🌱 bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible

[mboersma]

What this PR does / why we need it:

Bumps github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible.

Dependabot will probably get around to this, but I wanted to update it because it's problematic for CAPZ incorporating CAPI v1.7.0-beta.0. Docker becomes an indirect import in CAPZ, and then our dependency checker fails:

Which issue(s) this PR fixes:

See GHSA-mq39-4gv4-mvpx
See kubernetes-sigs/cluster-api-provider-azure#4646

/area dependency
/area security

[mboersma]

/cc @nawazkh

[nawazkh]

Thank you for identifying this @mboersma
/cc @kubernetes-sigs/cluster-api-release-team This should have been fixed by dependabot, do we know why it was missed?

[nawazkh]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: b5fda7c1f69f27af4cf3e4ff150a5be7d994ca5a

[killianmuldoon]

/lgtm

[nawazkh]

Thank you for identifying this @mboersma /cc @kubernetes-sigs/cluster-api-release-team This should have been fixed by dependabot, do we know why it was missed?

I did a high-level triage. I don't see anything blocking Dependabot on fixing this CVE(as per dependabot's config at the root/.github folder). As Matt said, dependabot would have come around this eventually to fix the CVE.

[kranurag7]

@mboersma thank you for the patch, we had the same alert via dependabot on an infra provider repository. Is there a reason not to directly update to 26.0.0 in this case.

This should have been fixed by dependabot, do we know why it was missed?

I think this is a repository settings and maybe we don't have it enabled for this repository.

Details

[sbueringer]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sbueringer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cahillsf]

@sbueringer 👋 you see any issues with backporting this to release-1.5 and release-1.6 branches to address the failing security scans? https://github.com/kubernetes-sigs/cluster-api/actions/runs/8419719374/job/23052938757

[sbueringer]

No that's fine, might need manual cherry-picks though

[sbueringer]

/cherry-pick release-1.6

[sbueringer]

/cherry-pick release-1.5

[k8s-infra-cherrypick-robot]

@sbueringer: #10302 failed to apply on top of branch "release-1.6":

Applying: (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
Using index info to reconstruct a base tree...
M	hack/tools/go.mod
M	hack/tools/go.sum
M	test/go.mod
M	test/go.sum
Falling back to patching base and 3-way merge...
Auto-merging test/go.sum
CONFLICT (content): Merge conflict in test/go.sum
Auto-merging test/go.mod
CONFLICT (content): Merge conflict in test/go.mod
Auto-merging hack/tools/go.sum
CONFLICT (content): Merge conflict in hack/tools/go.sum
Auto-merging hack/tools/go.mod
CONFLICT (content): Merge conflict in hack/tools/go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: #10302 failed to apply on top of branch "release-1.5":

Applying: (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
Using index info to reconstruct a base tree...
M	hack/tools/go.mod
M	hack/tools/go.sum
M	test/go.mod
M	test/go.sum
Falling back to patching base and 3-way merge...
Auto-merging test/go.sum
CONFLICT (content): Merge conflict in test/go.sum
Auto-merging test/go.mod
CONFLICT (content): Merge conflict in test/go.mod
Auto-merging hack/tools/go.sum
CONFLICT (content): Merge conflict in hack/tools/go.sum
Auto-merging hack/tools/go.mod
CONFLICT (content): Merge conflict in hack/tools/go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

@cahillsf Let's try to stay on the same docker major version when we open PRs for 1.6 & 1.5