full diff: https://github.com/golang/crypto/compare/v0.44.0...v0.45.0
Hello gophers,
We have tagged version v0.45.0 of golang.org/x/crypto in order to address two
security issues.
This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a
vulnerability in the golang.org/x/crypto/ssh/agent package which could cause
programs to consume unbounded memory or panic respectively.
SSH servers parsing GSSAPI authentication requests don't validate the number of
mechanisms specified in the request, allowing an attacker to cause unbounded
memory consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58181 and Go issue https://go.dev/issue/76363.
SSH Agent servers do not validate the size of messages when processing new
identity requests, which may cause the program to panic if the message is
malformed due to an out of bounds read.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-47914 and Go issue https://go.dev/issue/76364.
Cheers, Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
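Both advisories above concern the same parsing shape: a uint32 count or length read from the peer and trusted before any allocation or slice. The following is an added example, not code from golang.org/x/crypto or from the fix itself; it parses an SSH wire-format sequence (uint32 count followed by length-prefixed strings) the defensive way, rejecting an oversized count before allocating and a string length beyond the buffer before reading. The `maxMechanisms` cap is an assumed value for illustration, not the limit the upstream fix uses.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxMechanisms bounds how many entries a peer may claim. The value is an
// assumption for this example, not the limit chosen by x/crypto.
const maxMechanisms = 64

var errMalformed = errors.New("malformed message")

// parseMechanisms reads "uint32 count, then count SSH strings" from buf.
// Every count and length is checked against the remaining bytes before it
// drives an allocation or a slice, so a hostile header cannot force an
// unbounded make() or an out-of-bounds read.
func parseMechanisms(buf []byte) ([][]byte, error) {
	if len(buf) < 4 {
		return nil, errMalformed
	}
	n := binary.BigEndian.Uint32(buf)
	buf = buf[4:]
	if n > maxMechanisms {
		return nil, fmt.Errorf("%d entries exceeds limit %d", n, maxMechanisms)
	}
	// Each entry needs at least its 4-byte length, so a count larger than
	// len(buf)/4 is provably bogus; reject it before make().
	if uint64(n)*4 > uint64(len(buf)) {
		return nil, errMalformed
	}
	out := make([][]byte, 0, n)
	for i := uint32(0); i < n; i++ {
		if len(buf) < 4 {
			return nil, errMalformed
		}
		l := binary.BigEndian.Uint32(buf)
		buf = buf[4:]
		if uint64(l) > uint64(len(buf)) {
			return nil, errMalformed // length claims more bytes than exist
		}
		out = append(out, buf[:l])
		buf = buf[l:]
	}
	if len(buf) != 0 {
		return nil, errMalformed // trailing garbage is a malformed message
	}
	return out, nil
}
```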
Manually enumerate the combinations ((plugin|standalone), (version))
so that we can assign a predictable name ("stable", "oldstable") and
prevent having to update the branch-protection rules for each update
to mark the tests as required.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit adds a new LoadProject method to the Compose service API,
allowing SDK users to programmatically load Compose projects with full
control over the loading process.
Changes:
1. New API method (pkg/api/api.go):
- LoadProject(ctx, ProjectLoadOptions) (*types.Project, error)
- ProjectLoadOptions struct with all loader configuration
- LoadListener callback for event notifications (metrics, etc.)
- ProjectOptionsFns field for compose-go loader options
2. Implementation (pkg/compose/loader.go):
- createRemoteLoaders: Git and OCI remote loader setup
- buildProjectOptions: Translates ProjectLoadOptions to compose-go options
- postProcessProject: Service filtering, labels, resource pruning
3. Unit test (pkg/compose/loader_test.go):
- Tests basic project loading functionality
- Verifies ProjectOptionsFns with cli.WithoutEnvironmentResolution
4. Mock update (pkg/mocks/mock_docker_compose_api.go):
- Added LoadProject to mock interface
Key design decisions:
- LoadListener pattern keeps metrics collection in CLI, not SDK
- ProjectOptionsFns exposes compose-go options directly (e.g., cli.WithInterpolation(false))
- Post-processing in SDK: labels, service filtering, resource pruning
- Environment resolution NOT in SDK (command responsibility)
- Compatibility mode handling (api.Separator)
Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
Got these when running locally on a more recent version of golangci-lint:
pkg/compose/build_bake.go:187:3: importShadow: shadow of imported from 'github.com/docker/cli/cli/command/image/build' package 'build' (gocritic)
build := *service.Build
^
pkg/compose/build_bake.go:526:19: importShadow: shadow of imported from 'github.com/docker/cli/cli/command/image/build' package 'build' (gocritic)
func toBakeAttest(build types.BuildConfig) []string {
^
pkg/compose/create.go:1453:2: importShadow: shadow of imported from 'github.com/docker/docker/api/types/network' package 'network' (gocritic)
network string,
^
pkg/compose/create.go:1468:2: importShadow: shadow of imported from 'github.com/docker/docker/api/types/network' package 'network' (gocritic)
network string,
^
pkg/compose/monitor.go:42:17: importShadow: shadow of imported from 'github.com/docker/compose/v2/pkg/api' package 'api' (gocritic)
func newMonitor(api client.APIClient, project string) *monitor {
^
cmd/compose/config.go:337:1: File is not properly formatted (gofumpt)
return
^
pkg/compose/convergence.go:608:1: File is not properly formatted (gofumpt)
return
^
pkg/compose/cp.go:335:1: File is not properly formatted (gofumpt)
return
^
pkg/e2e/compose_up_test.go:35:10: go-require: c.RunDockerComposeCmd contains assertions that must only be used in the goroutine running the test function (testifylint)
res := c.RunDockerComposeCmd(t, "-f", "fixtures/dependencies/deps-completed-successfully.yaml", "--project-name", projectName, "up", "--wait", "-d")
^
pkg/e2e/healthcheck_test.go:42:10: go-require: c.RunDockerComposeCmd contains assertions that must only be used in the goroutine running the test function (testifylint)
res := c.RunDockerComposeCmd(t, "-f", "fixtures/start_interval/compose.yaml", "--project-name", projectName, "up", "--wait", "-d", "test")
^
10 issues:
* gocritic: 5
* gofumpt: 3
* testifylint: 2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>