Skip to content

filepath-securejoin v0.5.0 contains MPL-2.0 code which is not allowed per CNCF rules #9518

New issue
New issue
Open
Open
filepath-securejoin v0.5.0 contains MPL-2.0 code which is not allowed per CNCF rules#9518
Labels
lifecycle/frozenIndicates that an issue or PR should not be auto-closed due to staleness.lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.
@Luap99

Description

@Luap99
Luap99
opened on Oct 20, 2025

github.com/cyphar/filepath-securejoin v0.5.0 added MPL-2.0 code which is not allowed in the CNCF license rules by default and requires an exception, see cncf/foundation#1154

We are holding the update in podman, buildah and in our storage library to avoid the bump for now, containers/container-libs#359.

Looks like it was bumped in cadcf47 here, you may need to revert it until it gets an exception.

Metadata

Metadata

Assignees

No one assigned

    Labels

    lifecycle/frozenIndicates that an issue or PR should not be auto-closed due to staleness.lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions