Skip to content

chore(deps): drop explicit docker/docker pin#584

Closed
dorothyyzh wants to merge 1 commit into
masterfrom
fix/drop-docker-docker-2026-05-13
Closed

chore(deps): drop explicit docker/docker pin#584
dorothyyzh wants to merge 1 commit into
masterfrom
fix/drop-docker-docker-2026-05-13

Conversation

@dorothyyzh
Copy link
Copy Markdown
Contributor

@dorothyyzh dorothyyzh commented May 13, 2026

Summary

  • Drops the explicit github.com/docker/docker v28.5.2+incompatible // indirect pin from go.mod
  • Runs go mod tidy so MVS resolves dependencies naturally without the explicit pin
  • Resolves CVE-2026-33997 and CVE-2026-34040 by removing the vulnerable docker/docker dependency

Background

PR#581 already migrated gormx from docker/docker to moby/moby/api. However, go.mod on master still had the explicit docker/docker pin because go-bus and ratelimiter transitively required older versions of it, and go mod tidy had pinned it explicitly.

After dropping the explicit pin and running go mod tidy, docker/docker no longer appears in go.mod at all, confirming no direct or transitive dependency requires it.

Test plan

  • go mod edit -droprequire github.com/docker/docker — removes the explicit pin
  • go mod tidy — completes without re-adding docker/docker
  • grep "docker/docker" go.mod — returns nothing (dependency is gone)
  • go build ./... — passes with no errors

🤖 Generated with Claude Code

@claude
chore(deps): drop explicit docker/docker pin, resolves CVE-2026-33997
e98352a 
…and CVE-2026-34040

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dorothyyzh dorothyyzh closed this May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dorothyyzh