Bump github.com/opencontainers/runc from 1.4.2 to 1.5.0

[dependabot]

Bumps github.com/opencontainers/runc from 1.4.2 to 1.5.0.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.5.0 -- "Why do we even have that lever?!"

This is the somewhat-delayed^Wlong-awaited first stable release of the 1.5.z release branch of runc. It contains a handful of fixes for issues found in 1.5.0-rc.3 and an important dependency bump for libpathrs.

This is the third release of runc following our new release and support policy (see RELEASES.md for more details). This means that, as of this release:

• The runc 1.2.z (and earlier) release branches are now completely unsupported.
• The runc 1.3.z release branch will now only receive high severity CVE fixes, and will no longer be supported in less than 6 months (end of October 2026).
• The runc 1.4.z release branch will now only recieve security and "significant" bugfixes.
• Users are encouraged to plan migrating to runc 1.5.0 as soon as possible.
• Despite this release being delayed by over a month, users should still expect a runc 1.6.0 release in late October 2026.

Added

• runc version and runc features now provide version information about libpathrs (when runc is built with the libpathrs build tag). (#5291, #5328)

Fixed

• Since runc 1.3.0, the org.opencontainers.runc.version annotation included in runc features contained an extraneous \n, possibly causing issues with tools that parse the output. It is now properly stripped. (#5329, #5330, #5331, #5335)

Changed

• runc (when built with the libpathrs build tag) now depends on libpathrs v0.2.5 or later, and attempting to build with older versions will cause compilation errors. (#5291, #5328)
• Switched to go-criu v8.3.0, which reduces our binary size from ~16MB to ~14MB. (#5312, #5326)

Static Linking Notices

The runc binaries distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

Changelog

This file documents all notable changes made to this project since runc 1.0.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Fixed

• The poststart hooks are now executed after starting the user-specified process, fixing a runtime-spec conformance issue. (#4347, #5186)

Added

• runc version and runc features now provide version information about libpathrs when runc is built with the libpathrs build tag. (#5291)

Changed

• runc now depends on libpathrs v0.2.5 or later, and attempting to build with older versions will cause compilation errors. (#5291)

[1.5.0-rc.3] - 2026-06-13

The best way to get a drink out of a Vogon is to stick your finger down his throat.

Security

This release includes a fix for the following low-severity security issue:

• CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in [CVE-2025-31133][], [CVE-2025-52565][], [CVE-2025-31133][] and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases.

libcontainer API

• The cmsg helpers from github.com/opencontainers/runc/libcontainer/utils have been moved to an internal package. We have included wrapper functions but they will be removed in runc 1.6. (#5227, #5231)
• Added //go:fix inline to ease migration for libcontainer/devices symbols that are deprecated and scheduled for removal in runc 1.6. (#5223, #5225)

Fixed

• runc list now correctly handles non-existent --root arguments. (#5297,

... (truncated)

Commits

• c4bb595 VERSION: release v1.5.0
• fabada3 Merge pull request #5335 from AkihiroSuda/cherrypick-5330-1.5
• c8a2d9b features: propagate version from the root urfave/cli command
• 8e155ff Merge pull request #5328 from cyphar/1.5-libpathrs-0.2.5-5921
• 3c2913c runc: add libpathrs info to --version and features
• aba980f deps: update to libpathrs v0.2.5
• 778bd25 Merge pull request #5326 from kolyshkin/1.5-5312
• cc3c5c1 deps: bump to go-criu v8.3.0
• 750317a deps: bump go-criu to v8.2.0
• 8ac0bc0 CHANGELOG: fix codespell
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)