
chore(deps): update dependency portainer/portainer to v2.26.0 #9600

Merged
merged 1 commit into from
Jan 15, 2025

Conversation

uniget-bot

This PR contains the following updates:

Package              Update  Change
portainer/portainer  minor   2.25.1 -> 2.26.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

portainer/portainer (portainer/portainer)

v2.26.0

Compare Source

This is an STS (Short Term Support) release that includes all the changes added up to and including the 2.25.1 patch release, as well as various fixes aimed at enhancing the stability and scalability of Portainer. For more details on what is included from the 2.25 release, refer to the 2.25 release notes.

Known issues

Known issues with Docker support
  • Service pruning does not work with stacks using relative paths
  • GitOps updates option is not visible when first deploying stacks from Git on Docker (but can be configured after the stack is deployed)
Known issues with Podman support
  • Podman environments aren't supported by the auto-onboarding script
  • It's not possible to add Podman environments via socket when running a Portainer server on Docker (and vice versa)
  • Support for CentOS 9 and rootful Podman 5 only

New in this release

  • Added the ability to remove associated volumes when deleting a stack
  • Improved the performance for edge:
    • Optimized AddEnvironmentToEdgeGroups()
    • Optimized the concurrent Edge Stack retrieval by the agent
    • Optimized the Edge Stack status update by the agent
  • Fixed a goroutine leak in the Agent that would exhaust the resources over time
  • Fixed Edge Stack status updates so that it doesn't cause wrong counts
  • Updated compose-unpacker so it doesn't rely on the docker-compose binary
  • Fixed data races:
    • GetPlatform()
    • Docker transport
    • Agent stack manager
    • Edge auto-onboarding
  • Fixed the volume list retrieval and app template deployment when the environment snapshot doesn't exist
  • Standardized the lower case string comparison method
  • Fixed a problem that prevented the update of edge stacks when using webhooks with async environments
  • Added a 30-minute interval to the OAuth session timeout options
  • Added a new Kubernetes view for Jobs and Cron Jobs
  • Fixed update create from file option order

Deprecated and removed features

Deprecated features

None

Removed features

None


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.


@nicholasdille-bot nicholasdille-bot left a comment


Auto-approved because label type/renovate is present.


🔍 Vulnerabilities of ghcr.io/uniget-org/tools/portainer:2.26.0

📦 Image Reference: ghcr.io/uniget-org/tools/portainer:2.26.0
digest: sha256:48d8bb6abb131c2dfde594c4cc76f6badbe6eccbdb7eef9395dfe550da889933
vulnerabilities: critical: 1, high: 2, medium: 0, low: 1
platform: linux/amd64
size: 32 MB
packages: 245
critical: 1 high: 1 medium: 0 low: 0 github.com/go-git/go-git/v5 5.11.0 (golang)

pkg:golang/github.com/go-git/go-git/v5@5.11.0

critical 9.2: CVE-2025-21613 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Affected range: <5.13.0
Fixed version: 5.13.0
CVSS Score: 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Description

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce strict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

high 7.5: CVE-2025-21614 Improper Input Validation

Affected range: <5.13.0
Fixed version: 5.13.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trustworthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/net 0.29.0 (golang)

pkg:golang/golang.org/x/net@0.29.0

high 8.7: CVE-2024-45338 Allocation of Resources Without Limits or Throttling

Affected range: <0.33.0
Fixed version: 0.33.0
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Description

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

critical: 0 high: 0 medium: 0 low: 1 github.com/golang-jwt/jwt/v4 4.5.0 (golang)

pkg:golang/github.com/golang-jwt/jwt/v4@4.5.0

low 2.3: CVE-2024-51744 Improper Verification of Cryptographic Signature

Affected range: <4.5.1
Fixed version: 4.5.1
CVSS Score: 2.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Description

Summary

Unclear documentation of the error behavior in ParseWithClaims can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using errors.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Fix

We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release.

Workaround

We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

// Call with the result of jwt.Parse or similar (uses errors, fmt and
// github.com/golang-jwt/jwt/v4). The "dangerous" errors are checked before
// the timing ones. jwt.Parse can return a nil token for a malformed input,
// so the token is not dereferenced before that is ruled out.
func handleToken(token *jwt.Token, err error) {
	if token != nil && token.Valid {
		fmt.Println("You look nice today")
	} else if errors.Is(err, jwt.ErrTokenMalformed) {
		fmt.Println("That's not even a token")
	} else if errors.Is(err, jwt.ErrTokenUnverifiable) {
		fmt.Println("We could not verify this token")
	} else if errors.Is(err, jwt.ErrTokenSignatureInvalid) {
		fmt.Println("This token has an invalid signature")
	} else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) {
		// Token is either expired or not active yet
		fmt.Println("Timing is everything")
	} else {
		fmt.Println("Couldn't handle this token:", err)
	}
}
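The combined-error pitfall the jwt advisory describes, as an added illustration that is not part of the advisory or of the jwt library: a stand-alone model of v4.5.0's behaviour in which one error satisfies errors.Is for every failed check, so a checker that asks only about expiry mis-classifies a token whose signature is also invalid, while a checker that tests the "dangerous" error first rejects it. ValidationError, NaiveVerdict and SafeVerdict are names chosen here; the real jwt.ValidationError carries a bitmask rather than two booleans.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors named after the golang-jwt/jwt v4 ones (a model, not the library).
var (
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
	ErrTokenExpired          = errors.New("token is expired")
)

// ValidationError is a simplified stand-in for jwt.ValidationError in v4.5.0 (which
// uses a bitmask): several checks can fail at once, and Is reports true for each.
type ValidationError struct{ SigInvalid, Expired bool }

func (e *ValidationError) Error() string { return "token validation failed" }

func (e *ValidationError) Is(target error) bool {
	return (target == ErrTokenSignatureInvalid && e.SigInvalid) ||
		(target == ErrTokenExpired && e.Expired)
}

// NaiveVerdict is the unsafe pattern from the advisory: only the expiry error
// is inspected, so a token that is both expired and forged reads as "expired".
func NaiveVerdict(err error) string {
	if err == nil {
		return "accept"
	} else if errors.Is(err, ErrTokenExpired) {
		return "expired"
	}
	return "reject"
}

// SafeVerdict checks the "dangerous" signature error before the timing one,
// as the workaround recommends: a forged token is rejected whatever else failed.
func SafeVerdict(err error) string {
	if err == nil {
		return "accept"
	} else if errors.Is(err, ErrTokenSignatureInvalid) {
		return "reject"
	} else if errors.Is(err, ErrTokenExpired) {
		return "expired"
	}
	return "reject"
}

func main() {
	forged := &ValidationError{SigInvalid: true, Expired: true} // constructed parse result
	fmt.Println(NaiveVerdict(forged), SafeVerdict(forged))      // expired reject
}
```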


Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12779982120.


PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12779982120.

@github-actions github-actions bot merged commit 2e4e630 into main Jan 15, 2025
10 checks passed
@github-actions github-actions bot deleted the renovate/portainer-portainer-2.x branch January 15, 2025 01:58