[dev] Update workspace libraries to match kubernetes (containerd, runc, buildkit)

[geropl]

Description

Motivation to bump this particular set of libraries:

• we need to stay within supported versions range of kubernetes (EKS)
• because when we bump kubernetes, we also need to bump containerd on the AMI, for it to stay compatible
• that's why we need to bump containerd client libs (runc, buildkit) to stay within those range

Reasoning for the specific versions: https://linear.app/gitpod/issue/CLC-982/update-containerd-to-latest-patch-16x-k8s-and-runc-libs-in-gitpod-mono#comment-d5450e2c

Related Issue(s)

Fixes CLC-982

How to test

• Manual (fuse test) is actually covered by this integration test 💡
• workspace integration tests
  • blocked by [gha] Update actions/upload-artifact@v3 -> actions/upload-artifact@v4 #20529
  • 🟢 https://github.com/gitpod-io/gitpod/actions/runs/12824651572
• ephemeral cluster / catfood + loadgen

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - gpl-982-upc080e1a2ff
• 🔗 URL - gpl-982-upc080e1a2ff.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - gpl-982-update-deps-2-gha.31004
• 🗒️ Logs - GCP Logs Explorer

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft preemptible
  Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
golang/github.com/containerd/[email protected]	environment, filesystem, network, shell, unsafe	0	8.07 MB
golang/github.com/distribution/[email protected]	None	0	128 kB
golang/github.com/moby/[email protected] 🔁 golang/github.com/moby/[email protected]	None	0	5.24 MB
golang/github.com/opencontainers/[email protected] 🔁 golang/github.com/opencontainers/[email protected], golang/github.com/opencontainers/[email protected], golang/github.com/opencontainers/[email protected]	None	0	356 kB
golang/github.com/opencontainers/[email protected] 🔁 golang/github.com/opencontainers/[email protected], golang/github.com/opencontainers/[email protected]	None	0	1.86 MB
golang/github.com/prometheus/[email protected] 🔁 golang/github.com/prometheus/[email protected]	None	0	1.08 MB
golang/github.com/spf13/[email protected] 🔁 golang/github.com/spf13/[email protected]	None	0	661 kB
golang/golang.org/x/[email protected] 🔁 golang/golang.org/x/[email protected], golang/golang.org/x/[email protected]	None	0	9.01 MB
golang/helm.sh/helm/[email protected] 🔁 golang/helm.sh/helm/[email protected]	None	0	2.6 MB

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	golang/github.com/moby/[email protected]	CVE: GHSA-4v98-7qmw-rqr8 BuildKit vulnerable to possible host system access from mount stub cleaner (CRITICAL) Affected versions: < 0.12.5 Patched version: 0.12.5	components/image-builder-bob/go.mod	⚠︎
Critical CVE	golang/github.com/moby/[email protected]	CVE: GHSA-wr6v-9f75-vh2g Buildkit's interactive containers API does not validate entitlements check (CRITICAL) Affected versions: < 0.12.5 Patched version: 0.12.5	components/image-builder-bob/go.mod	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore golang/github.com/moby/[email protected]

[geropl]

/unhold