build(deps): bump github.com/moby/sys/user to v0.4.1#13893
Pull request overview
Updates the github.com/moby/sys/user dependency used by Compose to incorporate upstream fixes (notably around safer user/group lookup and database parsing limits) by bumping the module from v0.4.0 to v0.4.1.
Changes:
- Bump github.com/moby/sys/user to v0.4.1 in go.mod (indirect dependency).
- Update go.sum checksums to match the new module version.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates the indirect requirement for github.com/moby/sys/user to v0.4.1. |
| go.sum | Refreshes sums for github.com/moby/sys/user v0.4.1 and removes v0.4.0 entries. |
docker-agent
left a comment
Assessment: 🟢 APPROVE
This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1 — a targeted security patch.
Changes reviewed:
- go.mod: Single version line updated (v0.4.0→v0.4.1), marked // indirect as expected.
- go.sum: Hash entries updated to match the new version.
No issues found. The version bump is consistent between go.mod and go.sum, and the upstream release addresses two security vulnerabilities (DoS via unbounded parsing of user/group database files per GHSA-mjcv-p78q-w5fw, and numeric username fallback similar to CVE-2026-46680).
docker-agent
left a comment
Assessment: 🟢 APPROVE
This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1 (indirect dependency). The change is correct and self-consistent — the version in go.mod is updated and go.sum hashes are updated accordingly.
The upstream release (v0.4.1) addresses two security issues:
- GHSA-mjcv-p78q-w5fw: Prevents possible DoS via unbounded parsing of user/group database files
- CVE-2026-46680: Prevents falling back to looking up numeric usernames
No logic, compatibility, or correctness issues are introduced by this dependency bump. No inline findings.
docker-agent
left a comment
Assessment: 🟢 APPROVE
This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1, patching two security vulnerabilities:
- GHSA-mjcv-p78q-w5fw: DoS via unbounded parsing of user/group database files
- CVE-2026-46680 / GHSA-fqw6-gf59-qr4w: prevent falling back to looking up numeric usernames as string identifiers
The diff is limited to a single version string change in go.mod and the corresponding hash update in go.sum. No logic, API, or behavioral changes are introduced by this repository. No issues found.
docker-agent
left a comment
Assessment: 🟢 APPROVE
This PR bumps github.com/moby/sys/user from v0.4.0 to v0.4.1 to address two security advisories:
- GHSA-mjcv-p78q-w5fw: DoS via unbounded parsing of user/group database files
- CVE-2026-46680 / GHSA-fqw6-gf59-qr4w: Numeric username lookup fallback vulnerability
The diff is a minimal, mechanical version-string update in go.mod (and corresponding go.sum hash). No application logic, error handling, or data flows are modified. No issues introduced by this change were found.
docker-agent
left a comment
Assessment: 🟢 APPROVE
This is a clean, minimal security dependency bump — github.com/moby/sys/user v0.4.0 → v0.4.1 — that addresses two security advisories:
- GHSA-mjcv-p78q-w5fw: DoS via unbounded parsing of /etc/passwd and /etc/group
- CVE-2026-46680 (GHSA-fqw6-gf59-qr4w): Numeric username fallback prevention (similar issue as in containerd)
The patch-level semver bump is API-compatible, the indirect dependency declaration is correct, and no other files are affected. No bugs or regressions introduced by the changed lines.
ugh, the DCO check didn't trigger; let me try close/reopen
Codecov Report: ✅ All modified and coverable lines are covered by tests.
- user: prevent possible DoS via unbounded parsing of user and group database files in GHSA-mjcv-p78q-w5fw. This fixes a similar issue as CVE-2026-47262 in containerd.
- user: prevent falling back to looking up numeric usernames. Improve handling of numeric user/group to prevent looking up numeric values as usernames. This fixes a similar issue as [CVE-2026-46680] in containerd.
- user: update minimum go version to go1.18
- assorted testing and linting fixes.

[CVE-2026-46680]: GHSA-fqw6-gf59-qr4w

full diff: moby/sys@user/v0.4.0...user/v0.4.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diff: moby/sys@user/v0.4.0...user/v0.4.1
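The two hardening behaviours named in the release notes above (bounded parsing of the user database, and never treating a numeric user spec as a username), shown as an added Go illustration; this is not moby/sys/user's code and not part of this PR. The limit maxLineLen, the SamplePasswd data, the User type and the ParsePasswd/LookupUser functions are all constructed for this example.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// maxLineLen is a constructed limit for this example, not moby/sys/user's own value.
const maxLineLen = 4096
// SamplePasswd is constructed test data: a user literally named "1000" whose
// UID is 1001, next to alice whose UID is 1000.
const SamplePasswd = "root:x:0:0:root:/root:/bin/bash\n# comment\n1000:x:1001:1001::/home/weird:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/bash\n"

type User struct { // one passwd entry; only the fields this example needs
	Name string
	UID  int
}

// ParsePasswd reads "name:x:uid:..." lines (skipping comments, malformed lines and non-numeric
// UIDs); a line of maxLineLen bytes or more fails with bufio.ErrTooLong instead of growing the buffer.
func ParsePasswd(data string) ([]User, error) {
	sc := bufio.NewScanner(strings.NewReader(data))
	sc.Buffer(make([]byte, 0, maxLineLen), maxLineLen) // cap per-line buffer growth
	var users []User
	for sc.Scan() {
		if f := strings.Split(sc.Text(), ":"); len(f) >= 3 && !strings.HasPrefix(f[0], "#") {
			if uid, err := strconv.Atoi(f[2]); err == nil {
				users = append(users, User{Name: f[0], UID: uid})
			}
		}
	}
	if err := sc.Err(); err != nil { // bufio.ErrTooLong for an over-long line
		return nil, err
	}
	return users, nil
}

// LookupUser matches a numeric spec only against the UID column (keeping it as a bare
// UID when no entry has it), never against Name: the fallback the advisory describes.
func LookupUser(spec string, users []User) (User, bool) {
	uid, err := strconv.Atoi(spec) // err == nil: spec is numeric
	for _, u := range users {
		if (err == nil && u.UID == uid) || (err != nil && u.Name == spec) {
			return u, true
		}
	}
	return User{UID: uid}, err == nil // a numeric spec with no entry is still a UID
}
```

With the sample data, LookupUser("1000", users) returns alice (UID 1000), not the account literally named "1000", and a passwd line of maxLineLen bytes or more makes ParsePasswd fail instead of buffering it.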