chore(deps): bump testcontainers-go to drop vulnerable docker/docker SDK #114
Merged
richardwooding merged 2 commits into main, Apr 27, 2026
Conversation
Upgrades testcontainers-go (and the postgres/mysql/gcloud modules) from v0.40.0 to v0.42.0. The new releases use github.com/moby/moby/client instead of github.com/docker/docker, removing the SDK from our dependency graph entirely.

Resolves the long-standing Security workflow failures in govulncheck:
- GO-2026-4887: Moby AuthZ plugin bypass on oversized request bodies
- GO-2026-4883: Moby HTTP request smuggling

Both vulns had "Fixed in: N/A" in github.com/docker/docker — the upstream moby/moby project moved the client to a separate module which has the fix. v0.42.0 of testcontainers-go follows that move.

Side effects of `go mod tidy`:
- golang.org/x/net v0.50.0 → v0.53.0 (silences GO-2026-4559)
- Various indirect deps refreshed to current minor/patch versions (gopsutil, klauspost/compress, otel, ebitengine/purego, etc.)

govulncheck (Go 1.26.1 local): zero called vulns in our code or dependencies. Remaining matches are stdlib functions inside indirect deps that our code doesn't reach.
Pull request overview
This PR updates Go dependencies (primarily testcontainers-go) to remove the legacy github.com/docker/docker module from the dependency graph, addressing govulncheck findings tied to vulnerabilities that are not fixed in that legacy module.
Changes:
- Bump `github.com/testcontainers/testcontainers-go` and its `gcloud`, `mysql`, and `postgres` modules from `v0.40.0` to `v0.42.0`.
- Refresh indirect dependencies via `go mod tidy`, including updating `golang.org/x/net` to `v0.53.0`.
- Remove `github.com/docker/docker@v28.5.2+incompatible` from `go.mod`/`go.sum` and replace with the newer `github.com/moby/moby/*` client modules pulled in by `testcontainers-go`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates direct testcontainers-go module versions and refreshes indirect dependency versions, removing github.com/docker/docker from the dependency list. |
| go.sum | Updates module checksums to match the new dependency graph, including removal of github.com/docker/docker sums and addition of github.com/moby/moby/* sums. |
Resolves the remaining OSV Scanner failures:
- Go 1.25.7 → 1.25.9 (in `go` directive). Fixes 6 stdlib vulns: GO-2026-4601, 4602, 4865 (html/template), 4869 (archive/tar), 4870 (crypto/tls), 4946 / 4947 (crypto/x509). All have `Fixed in: 1.25.9`. CI workflows already use `go-version: 1.25.x` with `check-latest: true`, so they'll pick up 1.25.9 automatically once go.mod allows it.
- jackc/pgx/v5 5.8.0 → 5.9.2. Fixes GHSA-j88v-2chj-qfwx (called). Also clears the two uncalled pgx vulns reported by osv-scanner (GO-2026-4771, GO-2026-4772 in earlier 5.x).
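The two messages above rely on the same pair of facts being true in `go.mod` after the merge: the `go` directive is at or above the stdlib fix version (1.25.9) and the legacy `github.com/docker/docker` module is gone from the require list. Scanners such as govulncheck and osv-scanner report this after the fact; the following added example (not part of this PR or of the project's code) shows a small pre-merge check that reads a `go.mod` directly. The two `go.mod` fragments are constructed for the example, modelled on the versions named in the PR; the `github.com/moby/moby/client` version in the "after" fragment is a placeholder, not the real pinned version.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragments (not the project's real files), modelled on the
// pre-merge and post-merge states described in the PR.
const beforeGoMod = `module example.com/demo

go 1.25.7

require (
	github.com/jackc/pgx/v5 v5.8.0
	github.com/testcontainers/testcontainers-go v0.40.0
)

require github.com/docker/docker v28.5.2+incompatible // indirect
`

const afterGoMod = `module example.com/demo

go 1.25.9

require (
	github.com/jackc/pgx/v5 v5.9.2
	github.com/testcontainers/testcontainers-go v0.42.0
	github.com/moby/moby/client v0.0.0 // indirect; placeholder version for the example
)
`

// parseGoMod returns the go directive version and every required module path.
// It handles both the single-line and the block form of `require`; trailing
// comments such as `// indirect` are stripped before tokenising.
func parseGoMod(src string) (goVersion string, requires []string) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock:
			requires = append(requires, fields[0])
		case fields[0] == "go" && len(fields) == 2:
			goVersion = fields[1]
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			requires = append(requires, fields[1])
		}
	}
	return goVersion, requires
}

// versionAtLeast compares dotted numeric Go versions component-wise, so that
// "1.25.10" is newer than "1.25.9" (a plain string compare gets this wrong)
// and a missing patch component counts as 0 ("1.25" < "1.25.9").
func versionAtLeast(have, want string) bool {
	h := strings.Split(have, ".")
	w := strings.Split(want, ".")
	for i := 0; i < len(h) || i < len(w); i++ {
		hv, wv := 0, 0
		if i < len(h) {
			hv, _ = strconv.Atoi(h[i])
		}
		if i < len(w) {
			wv, _ = strconv.Atoi(w[i])
		}
		if hv != wv {
			return hv > wv
		}
	}
	return true
}

// CheckGoMod returns one finding per policy violation: a go directive below
// minGo, or any required module equal to (or a sub-path of) a banned path.
// An empty result means the go.mod passes.
func CheckGoMod(src, minGo string, banned []string) []string {
	var findings []string
	goVersion, requires := parseGoMod(src)
	if goVersion == "" || !versionAtLeast(goVersion, minGo) {
		findings = append(findings, fmt.Sprintf("go directive %q is below required %s", goVersion, minGo))
	}
	for _, mod := range requires {
		for _, b := range banned {
			if mod == b || strings.HasPrefix(mod, b+"/") {
				findings = append(findings, "banned module still required: "+mod)
			}
		}
	}
	return findings
}

func main() {
	banned := []string{"github.com/docker/docker"}
	fmt.Println("before:", CheckGoMod(beforeGoMod, "1.25.9", banned))
	fmt.Println("after: ", CheckGoMod(afterGoMod, "1.25.9", banned))
}
```

The check only looks at `go.mod`, so it is a cheap guard for a pre-commit hook or a CI step, not a replacement for govulncheck: the module graph that actually ships is what `go list -m all` reports, and an indirect dependency can re-introduce the legacy module without appearing in `go.mod`'s direct `require` lines until the next `go mod tidy`.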
Summary

The Security workflow has been red on `main` for weeks because govulncheck flags two unfixed vulnerabilities in `github.com/docker/docker@v28.5.2+incompatible` (GO-2026-4887 Moby AuthZ bypass, GO-2026-4883 HTTP request smuggling). Both have `Fixed in: N/A` because moby/moby moved the client out of the legacy `github.com/docker/docker` module into a new `github.com/moby/moby/client` module — the legacy module is in maintenance.

`testcontainers-go` v0.42.0 (released after our v0.40.0 pin) follows that move. Bumping it removes `docker/docker` from our dependency graph entirely; govulncheck stops flagging those vulns.

- `testcontainers-go` v0.40.0 → v0.42.0 (and the `postgres`, `mysql`, `gcloud` submodules)
- `golang.org/x/net` v0.50.0 → v0.53.0 (silences GO-2026-4559 along the way)
- `go mod tidy` (otel, gopsutil, klauspost/compress, etc.)

Verification

- `go build ./...` clean
- `golangci-lint run` clean
- `go test -short -race ./...` — same Docker-dependent integration tests skip as before; all unit tests pass
- `govulncheck ./...` — `docker/docker` no longer appears in the report; remaining matches are Go stdlib symbols inside indirect deps that our code does not call (toolchain-version sensitive — CI's pinned `1.25.x` already passed unit tests on this branch)

Test plan

- Go Vulnerability Check and OSV Security Scan

🤖 Generated with Claude Code