
build: bump runc to v1.2.8 #10791

Open

rloomba wants to merge 1 commit into lightningnetwork:master from rloomba:rloomba/bump-runc

Conversation

@rloomba

@rloomba rloomba commented May 5, 2026

Change Description

Bump github.com/opencontainers/runc to v1.2.8 in the root, sqldb, and sqldb/v2 modules.

This updates runc to the patched version for the following CVEs:

Steps to Test

Run the following compile-only checks:

go test -run '^$' ./batch ./invoices ./chainparams ./payments/db ./payments/db/migration1 ./graph/db ./graph/db/migration1

cd sqldb
go test -run '^$' ./...

cd sqldb/v2
go test -run '^$' ./...

Pull Request Checklist

Testing

  • Your PR passes all CI checks.
  • Tests covering the positive and negative (error paths) are included.
  • Bug fixes contain tests triggering the bug to prevent regressions.

Code Style and Documentation

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a security-focused dependency update, primarily targeting the runc library to mitigate identified vulnerabilities. It ensures that the project's container runtime dependencies are patched and brings other related modules up to date to maintain overall project health and security posture.

Highlights

  • Security Update: Bumped github.com/opencontainers/runc to v1.2.8 to address CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881.
  • Dependency Management: Updated various dependencies across root, sqldb, and sqldb/v2 modules, including urfave/cli, sirupsen/logrus, and golang.org/x/net.
  • Documentation: Added a note regarding the runc security update to the release notes for 0.22.0.

@github-actions github-actions Bot added the severity-high Requires knowledgeable engineer review label May 5, 2026
@github-actions

github-actions Bot commented May 5, 2026

🟠 PR Severity: HIGH

Automated classification | 7 files | 83 lines changed

🟠 High (4 files)
  • sqldb/go.mod - dependency update for sqldb module (sqldb/*)
  • sqldb/go.sum - lockfile for sqldb module dependencies (sqldb/*)
  • sqldb/v2/go.mod - dependency update for sqldb/v2 module (sqldb/*)
  • sqldb/v2/go.sum - lockfile for sqldb/v2 module dependencies (sqldb/*)
🟡 Medium (2 files)
  • go.mod - root module dependency update
  • go.sum - root module lockfile update
🟢 Low (1 file)
  • docs/release-notes/release-notes-0.22.0.md - release notes documentation

Analysis

This PR updates Go module dependencies, primarily for the sqldb and sqldb/v2 submodules along with the root module. The sqldb/* path maps to the HIGH severity tier per classification rules, as it covers database-related packages used for persistent storage.

The changes are dependency/lockfile updates (go.mod/go.sum), which are typically low-risk in isolation, but dependency changes to the sqldb module warrant knowledgeable review to ensure no regressions are introduced in the database layer. A reviewer should verify that the updated dependencies do not introduce breaking API changes or known vulnerabilities.

No bump rules triggered: 7 files (threshold: >20), 83 lines changed (threshold: >500), and no multiple distinct critical packages touched.

To override, add a severity-override-{critical,high,medium,low} label.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates several dependencies, primarily runc to v1.2.8 to address security vulnerabilities. Other updates include logrus, go-systemd, and urfave/cli. Feedback was provided questioning the validity of the 2025 CVE years mentioned in the release notes.

## Code Health

* Updated `github.com/opencontainers/runc` to `v1.2.8`, which includes
fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881.
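Review bot: this release-notes entry overstates the exposure for lnd users. As the thread itself notes, runc reaches lnd only through the dockertest-based Postgres test harness, not through runtime code, so either drop the entry or reword it as a test-dependency hygiene bump rather than a fix to lnd. The identifiers themselves read as consistent: the PR is dated May 2026, so 2025-series CVE IDs are past-year IDs, not future ones.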

high

The CVE years appear to be incorrect. CVEs are typically assigned for the current year or past years, but 2025 is in the future. Please verify the correct CVE numbers for this runc update.

@rloomba
Author

rloomba commented May 12, 2026


Hi @bhandras, any thoughts on this PR?

@lightninglabs-deploy
Collaborator

@rloomba, remember to re-request review from reviewers when ready

Collaborator

@bhandras bhandras left a comment


Can you pls bump runc in kvdb too?
LGTM, thank you!

@bhandras
Collaborator

bhandras commented Jun 4, 2026

Needs rebase.

@rloomba rloomba force-pushed the rloomba/bump-runc branch from 8b2a9c8 to 87edd50 Compare June 5, 2026 16:05
@rloomba
Author

rloomba commented Jun 5, 2026

Can you pls bump runc in kvdb too? LGTM, thank you!

addressed in 87edd50

@rloomba rloomba requested a review from bhandras June 5, 2026 16:07
@bhandras bhandras requested a review from ziggie1984 June 5, 2026 16:09
Collaborator

@ziggie1984 ziggie1984 left a comment


Had some style comments and please drop the release notes, it creates unnecessary noise for the user.

Can you also next time describe how you analyse these vulnerabilities, basically which tool you used. Moreover can you also next time evaluate the severity of this so the reviewer knows immediately how to treat this vulnerability bump.

Analysis of the vulnerability:

GO-2025-4098 / CVE-2025-52881 is a runc bug where a malicious container setup with shared mounts can race /proc writes, potentially causing container escape or DoS. In LND it is pulled in through dockertest for the Postgres test fixture, which starts a fixed postgres:11 container configuration. LND does not use this in normal runtime code, so realistic exposure is limited to someone influencing the test container/image or Docker environment.

Govulncheck analysis:

govulncheck ./...

Before the bump it reports vulnerable github.com/opencontainers/runc; after runc v1.2.8, GO-2025-4098 disappears. Use the default symbol scan for relevance; -scan=module is broader and noisier.
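The module-coverage question raised in this thread (runc bumped in root, sqldb and sqldb/v2, then kvdb as well) is easy to check mechanically. The program below is an added example written for this page, not lnd's code: it parses go.mod bodies and lists every module whose runc requirement is still below v1.2.8. The go.mod contents in sampleMods are constructed sample data (module names and versions are assumptions, not the repository's real files), and govulncheck remains the tool for the actual vulnerability verdict; this only confirms the bump reached each module.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod bodies standing in for the lnd modules touched by this
// PR (root, sqldb) and kvdb, which the review asked to be bumped as well.
// These are sample inputs for the example, not the repository's real files.
var sampleMods = map[string]string{
	"root": `module github.com/lightningnetwork/lnd

go 1.23

require (
	github.com/opencontainers/runc v1.2.8 // indirect
	github.com/sirupsen/logrus v1.9.3
)
`,
	"sqldb": `module github.com/lightningnetwork/lnd/sqldb

go 1.23

require (
	github.com/opencontainers/runc v1.2.8 // indirect
	github.com/ory/dockertest/v3 v3.11.0
)

require github.com/kr/pretty v0.3.1 // indirect
`,
	"kvdb": `module github.com/lightningnetwork/lnd/kvdb

go 1.23

require github.com/opencontainers/runc v1.1.14 // indirect
`,
}

const runcPath = "github.com/opencontainers/runc"
const minRunc = "v1.2.8" // the patched release this PR moves to

// requiredVersion returns the version modPath is required at in a go.mod
// body, or "" if it is not required. It handles both `require (...)` blocks
// and single-line `require path vN` directives, and ignores trailing
// comments such as `// indirect`.
func requiredVersion(gomod, modPath string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) != 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) == 2 && fields[0] == modPath {
			return fields[1]
		}
	}
	return ""
}

// parseSemver extracts MAJOR, MINOR, PATCH from "vX.Y.Z". Any pre-release or
// pseudo-version suffix after the patch number is ignored, which is an
// assumption that is acceptable when comparing against a plain release tag.
func parseSemver(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		n, _ := strconv.Atoi(strings.SplitN(p, "-", 2)[0])
		out[i] = n
	}
	return out
}

// semverLess reports whether version a sorts before version b.
func semverLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Outdated returns the sorted "name (version)" entries of modules that
// require modPath below minVer. Modules that do not require modPath at all
// are not reported: there is nothing to bump in them.
func Outdated(mods map[string]string, modPath, minVer string) []string {
	var out []string
	for name, body := range mods {
		if v := requiredVersion(body, modPath); v != "" && semverLess(v, minVer) {
			out = append(out, name+" ("+v+")")
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, m := range Outdated(sampleMods, runcPath, minRunc) {
		fmt.Printf("still below %s: %s\n", minRunc, m)
	}
}
```

With the constructed inputs only kvdb is reported, mirroring the review request above; pointing sampleMods at real go.mod files read from disk turns this into a pre-push check that complements the govulncheck run.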

Comment thread sqldb/v2/go.mod Outdated
modernc.org/sqlite v1.38.2
)

require github.com/kr/pretty v0.3.1 // indirect
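Review bot: `require github.com/kr/pretty v0.3.1 // indirect` is a stray one-line require block sitting outside the main block. Running `go mod tidy` in sqldb/v2 folds indirect requirements into the module's existing require blocks and keeps the file in the layout the rest of the module already uses.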
Collaborator


Why is this in its own block? Let's move it to the other dependencies so it looks prettier.

## Code Health

* Updated `github.com/opencontainers/runc` to `v1.2.8`, which includes
Collaborator


I think we should drop the release notes entry for this bump. The affected dependency is pulled in through the Docker-based SQL/Postgres test harness (dockertest), not through normal lnd runtime behavior. So while bumping runc is fine dependency hygiene, listing it in the user-facing release notes may imply that the main lnd software itself was meaningfully affected by these CVEs, which is not the case

Comment thread go.mod Outdated
)

require github.com/btcsuite/btcd/v2transport v1.0.1 // indirect
require (
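Review bot: same stray one-line block here, `require github.com/btcsuite/btcd/v2transport v1.0.1 // indirect` wedged between the closing `)` and the next `require (`; `go mod tidy` at the root folds it in. Since runc is reached through dockertest rather than lnd runtime code, the root bump is hygiene; confirm it with `govulncheck ./...` at the root so GO-2025-4098 no longer appears, as the thread already expects.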
Collaborator


Let's move this block also to the other direct dependencies.

@rloomba rloomba force-pushed the rloomba/bump-runc branch from 87edd50 to 55b362e Compare June 6, 2026 05:28
@rloomba rloomba requested a review from ziggie1984 June 6, 2026 05:29

Labels

severity-high Requires knowledgeable engineer review


4 participants