CGA-xhgf-jfp5-fccj

The package's runtime uses github.com/docker/docker only as a service-discovery client (discovery/moby/.go), calling read-only metadata APIs (ContainerList, NetworkList, NodeList, ServiceList, TaskList). go list -deps confirms only api/types/ and client are linked into the binary; the daemon-side packages plugin/, pkg/authorization/, daemon/, and container/archive* where this vulnerability lives are not imported and therefore not present in the binary.

The vulnerable component is github.com/docker/docker. Per the GitHub Security Advisory at https://github.com/advisories/GHSA-vp62-88p7-qqf5, github.com/docker/docker is listed as affected with no published fixed version (vulnerable range <=28.5.2). The advisory's only patched entry is for the separate module path github.com/moby/moby/v2 @ 2.0.0-beta.8, which prometheus-2.51 does not vendor. Without an upstream release that fixes the github.com/docker/docker module path, this issue cannot be closed by routine dependency-bump automation. A pending-upstream-fix advisory event is justified: the issue should reflect that we are awaiting either upstream backporting the fix to the github.com/docker/docker module path, or the package migrating to github.com/moby/moby/v2.