Supports OCI runtime-spec v1.3

containerd API v1.10.0:
- New mount manager service for filesystem lifecycle management
- Parallel unpack capability for image distribution
- Aligns with containerd 2.2 release

runtime-spec v1.3.0:
- Adds FreeBSD specification support
- Intel RDT, memory policies, network devices additions

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
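As an added example (not code from this PR or the project), a small check that a consumer's go.mod pins each module named above at or above the fixed versions from this update. The go.mod content is constructed for illustration; the github.com/... paths are the standard Go module paths of the five modules listed in the description.

```python
import re

# Minimum versions taken from the PR description above.
MIN_VERSIONS = {
    "github.com/containerd/containerd/api": "v1.10.0",
    "github.com/docker/docker": "v28.5.2",
    "github.com/moby/term": "v0.5.2",
    "github.com/opencontainers/runc": "v1.4.0",
    "github.com/opencontainers/runtime-spec": "v1.3.0",
}

# Constructed sample go.mod (not the project's real file); the pseudo-version hash is fake.
SAMPLE_GO_MOD = """\
module example.com/consumer

go 1.24

require (
    github.com/containerd/containerd/api v1.9.0
    github.com/docker/docker v28.5.2+incompatible
    github.com/moby/term v0.0.0-20221205130635-0123456789ab // indirect
    github.com/opencontainers/runtime-spec v1.3.0
)

require github.com/opencontainers/runc v1.3.3
"""

REQ_LINE = re.compile(r"^(\S+)\s+(v\S+)$")


def parse_requires(go_mod: str) -> dict:
    """Return {module path: version} from single-line and block require directives."""
    deps, in_block = {}, False
    for line in go_mod.splitlines():
        stripped = line.split("//", 1)[0].strip()  # drop "// indirect" style comments
        if not stripped:
            continue
        if stripped == "require (":
            in_block = True
            continue
        if in_block and stripped == ")":
            in_block = False
            continue
        if stripped.startswith("require "):
            stripped = stripped[len("require "):]
        elif not in_block:
            continue  # module, go, replace, exclude lines are not requirements
        m = REQ_LINE.match(stripped)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def version_key(v: str) -> tuple:
    """Sort key for Go module versions: +incompatible is ignored, pre-releases and
    pseudo-versions (vX.Y.Z-<date>-<hash>) sort just below the release they precede."""
    core = v.lstrip("v").split("+", 1)[0]
    base, _, pre = core.partition("-")
    return tuple(int(x) for x in base.split(".")) + ((-1,) if pre else (0,))


def outdated(go_mod: str) -> dict:
    """Modules pinned below the fixed version, as {module: (have, need)}."""
    have = parse_requires(go_mod)
    return {m: (have[m], need) for m, need in MIN_VERSIONS.items()
            if m in have and version_key(have[m]) < version_key(need)}
```

Run against a real go.mod, a non-empty result means the build still pulls a version older than the ones this PR moves to, and those modules should be bumped before the CVE fixes apply.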
@dims dims requested a review from iwankgb January 14, 2026 15:06
@dims dims merged commit cb7b871 into google:master Jan 14, 2026
9 checks passed
