Skip to content

build(deps): bump the k8s group across 1 directory with 4 updates #1376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
+72 −90
Open

build(deps): bump the k8s group across 1 directory with 4 updates #1376

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 24 additions & 28 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/openshift/oc-mirror/v2

go 1.24.3
go 1.25.0
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Go directive in go.mod:"
rg -n '^\s*go\s+[0-9]+\.[0-9]+(\.[0-9]+)?' go.mod

echo
echo "Potential pinned Go versions in repo configs/images:"
rg -n --iglob '*Dockerfile*' --iglob '*.yaml' --iglob '*.yml' --iglob '*.md' \
  'GO_VERSION|golang:|go[ ="]1\.[0-9]+(\.[0-9]+)?'

Repository: openshift/oc-mirror

Length of output: 344

🏁 Script executed:

# Search for GitHub Actions and other CI workflow files with Go version pins
fd -e yaml -e yml . .github 2>/dev/null | head -20

# Also check for any other build-related configs
rg -n 'go[_-]?version|golang' --iglob '*.json' --iglob '*.yaml' --iglob '*.yml' -t yaml -t json

Repository: openshift/oc-mirror

Length of output: 50376

🏁 Script executed:

# Search for GitHub Actions workflows with Go versions
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | while read file; do
  echo "=== $file ==="
  rg -n 'go-version|go:' "$file" 2>/dev/null || echo "No Go version found"
done

# Also search for any remaining Go 1.23.5 references
echo
echo "=== All references to Go 1.23.5 ==="
rg -r 'go.*1\.23\.5|1\.23\.5' --max-count 20

Repository: openshift/oc-mirror

Length of output: 513

🏁 Script executed:

# Search for all Go version references correctly
echo "=== GitHub Actions workflows with Go versions ==="
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | head -5

echo
echo "=== References to Go 1.23.5 ==="
rg '1\.23\.5' -n

echo
echo "=== References to Go 1.25 ==="
rg '1\.25' -n

echo
echo "=== Any go-version references in CI/workflows ==="
rg 'go.version|go-version|GO_VERSION' -n --max-count 20

Repository: openshift/oc-mirror

Length of output: 2266

Update Dockerfile to use Go 1.25.0 to match go.mod requirement

The root Dockerfile pins GO_VERSION=go1.23.5 (line 28), which creates environment skew with the go.mod requirement of go 1.25.0. This will cause build failures when the PR is merged. Update the Dockerfile to use go1.25.0 or the appropriate 1.25.x patch version.

Note: The other Dockerfiles in images/cli/ (Dockerfile.ci, Dockerfile.art, Dockerfile.test) already reference golang-1.25 from their base builder images and do not have this issue.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The Dockerfile's GO_VERSION variable is pinned to go1.23.5
and must be updated to match go.mod's "go 1.25.0"; open the project's root
Dockerfile, find the GO_VERSION definition (symbol: GO_VERSION) and change its
value to go1.25.0 (or an appropriate 1.25.x patch) so the build environment
aligns with go.mod's Go version and avoids skew with the other images that
already use golang-1.25.


require (
github.com/Masterminds/semver/v3 v3.4.0
Expand All @@ -26,15 +26,15 @@ require (
go.podman.io/common v0.65.0
go.podman.io/image/v5 v5.37.0
go.podman.io/storage v1.60.0
golang.org/x/crypto v0.41.0
golang.org/x/crypto v0.44.0
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/term v0.34.0
golang.org/x/term v0.37.0
helm.sh/helm/v3 v3.18.6
k8s.io/api v0.33.4
k8s.io/apimachinery v0.33.4
k8s.io/client-go v0.33.4
k8s.io/kubectl v0.33.4
k8s.io/api v0.35.3
k8s.io/apimachinery v0.35.3
k8s.io/client-go v0.35.3
k8s.io/kubectl v0.35.3
sigs.k8s.io/yaml v1.6.0
)

Expand Down Expand Up @@ -82,7 +82,7 @@ require (
github.com/evanphx/json-patch v5.9.11+incompatible // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fxamacker/cbor/v2 v2.8.0 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.6.2 // indirect
Expand All @@ -97,13 +97,11 @@ require (
github.com/golang/mock v1.7.0-rc.1 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.6.9 // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-intervals v0.0.2 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/gorilla/handlers v1.5.2 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.0 // indirect
github.com/h2non/filetype v1.1.3 // indirect
Expand Down Expand Up @@ -132,16 +130,14 @@ require (
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/spdystream v0.5.0 // indirect
github.com/moby/sys/capability v0.4.0 // indirect
github.com/moby/sys/mountinfo v0.7.2 // indirect
github.com/moby/sys/user v0.4.0 // indirect
github.com/moby/term v0.5.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/opencontainers/selinux v1.12.0 // indirect
github.com/openshift/build-machinery-go v0.0.0-20250414185254-3ce8e800ceda // indirect
Expand All @@ -151,9 +147,9 @@ require (
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/proglottis/gpgme v0.1.5 // indirect
github.com/prometheus/client_golang v1.22.0 // indirect
github.com/prometheus/client_golang v1.23.2 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.65.0 // indirect
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.16.1 // indirect
github.com/redis/go-redis/extra/rediscmd/v9 v9.10.0 // indirect
github.com/redis/go-redis/extra/redisotel/v9 v9.10.0 // indirect
Expand Down Expand Up @@ -200,34 +196,34 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
go.opentelemetry.io/otel/trace v1.36.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/net v0.43.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/oauth2 v0.33.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/text v0.28.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/time v0.12.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/grpc v1.73.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
Comment on lines +199 to +210
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm pinned grpc version in go.mod"
rg -n '^\s*google\.golang\.org/grpc\s+v' go.mod

echo
echo "2) Query OSV for this exact version"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": { "ecosystem": "Go", "name": "google.golang.org/grpc" },
  "version": "1.73.0"
}' | jq -r '
  if (.vulns|length)==0 then "No vulns returned by OSV for 1.73.0"
  else .vulns[] | "\(.id): \(.summary // "no summary")"
  end
'

Repository: openshift/oc-mirror

Length of output: 387

Bump google.golang.org/grpc to a patched version—the current pinned v1.73.0 has critical authorization-bypass vulnerabilities (GHSA-p77j-4mvh-x3m3 / GO-2026-4762 via missing leading slash in :path header validation).

🧰 Tools
🪛 OSV Scanner (2.3.5)

[CRITICAL] 208-208: google.golang.org/grpc 1.73.0: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)

[CRITICAL] 208-208: google.golang.org/grpc 1.73.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 199 - 210, The go.mod pins google.golang.org/grpc to
v1.73.0 which contains a known authorization-bypass vulnerability; update the
google.golang.org/grpc module reference to a patched release (e.g., the latest
v1.73.x+ or v1.74.0+ that contains the fix), run go get
google.golang.org/grpc@<patched-version> (or update the version string in
go.mod), then run go mod tidy to refresh go.sum and ensure no other indirect
dependencies regress; verify builds and tests pass after the upgrade.

gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.33.3 // indirect
k8s.io/cli-runtime v0.33.4 // indirect
k8s.io/component-base v0.33.4 // indirect
k8s.io/cli-runtime v0.35.3 // indirect
k8s.io/component-base v0.35.3 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250610211856-8b98d1ed966a // indirect
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
oras.land/oras-go/v2 v2.6.0 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/kustomize/api v0.19.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/kustomize/api v0.20.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
)

tool github.com/openshift/build-machinery-go
Loading