
build(deps): bump github.com/moby/sys/user to v0.4.1 #13893

Open

thaJeztah wants to merge 1 commit into docker:main from thaJeztah:bump_moby_user

Conversation

@thaJeztah (Member)
  • user: prevent possible DoS via unbounded parsing of user and group database files in GHSA-mjcv-p78q-w5fw. This fixes a similar issue as CVE-2026-47262 in containerd.
  • user: prevent falling back to looking up numeric usernames. Improve handling of numeric user/group to prevent looking up numeric values as usernames. This fixes a similar issue as CVE-2026-46680 in containerd.
  • user: update minimum go version to go1.18
  • assorted testing and linting fixes.

full diff: moby/sys@user/v0.4.0...user/v0.4.1


@thaJeztah thaJeztah requested a review from a team as a code owner July 2, 2026 13:44
@thaJeztah thaJeztah requested review from Copilot, glours and ndeloof July 2, 2026 13:44

Copilot AI (Contributor) left a comment

Pull request overview

Updates the github.com/moby/sys/user dependency used by Compose to incorporate upstream fixes (notably around safer user/group lookup and database parsing limits) by bumping the module from v0.4.0 to v0.4.1.

Changes:

  • Bump github.com/moby/sys/user to v0.4.1 in go.mod (indirect dependency).
  • Update go.sum checksums to match the new module version.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

  • go.mod: Updates the indirect requirement for github.com/moby/sys/user to v0.4.1.
  • go.sum: Refreshes sums for github.com/moby/sys/user v0.4.1 and removes v0.4.0 entries.

@docker-agent docker-agent (Contributor) left a comment

Assessment: 🟢 APPROVE

This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1 — a targeted security patch.

Changes reviewed:

  • go.mod: Single version line updated (v0.4.0 → v0.4.1), marked // indirect as expected.
  • go.sum: Hash entries updated to match the new version.

No issues found. The version bump is consistent between go.mod and go.sum, and the upstream release addresses two security vulnerabilities (DoS via unbounded parsing of user/group database files per GHSA-mjcv-p78q-w5fw, and numeric username fallback similar to CVE-2026-46680).

@docker-agent docker-agent (Contributor) left a comment

Assessment: 🟢 APPROVE

This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1 (indirect dependency). The change is correct and self-consistent — the version in go.mod is updated and go.sum hashes are updated accordingly.

The upstream release (v0.4.1) addresses two security issues:

  • GHSA-mjcv-p78q-w5fw: Prevents possible DoS via unbounded parsing of user/group database files
  • CVE-2026-46680: Prevents falling back to looking up numeric usernames

No logic, compatibility, or correctness issues are introduced by this dependency bump. No inline findings.

@docker-agent docker-agent (Contributor) left a comment

Assessment: 🟢 APPROVE

This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1, patching two security vulnerabilities:

The diff is limited to a single version string change in go.mod and the corresponding hash update in go.sum. No logic, API, or behavioral changes are introduced by this repository. No issues found.

@docker-agent docker-agent (Contributor) left a comment

Assessment: 🟢 APPROVE

This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1 to address two security advisories:

The diff is a minimal, mechanical version-string update in go.mod (and corresponding go.sum hash). No application logic, error handling, or data flows are modified. No issues introduced by this change were found.

@docker-agent docker-agent (Contributor) left a comment

Assessment: 🟢 APPROVE

This is a clean, minimal security dependency bump — github.com/moby/sys/user v0.4.0 → v0.4.1 — that addresses two security advisories:

The patch-level semver bump is API-compatible, the indirect dependency declaration is correct, and no other files are affected. No bugs or regressions introduced by the changed lines.

@thaJeztah (Member, Author)

ugh, the DCO check didn't trigger; let me try close/reopen

@thaJeztah thaJeztah closed this Jul 2, 2026
@thaJeztah thaJeztah reopened this Jul 2, 2026
@codecov codecov Bot commented Jul 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@thaJeztah (Member, Author)

Looks like the DCO bot may be borked 😞 I can try force-push to see if that unsettles it
(image: Screenshot 2026-07-02 at 16 58 46)

- user: prevent possible DoS via unbounded parsing of user and group
  database files in GHSA-mjcv-p78q-w5fw. This fixes a similar issue
  as CVE-2026-47262 in containerd.
- user: prevent falling back to looking up numeric usernames
  Improve handling of numeric user/group to prevent looking up numeric
  values as usernames. This fixes a similar issue as [CVE-2026-46680] in
  containerd.
- user: update minimum go version to go1.18
- assorted testing and linting fixes.

[CVE-2026-46680]: GHSA-fqw6-gf59-qr4w

full diff: moby/sys@user/v0.4.0...user/v0.4.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
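The two fixes the release notes above describe, bounded reading of the user database and never treating a numeric spec as a username to look up, sketched as an added Go example. This is illustrative code written for this page, not the implementation in moby/sys/user; the size cap and the passwd content used in the comments are constructed values.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"strconv"
	"strings"
)

// maxPasswdBytes caps how much of the user database is ever read. The value is
// chosen for this example; it is not the limit used by moby/sys/user.
const maxPasswdBytes = 1 << 16

// parsePasswd reads passwd lines (name:x:uid:gid:gecos:home:shell) into a name->uid
// map, reading at most maxPasswdBytes so an oversized file cannot stall the caller.
func parsePasswd(r io.Reader) (map[string]int, error) {
	lr := &io.LimitedReader{R: r, N: maxPasswdBytes}
	sc := bufio.NewScanner(lr) // default 64 KiB line buffer; longer lines error out
	users := map[string]int{}
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 7 || strings.HasPrefix(f[0], "#") {
			continue // skip comments and malformed lines
		}
		if uid, err := strconv.Atoi(f[2]); err == nil {
			users[f[0]] = uid
		}
	}
	if err := sc.Err(); err != nil || lr.N == 0 { // over-long line, or cap reached
		return nil, errors.New("user database too large or malformed")
	}
	return users, nil
}

// LookupUID resolves a user spec. An all-numeric spec is a UID and is returned without
// consulting the database, so "1000" is never retried as a user *named* "1000".
func LookupUID(spec string, db io.Reader) (int, error) {
	if uid, err := strconv.Atoi(spec); err == nil {
		return uid, nil
	}
	users, err := parsePasswd(db)
	if err != nil {
		return 0, err
	}
	if uid, ok := users[spec]; ok {
		return uid, nil
	}
	return 0, errors.New("unable to find user " + spec)
}
```

Refusing to answer once the cap is reached is deliberate: a partial database could otherwise resolve a name to the wrong entry or to nothing at all.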