Bump testcontainers-go to v0.42.0 to drop docker/docker#5449
Merged
Conversation
A vulnerability scan flagged github.com/docker/docker
v28.5.2+incompatible in the operator and proxy-runner images. That
module is deprecated as of Docker v29 (moby split it into
github.com/moby/moby/{client,api}), and the docker-v29.x tags cannot be
consumed via `go get`, so there is no newer module version to update
to. ToolHive's production code already imports moby/moby/{client,api};
docker/docker lingered only as a test-only indirect dependency of
testcontainers-go.
testcontainers-go v0.42.0 migrated off docker/docker onto
moby/moby/{client,api}. Bumping from v0.40.0 and running `go mod tidy`
removes docker/docker (and the now-orphaned morikuni/aec) from the
module graph entirely, clearing the finding at its source. No source
changes are required; the authserver/storage integration tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5449 +/- ##
==========================================
- Coverage 68.85% 68.85% -0.01%
==========================================
Files 634 634
Lines 64437 64437
==========================================
- Hits 44371 44368 -3
- Misses 16789 16790 +1
- Partials 3277 3279 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
github-actions
Bot
added
size/XS
ChrisJBurns
approved these changes
Jun 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A vulnerability scan flagged
github.com/docker/docker v28.5.2+incompatible. That module is deprecated as of Docker v29 (no newer Go-module version exists), and ToolHive already ships the newmoby/moby/{client,api}modules —docker/dockeronly lingered as a test-only indirect dep oftestcontainers-go.Bumping
testcontainers-gov0.40.0 → v0.42.0 (which itself migrated tomoby/moby/{client,api}) removesdocker/dockerfrom the graph entirely. No source changes.Type of change
Test plan
task test)pkg/authserver/storageintegration tests (-tags integration -race, the onlytestcontainers-goconsumer) against real Redis — all pass. Confirmeddocker/dockeris gone fromgo.mod/go.sum.Does this introduce a user-facing change?
No.
Generated with Claude Code