chore(deps): update docker-model-cli to v1.1.38

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
docker-model-cli	patch	1.1.37 → 1.1.38

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

docker/model-runner (docker-model-cli)

v1.1.38: Docker Model Runner v1.1.38

Compare Source

What's Changed

🐛 Bug Fixes

• fix: pass chat template to vllm-metal backend (#​880) @​ilopezluna
• fix: install llama-common DLL on Windows shared builds (#​878) @​ilopezluna

Full Changelog: docker/model-runner@v1.1.37...v1.1.38

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/docker-model-cli:1.1.38

📦 Image Reference ghcr.io/uniget-org/tools/docker-model-cli:1.1.38

digest	sha256:6bc7f64d3ef7d7150e74f5859c8b9ac7626b7d3a261c2e0dfe84d5f65f638936
vulnerabilities
platform	linux/amd64
size	10 MB
packages	132

github.com/docker/cli 29.4.0+incompatible (golang) pkg:golang/github.com/docker/cli@29.4.0%2Bincompatible Affected range >=19.03.0+incompatible Fixed version Not Fixed EPSS Score 0.023% EPSS Percentile 6th percentile Description Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli

go.opentelemetry.io/otel/sdk 1.41.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.41.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.008% EPSS Percentile 1st percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.