build(deps): update all dependencies updates

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
docker/setup-qemu-action	action	minor	v3.6.0 -> v3.7.0
github.com/opencontainers/runc	replace	patch	v1.3.2 -> v1.3.3
github.com/testcontainers/testcontainers-go/modules/k3s	require	minor	v0.39.0 -> v0.40.0
go (source)	toolchain	patch	1.25.3 -> 1.25.4
kubewarden/github-actions	action	patch	v4.5.13 -> v4.5.15
sigs.k8s.io/controller-runtime	require	patch	v0.22.3 -> v0.22.4

---

Release Notes

docker/setup-qemu-action (docker/setup-qemu-action)

v3.7.0

Compare Source

• Bump @​docker/actions-toolkit from 0.56.0 to 0.67.0 in #​217 #​230
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​220
• Bump form-data from 2.5.1 to 2.5.5 in #​218
• Bump tmp from 0.2.3 to 0.2.4 in #​221
• Bump undici from 5.28.4 to 5.29.0 in #​219

Full Changelog: docker/setup-qemu-action@v3.6.0...v3.7.0

opencontainers/runc (github.com/opencontainers/runc)

v1.3.3: runc v1.3.3 -- "奴らに支配されていた恐怖を"

Compare Source

[!NOTE]
Some vendors were given a pre-release version of this release.
This public release includes two extra patches to fix regressions
discovered very late during the embargo period and were thus not
included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Security

• CVE-2025-31133 exploits an issue with how masked paths are implemented in
  runc. When masking files, runc will bind-mount the container's /dev/null
  inode on top of the file. However, if an attacker can replace /dev/null
  with a symlink to some other procfs file, runc will instead bind-mount the
  symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to
  CVE-2025-31133, except that it exploits a flaw in /dev/console
  bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n),
  if an attacker replaces /dev/pts/$n with a symlink then runc will
  bind-mount the symlink target over /dev/console. This issue affected all
  versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921,
  which was a flaw that allowed an attacker to trick runc into writing the LSM
  process labels for a container process into a dummy tmpfs file and thus not
  apply the correct LSM labels to the container process. The mitigation we
  applied for CVE-2019-19921 was fairly limited and effectively only caused
  runc to verify that when we write LSM labels that those labels are actual
  procfs files. This issue affects all known runc versions.

Added

• runc update now supports configuring per-device weights and iops. (#​4775,
  #​4807, #​4825, #​4931)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

---

Thanks to the following contributors for making this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Kir Kolyshkin [email protected]
• Lei Wang <ssst0n3@​gmail.com>
• Li Fubang [email protected]
• Rodrigo Campos [email protected]
• Tõnis Tiigi [email protected]

Signed-off-by: Aleksa Sarai [email protected]

testcontainers/testcontainers-go (github.com/testcontainers/testcontainers-go/modules/k3s)

v0.40.0

Compare Source

What's Changed

⚠️ Breaking Changes

• chore(redpanda)!: use Run function (#​3430) @​mdelapenya
• chore(rabbitmq)!: use Run function (#​3428) @​mdelapenya
• chore(opensearch)!: use Run function (#​3423) @​mdelapenya
• chore(elasticsearch)!: use Run function (#​3407) @​mdelapenya
• chore(etcd)!: use Run function (#​3409) @​mdelapenya

The below modules receive a breaking change in the signature of their functional options, as now all of them return an error when needed (returning nil for success). Therefore, you're only affected when assigning the options to variables.

• Old: type Option func(*options)
• New: type Option func(*options) error

🚀 Features

• feat(azure): add cosmosdb module (#​3452) @​natsoman
• feat(azure): reduce time/memory by running specific sub-services (#​3451) @​NathanBaulch

🐛 Bug Fixes

• fix(udp): expose UDP ports properly (#​3485) @​blueprismo
• fix(compose): update to docker compose v2.40.2 and use api.Compose interface (#​3456) @​mdelapenya
• fix(surrealdb): use true as value for WithAllowAllCaps option (#​3436) @​mdelapenya
• fix: use path.Join instead of url.JoinPath when prepending a custom registry to an image (#​3308) @​fedorkanin

📖 Documentation

• docs: add AI coding agent guidelines (#​3446) @​mdelapenya
• docs(mssql): describe MSSQL issue with negative certificates (#​3417) @​mdelapenya

🧹 Housekeeping

• feat(wait): add human-readable String() methods to all wait strategies (#​3461) @​mdelapenya
• chore: enable prealloc linter and address issues (#​3458) @​NathanBaulch
• chore(dockermcpgateway): skip testable example as it's not deterministic (#​3457) @​mdelapenya
• fix(azurite): fix lint (#​3453) @​mdelapenya
• chore: fix "Redpanda" copy-paste comment everywhere (#​3450) @​NathanBaulch
• chore: remove redundant wait.ForAll everywhere (#​3449) @​NathanBaulch
• chore(couchbase|etcd|firestore|mcpgateway|eventhubs|servicebus): apply consistent pattern for options (#​3447) @​mdelapenya
• chore(modulegen): use Run function when generating modules (#​3445) @​mdelapenya
• chore(vault): use Run function (#​3443) @​mdelapenya
• chore(valkey): use Run function (#​3440) @​mdelapenya
• chore(yugabytedb): use Run function (#​3444) @​mdelapenya
• chore(weaviate): use Run function (#​3442) @​mdelapenya
• chore(vearch): use Run function (#​3441) @​mdelapenya
• chore(toxiproxy): use Run function (#​3435) @​mdelapenya
• chore(clickhouse|k6|localstack|redpanda|registry|socat): use Run in tests (#​3432) @​mdelapenya
• chore(surrealdb): use Run function (#​3434) @​mdelapenya
• chore(scylladb): use Run function (#​3433) @​mdelapenya
• chore(registry): use Run function (#​3431) @​mdelapenya
• chore(redis): use Run function (#​3429) @​mdelapenya
• chore(qdrant): use Run function (#​3427) @​mdelapenya
• chore(pulsar): use Run function (#​3426) @​mdelapenya
• chore(postgres): use Run function (#​3425) @​mdelapenya
• chore(pinecone): use Run function (#​3424) @​mdelapenya
• chore(openldap): use Run function (#​3422) @​mdelapenya
• chore(openfga): use Run function (#​3421) @​mdelapenya
• chore(ollama): use Run function (#​3420) @​mdelapenya
• chore(neo4j): use Run function (#​3419) @​mdelapenya
• chore(nats): use Run function (#​3418) @​mdelapenya
• chore(mysql): use Run function (#​3416) @​mdelapenya
• chore(meilisearch|memcached|milvus|minio|mockserver|mssql): use Run function (#​3415) @​mdelapenya
• chore(k6|localstack|kafka|mariadb): use Run function (#​3414) @​mdelapenya
• chore(inbucket|influxdb|mongodb|k3s): use Run function (#​3413) @​mdelapenya
• chore(grafana): use Run function (#​3412) @​mdelapenya
• chore(gcloud): use Run function (#​3411) @​mdelapenya
• chore(milvus): update Milvus SDK to new module (#​3408) @​Juneezee
• chore(dynamodb): use Run function (#​3406) @​mdelapenya
• chore(dolt): use Run function (#​3405) @​mdelapenya
• chore(dind): use Run function (#​3403) @​mdelapenya
• chore(docker): fix error messages (#​3404) @​mdelapenya
• chore(couchbase): use Run function (#​3401) @​mdelapenya
• chore(databend): use Run function (#​3402) @​mdelapenya
• fix(openldap): use bitnamilegacy images (#​3400) @​mdelapenya
• chore(consul): use Run function (#​3327) @​mdelapenya
• chore(cockroachDB): use Run function (#​3326) @​mdelapenya
• chore(clickhouse): use Run function (#​3325) @​mdelapenya
• chore(chroma): use Run function (#​3324) @​mdelapenya
• chore(cassandra): use Run function (#​3321) @​mdelapenya
• chore(azurite): use Run function (#​3318) @​mdelapenya
• chore(artemis): use Run function (#​3320) @​mdelapenya
• chore(arangodb): use Run function (#​3319) @​mdelapenya
• chore: update relative-path-mode to "gitroot" in golangci configuration (#​3317) @​mmorel-35
• chore: enable govet linter (#​3315) @​mmorel-35
• chore(socat): use Run function (#​3312) @​mdelapenya
• chore(aerospike): use Run function (#​3311) @​mdelapenya
• chore: use Run in more tests (part 4) (#​3309) @​mdelapenya
• chore: use Run function (part 3) (#​3307) @​mdelapenya
• chore: use Run function (part 2) (#​3305) @​mdelapenya
• chore: use the Run funcion in tests and docs (part 1) (#​3304) @​mdelapenya

📦 Dependency updates

• chore(deps): bump amannn/action-semantic-pull-request from 5.5.3 to 6.1.1 (#​3328) @​dependabot[bot]
• chore(deps): bump golang.org/x/sys from 0.36.0 to 0.37.0 and golang.org/x/crypto from 0.42.0 to 0.43.0 (#​3465) @​dependabot[bot]
• chore(deps): bump github.com/docker/docker from 28.3.3+incompatible to 28.5.1+incompatible (#​3464) @​dependabot[bot]
• chore(deps): bump mkdocs-include-markdown-plugin from 7.1.6 to 7.2.0 (#​3463) @​dependabot[bot]
• chore(deps): bump actions/setup-go from 5.4.0 to 6.0.0 (#​3462) @​dependabot[bot]
• fix(compose): update to docker compose v2.40.2 and use api.Compose interface (#​3456) @​mdelapenya
• chore(deps): bump mkdocs-include-markdown-plugin from 7.1.6 to 7.1.8 (#​3455) @​dependabot[bot]
• chore(deps): bump slackapi/slack-github-action from 2.0.0 to 2.1.1 (#​3329) @​dependabot[bot]
• chore(deps): bump github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0 (#​3333) @​dependabot[bot]
• chore(deps): bump golang.org/x/crypto from 0.37.0 to 0.42.0 (#​3332) @​dependabot[bot]
• chore(deps): bump mkdocs-include-markdown-plugin from 7.1.6 to 7.2.0 (#​3330) @​dependabot[bot]
• chore(deps): bump github.com/stretchr/testify from 1.10 to 1.11.1 (#​3399) @​mdelapenya
• chore(deps): bump mkdocs-include-markdown-plugin from 7.1.6 to 7.1.8 (#​3322) @​dependabot[bot]

golang/go (go)

v1.25.4

kubewarden/github-actions (kubewarden/github-actions)

v4.5.15

Compare Source

🧰 Maintenance

• chore(deps): Consume kwctl 1.30 in kwctl-installer (#​251)

v4.5.14

Compare Source

🐛 Bug Fixes

• fix: Use --bundle when signing with cosign v3 (#​250)

kubernetes-sigs/controller-runtime (sigs.k8s.io/controller-runtime)

v0.22.4

Compare Source

What's Changed

• ✨ cache: Allow fine-granular SyncPeriod configuration by @​k8s-infra-cherrypick-robot in #​3378
• 🐛 Update List in namespaced client to list objects that are cluster scoped by @​k8s-infra-cherrypick-robot in #​3352 #​3357
• 🐛 priority queue: properly sync the waiter manipulation by @​alvaroaleman in #​3371
• 🐛 envtest: respect pre-configured binary paths in ControlPlane by @​k8s-infra-cherrypick-robot in #​3377

Full Changelog: kubernetes-sigs/controller-runtime@v0.22.3...v0.22.4

---

Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 10 additional dependencies were updated

Details:

Package	Change
github.com/docker/docker	v28.3.3+incompatible -> v28.5.1+incompatible
github.com/testcontainers/testcontainers-go	v0.39.0 -> v0.40.0
golang.org/x/crypto	v0.41.0 -> v0.43.0
golang.org/x/mod	v0.27.0 -> v0.28.0
golang.org/x/net	v0.43.0 -> v0.45.0
golang.org/x/sync	v0.16.0 -> v0.17.0
golang.org/x/sys	v0.36.0 -> v0.37.0
golang.org/x/term	v0.34.0 -> v0.36.0
golang.org/x/text	v0.28.0 -> v0.30.0
golang.org/x/tools	v0.36.0 -> v0.37.0

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.19%. Comparing base (2e7dfc6) to head (77b60ee).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1238      +/-   ##
==========================================
+ Coverage   74.10%   74.19%   +0.09%     
==========================================
  Files          30       30              
  Lines        3306     3306              
==========================================
+ Hits         2450     2453       +3     
+ Misses        690      688       -2     
+ Partials      166      165       -1     

Flag	Coverage Δ
integration-tests	59.56% <ø> (+0.09%)	⬆️
unit-tests	60.46% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.