
Conversation


@dependabot dependabot bot commented on behalf of github Nov 30, 2025

Bumps github.com/opencontainers/runc from 1.3.3 to 1.4.0.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.4.0 -- "路漫漫其修远兮,吾将上下而求索!" ("The road ahead is long and far; I shall seek high and low.")

This is the first release of the 1.4.z release branch of runc. It contains a few fixes for issues found in 1.4.0-rc.3. This version of runc supports runtime-spec v1.3 (see [docs/spec-conformance.md][] for the few features that are still missing).

This is the second release of runc following our new release and support policy (see [RELEASES.md][] for more details). This means that, as of this release:

  • The runc 1.2.z release branch will now only receive high severity CVE fixes, and will no longer be supported in less than 6 months (end of April 2026).
  • The runc 1.3.z release branch will now only receive security and "significant" bugfixes.
  • Users are encouraged to plan migrating to runc 1.4.0 as soon as possible.
  • Despite this release being delayed by a month, users should still expect a runc 1.5.0 release in late April 2026.

Deprecated

  • Deprecate cgroup v1. (#4956)
  • Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from libcontainer/utils. (#4985)

Breaking

  • The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. (opencontainers/cgroups#48, #4949)

Fixed

  • opencontainers/cgroups#43
  • cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
  • cgroups: improve cpuacct.usage_all resilience when parsing data from (opencontainers/cgroups#46, opencontainers/cgroups#50)
  • libct: close child fds on prepareCgroupFD error. (#4936)
  • libct: fix mips compilation. (#4962, #4967)
  • When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our [CVE-2025-52881][] mitigation patches. (#4971, #4976)
  • Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (#5007, #5021, #5034)
  • The "hallucination" helpers added as part of the [CVE-2025-52881][] mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.4.0] - 2025-11-27

路漫漫其修远兮,吾将上下而求索! ("The road ahead is long and far; I shall seek high and low.")

Deprecated

  • Deprecate cgroup v1. (#4956)
  • Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from libcontainer/utils. (#4985)

Breaking

  • The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. (opencontainers/cgroups#48, #4949)

Fixed

  • opencontainers/cgroups#43
  • cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
  • cgroups: improve cpuacct.usage_all resilience when parsing data from (opencontainers/cgroups#46, opencontainers/cgroups#50)
  • libct: close child fds on prepareCgroupFD error. (#4936)
  • libct: fix mips compilation. (#4962, #4967)
  • When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our CVE-2025-52881 mitigation patches. (#4971, #4976)
  • Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (#5007, #5021, #5034)
  • The "hallucination" helpers added as part of the CVE-2025-52881 mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink users. (#4985)

Changed

  • libct: switch to (*CPUSet).Fill. (#4927)
  • docs/spec-conformance.md: update for spec v1.3.0. (#4948)

[1.3.4] - 2025-11-27

Take me to your heart, take me to your soul.

Fixed

  • libct: fix mips compilation. (#4962, #4966)
  • When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our

... (truncated)

Commits
  • 8bd78a9 VERSION: release 1.4.0
  • 7d84a12 Merge pull request #5005 from cyphar/1.4-hallucinated-paths
  • c362d6b Merge pull request #5040 from cyphar/1.4-better-init-errors-4928
  • f1d0dd8 runc create/run/exec: show fatal errors from init
  • 4615662 libct/nsenter: better read/write errors
  • c4a61c0 libct/nsenter: sprinkle missing sane_kill
  • 493f1b1 libct/nsenter: add and use bailx
  • 7f9fc53 libct/nsenter: save errno in sane_kill
  • e18c06b Merge pull request #5041 from lifubang/backport-5014-fd-leaks-flake-1.4
  • 5bb8987 libct/int: TestFdLeaks: deflake
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
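
Two items in the release notes above change behaviour for existing deployments rather than just fixing bugs: pids.limit of 0 becomes a real limit in runc 1.4.0 (1 under systemd), and cgroup v1 is deprecated. The following pre-upgrade check is an added example written for this page; it is not code from runc, Dependabot or this repository. It parses an OCI config.json for an explicit `linux.resources.pids.limit` of 0 and reports whether a cgroup mount root is a v2 unified hierarchy (detected by the presence of `cgroup.controllers`, which only exists at the root of a v2 hierarchy). The struct is a hand-written projection of the runtime-spec fields, the sample config is constructed, and the note that omitting the pids block leaves the cgroup's pids.max at its default is an assumption about runc's behaviour, not something the release note states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// SampleZeroLimit is a constructed config.json fragment of the kind the 1.4.0
// breaking change affects: pids.limit explicitly set to 0.
const SampleZeroLimit = `{"ociVersion":"1.3.0","linux":{"resources":{"pids":{"limit":0}}}}`

// ociConfig is a minimal projection of an OCI runtime config.json; only the
// fields this audit needs. JSON tags follow runtime-spec's specs-go names.
type ociConfig struct {
	Linux *struct {
		Resources *struct {
			Pids *struct {
				Limit int64 `json:"limit"`
			} `json:"pids"`
		} `json:"resources"`
	} `json:"linux"`
}

// PidsFinding reports how the runc 1.4.0 pids.limit change applies to one config.
type PidsFinding struct {
	Configured bool   // a linux.resources.pids block is present
	Limit      int64  // the configured value (meaningful only when Configured)
	Affected   bool   // limit == 0: becomes a hard limit (1 under systemd) in 1.4.0
	Note       string // human-readable explanation
}

// AuditPidsLimit parses config.json bytes and flags an explicit pids.limit of 0.
func AuditPidsLimit(configJSON []byte) (PidsFinding, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return PidsFinding{}, fmt.Errorf("parse config.json: %w", err)
	}
	if cfg.Linux == nil || cfg.Linux.Resources == nil || cfg.Linux.Resources.Pids == nil {
		// Assumption: with no pids block runc does not write pids.max, so the
		// cgroup keeps its default ("max", i.e. unlimited).
		return PidsFinding{Note: "no pids block; cgroup keeps its default pids.max"}, nil
	}
	f := PidsFinding{Configured: true, Limit: cfg.Linux.Resources.Pids.Limit}
	switch {
	case f.Limit == 0:
		f.Affected = true
		f.Note = "pids.limit is 0: runc 1.4.0 enforces it as a real limit (1 under systemd); drop the pids block if unlimited was intended"
	case f.Limit < 0:
		f.Note = "negative pids.limit: not covered by the 1.4.0 release note; confirm against runtime-spec before upgrading"
	default:
		f.Note = fmt.Sprintf("pids.limit is %d: unchanged by 1.4.0", f.Limit)
	}
	return f, nil
}

// CgroupV2Unified reports whether the cgroup mount at root is a v2 unified
// hierarchy: cgroup.controllers exists only at the root of a v2 hierarchy.
// On a real host pass "/sys/fs/cgroup"; root is a parameter so it can be
// exercised against a test directory.
func CgroupV2Unified(root string) bool {
	_, err := os.Stat(filepath.Join(root, "cgroup.controllers"))
	return err == nil
}

func main() {
	// With a path argument, audit that config.json; otherwise audit the sample.
	data := []byte(SampleZeroLimit)
	if len(os.Args) == 2 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	f, err := AuditPidsLimit(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("pids: affected=%v (%s)\n", f.Affected, f.Note)
	if CgroupV2Unified("/sys/fs/cgroup") {
		fmt.Println("cgroup: v2 unified hierarchy")
	} else {
		fmt.Println("cgroup: not a v2 unified hierarchy; cgroup v1 is deprecated as of runc 1.4.0")
	}
	if f.Affected {
		os.Exit(1) // non-zero so a CI gate can block the bump until the config is fixed
	}
}
```

Run it against the config.json of each container bundle you ship (`runc spec` generates one for comparison) before merging a bump like this one; a non-zero exit marks a bundle whose pids limit silently changes meaning between 1.3.3 and 1.4.0.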

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.3.3 to 1.4.0.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.3.3...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Labels

theme/dependencies Pull requests that update a dependency file
