chore(deps): update module github.com/docker/cli to v29 [security] by NumaryBot · Pull Request #135 · formancehq/auth

NumaryBot · 2026-03-24T02:58:33Z

This PR contains the following updates:

Package	Type	Update	Change
github.com/docker/cli	indirect	major	`v27.3.1+incompatible` -> `v29.2.0+incompatible`

Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli

BIT-docker-cli-2025-15558 / CVE-2025-15558 / GHSA-p436-gjf2-799p / GO-2026-4610

More information

Details

Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

docker/cli (github.com/docker/cli)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

NumaryBot · 2026-03-24T02:58:36Z

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

2 additional dependencies were updated

Details:

Package	Change
`github.com/Azure/go-ansiterm`	`v0.0.0-20230124172434-306776ec8161` -> `v0.0.0-20250102033503-faa5f7b0171c`
`github.com/moby/term`	`v0.5.0` -> `v0.5.2`

coderabbitai · 2026-03-24T02:59:40Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2c3b921c-00d1-4ce0-a4d6-b13aea9997bc

📥 Commits

Reviewing files that changed from the base of the PR and between 5bba068 and a982204.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

go.mod

📝 Walkthrough

Walkthrough

This pull request updates indirect Go module requirements in go.mod, adjusting versions and adding/removing transitive dependencies (Docker, Moby, containerd, distribution, YAML-related modules). No exported APIs or source files were modified.

Changes

Cohort / File(s)	Summary
Go Module Dependencies `go.mod`	Updated indirect dependency versions (e.g., `github.com/Azure/go-ansiterm`, `github.com/docker/cli`, `github.com/docker/docker`, `github.com/moby/term`); added indirect modules `github.com/containerd/errdefs` (and `/pkg`), `github.com/distribution/reference`, `github.com/moby/moby/api`, `github.com/moby/moby/client`, `go.yaml.in/yaml/v3`; removed `github.com/gogo/protobuf` and `gopkg.in/yaml.v2`. No code or public APIs changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibbled lines of go.mod bright,
Swapped some modules in the night,
Added friends, let others hop away,
All tidy now — I twitch and play,
Dependencies snug, the tree's just right! 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: updating github.com/docker/cli to v29, with security context. It is specific, concise, and clearly identifies the primary modification in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/major-security

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 173: The go.mod now contains a transitive, non-canonical YAML import
(go.yaml.in/yaml/v3 v3.0.4) introduced via
github.com/docker/cli/cli/compose/loader (pulled by
github.com/ory/dockertest/v3) which causes a mismatch with the direct
gopkg.in/yaml.v3 v3.0.1; resolve this by either updating or pinning the
docker/cli dependency (or dockertest) to a version that uses the canonical
gopkg.in/yaml.v3 import, or add a replace directive in go.mod to unify
go.yaml.in/yaml/v3 to gopkg.in/yaml.v3 at the desired version so both import
paths resolve to the same yaml v3.x module.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 74360a1c-1739-4200-a1f5-3f25df1846da

📥 Commits

Reviewing files that changed from the base of the PR and between 2794752 and 5bba068.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

go.mod

go.mod

NumaryBot added the security label Mar 24, 2026

NumaryBot enabled auto-merge (squash) March 24, 2026 02:58

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

go.mod Show resolved Hide resolved

chore(deps): update module github.com/docker/cli to v29 [security]

a982204

NumaryBot force-pushed the renovate/major-security branch from 5bba068 to a982204 Compare March 26, 2026 03:01

flemzord approved these changes Mar 27, 2026

View reviewed changes

NumaryBot merged commit 713060b into main Mar 27, 2026
6 checks passed

NumaryBot deleted the renovate/major-security branch March 27, 2026 14:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update module github.com/docker/cli to v29 [security]#135

chore(deps): update module github.com/docker/cli to v29 [security]#135
NumaryBot merged 1 commit intomainfrom
renovate/major-security

NumaryBot commented Mar 24, 2026 •

edited

Loading

Uh oh!

NumaryBot commented Mar 24, 2026

Uh oh!

coderabbitai bot commented Mar 24, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

coderabbitai bot left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

NumaryBot commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli

Details

Severity

References

Release Notes

Configuration

Uh oh!

NumaryBot commented Mar 24, 2026

ℹ Artifact update notice

File name: go.mod

Uh oh!

coderabbitai bot commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

NumaryBot commented Mar 24, 2026 •

edited

Loading

coderabbitai bot commented Mar 24, 2026 •

edited

Loading