chore(deps): bump the go_modules group across 1 directory with 9 updates

[dependabot]

Bumps the go_modules group with 9 updates in the / directory:

Package	From	To
github.com/babylonlabs-io/babylon/v4	4.0.0	4.2.0
github.com/docker/docker	25.0.6+incompatible	25.0.13+incompatible
github.com/go-viper/mapstructure/v2	2.2.1	2.4.0
github.com/golang-jwt/jwt/v4	4.5.1	4.5.2
github.com/hashicorp/go-getter	1.7.8	1.7.9
github.com/jackc/pgx/v5	5.3.1	5.5.4
github.com/opencontainers/runc	1.1.14	1.2.8
github.com/ulikunitz/xz	0.5.11	0.5.14
golang.org/x/crypto	0.41.0	0.45.0

Updates github.com/babylonlabs-io/babylon/v4 from 4.0.0 to 4.2.0

Release notes

Sourced from github.com/babylonlabs-io/babylon/v4's releases.

v4.2.0

🚀 Overview

Version v4.2.0

📄 Changelog

You can view the complete changelog here

🏗️ Binaries

If you prefer to build from source, use the following commands:

git clone https://github.com/babylonlabs-io/babylon.git
cd babylon
git checkout v4.2.0
# Only use the below command for mainnet
make build
# Only use the below command for testnet
BABYLON_BUILD_OPTIONS="testnet" make build

🐳 Docker Image

Image	Description
babylonlabs/babylond:v4.2.0	Mainnet image
babylonlabs/babylond:v4.2.0-testnet	Testnet image

v4.1.0

What's Changed

• fix(vote-ext): add unkown fields check (backport GHSA-2fcv-qww3-9v6h) by @​GAtom22 in babylonlabs-io/babylon#1873
• crypto: ensure BIP-322 signatures are using SIGHASH_ALL or SIGHASH_DEFAULT by @​SebastianElvis in https://github.com/babylonlabs-io/babylon/tree/6e8bdd328a47343fcd7ad98d1b0c7267860b019a

Full Changelog: babylonlabs-io/babylon@v4.0.0...v4.1.0

Changelog

Sourced from github.com/babylonlabs-io/babylon/v4's changelog.

v4.2.0

Bug Fixes

• GHSA-m6wq-66p2-c8pc fix: nil check of block hash in vote extension
• GHSA-4rmq-mc2c-r495 Fix conditional logic in AfterBtcDelegationUnbonded hook

v4.1.0

Bug fixes

• GHSA-2fcv-qww3-9v6h Add unkown fields check on vote extension validation
• GHSA-xq4h-wqm2-668w crypto: ensure BIP-322 signatures are using SIGHASH_ALL or SIGHASH_DEFAULT

Commits

• e65c3a5 chore: backport sec adv costk (#1890)
• f79ad58 chore: backport sec adv blk (#1889)
• 0b17a7f Bump reusable workflows version (#1859) (#1872)
• 6e8bdd3 Merge commit from fork
• fd0e8fa fix(vote-ext): add unkown fields check (backport GHSA-2fcv-qww3-9v6h) (#1873)
• See full diff in compare view

Updates github.com/docker/docker from 25.0.6+incompatible to 25.0.13+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v25.0.13

25.0.13

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.13 milestone
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Prevent restoration of iptables rules for deleted networks and containers on firewalld reload. moby/moby#50445
• Fix Swarm services becoming unreachable from published ports after a firewalld reload. moby/moby#50445
• Improve the reliability of the Swarm overlay network control plane by fixing longstanding issues with NetworkDB. moby/moby#50511
• Improve the reliability of Swarm overlay container networks by fixing longstanding issues with the overlay network driver. moby/moby#50551

v25.0.12

25.0.12

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.12 milestone
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50203
• Fix an issue which made DNS service discovery for Swarm services unreliable. moby/moby#50230

Packaging updates

• Update Go toolchain to go1.23.9. moby/moby#50053

v25.0.11

25.0.11

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.11 milestone
• Changes to the Engine API, see API version history.

Networking

• [25.0] Backport network fixes by @​dperny in moby/moby#50005

Known Issues

• Some Swarm services are not discoverable over DNS moby/moby#50129

Full Changelog: moby/moby@v25.0.10...v25.0.11

v25.0.10

25.0.10

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

... (truncated)

Commits

• 165516e Merge pull request #50551 from corhere/backport-25.0/libn/all-the-overlay-fixes
• f099e91 libnetwork: handle coalesced endpoint events
• bace1b8 libnetwork/d/overlay: handle coalesced peer updates
• f9e5429 libn/d/win/overlay: dedupe NetworkDB definitions
• fc3df55 libn/d/overlay: extract hashable address types
• b22872a libnetwork/driverapi: make EventNotify optional
• c7e17ae libn/networkdb: report prev value in update events
• d60c71a libnetwork/d/overlay: fix logical race conditions
• ad54b8f libn/d/overlay: fix encryption race conditions
• 8075689 libn/d/overlay: inline secMapWalk into only caller
• Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.4.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

• refactor: replace interface{} with any by @​sagikazarmark in go-viper/mapstructure#115
• build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by @​dependabot[bot] in go-viper/mapstructure#114
• Generic tests by @​sagikazarmark in go-viper/mapstructure#118
• Fix godoc reference link in README.md by @​peczenyj in go-viper/mapstructure#107
• feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by @​ErfanMomeniii in go-viper/mapstructure#117
• feat: add back previous StringToSlice as a weak function by @​sagikazarmark in go-viper/mapstructure#119

New Contributors

• @​ErfanMomeniii made their first contribution in go-viper/mapstructure#117

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in go-viper/mapstructure#46
• build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in go-viper/mapstructure#47
• [enhancement] Add check for reflect.Value in ComposeDecodeHookFunc by @​mahadzaryab1 in go-viper/mapstructure#52
• build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot in go-viper/mapstructure#51
• build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @​dependabot in go-viper/mapstructure#50
• build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot in go-viper/mapstructure#55
• build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot in go-viper/mapstructure#58
• ci: add Go 1.24 to the test matrix by @​sagikazarmark in go-viper/mapstructure#74
• build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by @​dependabot in go-viper/mapstructure#72
• build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in go-viper/mapstructure#76
• build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot in go-viper/mapstructure#78
• feat: add decode hook for netip.Prefix by @​tklauser in go-viper/mapstructure#85
• Updates by @​sagikazarmark in go-viper/mapstructure#86
• build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by @​dependabot in go-viper/mapstructure#87
• build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in go-viper/mapstructure#93
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by @​dependabot in go-viper/mapstructure#92
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by @​dependabot in go-viper/mapstructure#97
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot in go-viper/mapstructure#96
• Update README.md by @​peczenyj in go-viper/mapstructure#90
• Add omitzero tag. by @​Crystalix007 in go-viper/mapstructure#98
• Use error structs instead of duplicated strings by @​m1k1o in go-viper/mapstructure#102
• build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @​dependabot in go-viper/mapstructure#101
• feat: add common error interface by @​sagikazarmark in go-viper/mapstructure#105
• update linter by @​sagikazarmark in go-viper/mapstructure#106
• Feature allow unset pointer by @​rostislaved in go-viper/mapstructure#80

New Contributors

• @​tklauser made their first contribution in go-viper/mapstructure#85
• @​peczenyj made their first contribution in go-viper/mapstructure#90
• @​Crystalix007 made their first contribution in go-viper/mapstructure#98
• @​rostislaved made their first contribution in go-viper/mapstructure#80

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

Commits

• b9794a5 Merge pull request #119 from go-viper/string-to-weak-slice
• 17cdcb0 feat: add back previous StringToSlice as a weak function
• 3caca36 Merge pull request #117 from ErfanMomeniii/main
• 9a861bc Merge pull request #107 from peczenyj/patch-2
• 86ed5b5 refactor: update
• ace5b4e chore: add interface any linter
• 1a4f1ae Merge pull request #118 from go-viper/generic-tests
• a268909 fix: lint
• 17f1fd4 test: add more comments
• b48c856 test: expand tests
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

Commits

• 2f0e9ad Backporting 0951d18 to v4
• See full diff in compare view

Updates github.com/hashicorp/go-getter from 1.7.8 to 1.7.9

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.9

What's Changed

• Speed up XZ decompression by 5x with bufio wrapper by @​vsarunas in hashicorp/go-getter#520
• Fix CI Workflow by @​mohanmanikanta2299 in hashicorp/go-getter#522
• test: Remove use of "mitchellh/go-testing-interface" for stdlib by @​jrasell in hashicorp/go-getter#523
• fix: url redact of multiple sshkey by @​dduzgun-security in hashicorp/go-getter#528
• Publish arm binaries by @​sethvargo in hashicorp/go-getter#525
• fix errcheck lint errors and run it as part of pr checks by @​abhijeetviswa in hashicorp/go-getter#530
• fix additional lint errors and increase linter scope by @​abhijeetviswa in hashicorp/go-getter#531
• IND-3728 enabling dependabot by @​KaushikiAnand in hashicorp/go-getter#529
• fix: go-getter subdir paths by @​dduzgun-security in hashicorp/go-getter#540

New Contributors

• @​vsarunas made their first contribution in hashicorp/go-getter#520
• @​jrasell made their first contribution in hashicorp/go-getter#523
• @​sethvargo made their first contribution in hashicorp/go-getter#525
• @​abhijeetviswa made their first contribution in hashicorp/go-getter#530
• @​KaushikiAnand made their first contribution in hashicorp/go-getter#529

Full Changelog: hashicorp/go-getter@v1.7.8...v1.7.9

Commits

• e702211 Merge pull request #532 from hashicorp/dependabot/github_actions/actions-8948...
• df0a14f [chore] : Bump the actions group with 8 updates
• 87541b2 fix: go-getter subdir paths (#540)
• 3713030 [Compliance] - PR Template Changes Required
• af2dd3c Merge pull request #529 from hashicorp/dependabot-intge
• bf52629 updating dependabot.yml
• 1f63e10 changelog added, updated dependabot.yaml
• 45af459 fix additional lint errors and increase linter scope
• c8c6aba fix errcheck lint errors and run it as part of pr checks
• 9b76f98 copywrite header added
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.3.1 to 5.5.4

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.5.4 (March 4, 2024)

Fix CVE-2024-27304

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Thanks to Paul Gerste for reporting this issue.

• Fix behavior of CollectRows to return empty slice if Rows are empty (Felix)
• Fix simple protocol encoding of json.RawMessage
• Fix *Pipeline.getResults should close pipeline on error
• Fix panic in TryFindUnderlyingTypeScanPlan (David Kurman)
• Fix deallocation of invalidated cached statements in a transaction
• Handle invalid sslkey file
• Fix scan float4 into sql.Scanner
• Fix pgtype.Bits not making copy of data from read buffer. This would cause the data to be corrupted by future reads.

5.5.3 (February 3, 2024)

• Fix: prepared statement already exists
• Improve CopyFrom auto-conversion of text-ish values
• Add ltree type support (Florent Viel)
• Make some properties of Batch and QueuedQuery public (Pavlo Golub)
• Add AppendRows function (Edoardo Spadolini)
• Optimize convert UUID [16]byte to string (Kirill Malikov)
• Fix: LargeObject Read and Write of more than ~1GB at a time (Mitar)

5.5.2 (January 13, 2024)

• Allow NamedArgs to start with underscore
• pgproto3: Maximum message body length support (jeremy.spriet)
• Upgrade golang.org/x/crypto to v0.17.0
• Add snake_case support to RowToStructByName (Tikhon Fedulov)
• Fix: update description cache after exec prepare (James Hartig)
• Fix: pipeline checks if it is closed (James Hartig and Ryan Fowler)
• Fix: normalize timeout / context errors during TLS startup (Samuel Stauffer)
• Add OnPgError for easier centralized error handling (James Hartig)

5.5.1 (December 9, 2023)

• Add CopyFromFunc helper function. (robford)
• Add PgConn.Deallocate method that uses PostgreSQL protocol Close message.
• pgx uses new PgConn.Deallocate method. This allows deallocating statements to work in a failed transaction. This fixes a case where the prepared statement map could become invalid.
• Fix: Prefer driver.Valuer over json.Marshaler for json fields. (Jacopo)
• Fix: simple protocol SQL sanitizer previously panicked if an invalid $0 placeholder was used. This now returns an error instead. (maksymnevajdev)
• Add pgtype.Numeric.ScanScientific (Eshton Robateau)

5.5.0 (November 4, 2023)

... (truncated)

Commits

• da6f2c9 Update changelog
• c543134 SQL sanitizer wraps arguments in parentheses
• 20344df Check for overflow on uint16 sizes in pgproto3
• adbb38f Do not allow protocol messages larger than ~1GB
• c1b0a01 Fix behavior of CollectRows to return empty slice if Rows are empty
• 88dfc22 Fix simple protocol encoding of json.RawMessage
• 2e84dcc *Pipeline.getResults should close pipeline on error
• d149d3f Fix panic in TryFindUnderlyingTypeScanPlan
• 046f497 deallocateInvalidatedCachedStatements now runs in transactions
• 8896bd6 Handle invalid sslkey file
• Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.1.14 to 1.2.8

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

• CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

• CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

[1.4.0-rc.2] - 2025-10-10

私の役目は信じるかどうかではない。行うかどうかだ。

libcontainer API

• The deprecated libcontainer/userns package has been removed; use github.com/moby/sys/userns instead. (#4910, #4911)

Added

• Allow setting user.* sysctls for user-namespaced containers, as they are namespaced and thus safe to configure. (#4889, #4892)
• Add support for using clone3(2)'s CLONE_INTO_CGROUP flag when configuring the runc exec process. This also included some internal changes to how we add processes to containers. (#4822, #4812, #4920)
• Add support for configuring the NUMA pmemory policy for a container with set_mempolicy(2)opencontainers/runtime-spec#1282#4726, #4915)

... (truncated)

Commits

• eeb7e60 VERSION: release v1.2.8
• cdee962 merge private security patches into ghsa-release-1.2.8
• b4cb2f5 rootfs: re-allow dangling symlinks in mount targets
• ee56b85 openat2: improve resilience on busy systems
• 2462b68 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
• 99e41a5 ci: only run lint-extra job on PRs to main
• f2a1c98 CI: remove deprecated lima-vm/lima-actions/ssh
• 8f90185 selinux: use safe procfs API for labels
• 948d6e9 rootfs: switch to fd-based handling of mountpoint targets
• 7aa42ad libct: align param type for mountCgroupV1/V2 functions
• Additional commits viewable in compare view

Updates github.com/ulikunitz/xz from 0.5.11 to 0.5.14

Commits

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• 4f11dce Update README.md and SECURITY.md to address security questions
• f56ebbf TODO.md: fix a typo
• See full diff in compare view

Updates golang.org/x/crypto from 0.41.0 to 0.45.0

Commits

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.