
Bump the oc-mirror-v1-security-updates group across 1 directory with 11 updates#1423

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/v1/oc-mirror-v1-security-updates-5d85f3afec


@dependabot dependabot Bot commented on behalf of github May 28, 2026

Bumps the oc-mirror-v1-security-updates group with 7 updates in the /v1 directory:

| Package | From | To |
| --- | --- | --- |
| github.com/containerd/containerd | 1.7.27 | 1.7.32 |
| github.com/docker/cli | 27.5.0+incompatible | 29.2.0+incompatible |
| github.com/go-git/go-git/v5 | 5.14.0 | 5.19.1 |
| helm.sh/helm/v3 | 3.18.4 | 3.20.2 |
| github.com/go-jose/go-jose/v4 | 4.0.5 | 4.1.4 |
| github.com/sigstore/fulcio | 1.6.4 | 1.8.5 |
| github.com/sigstore/rekor | 1.3.6 | 1.5.0 |

Updates github.com/containerd/containerd from 1.7.27 to 1.7.32

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.32

Welcome to the v1.7.32 release of containerd!


The thirty-second patch release for containerd 1.7 contains various fixes and updates including a security patch.

  • containerd

  • Allow hosts.toml to contain only root-level fields without an explicit [host] section (#10028)

  • Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13450)

  • Apply hardening to block AF_ALG in default socket policy (#13406)

  • Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#13299)

  • Set AppArmor abi conditionally to support versions < 3.0 (#13273)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

  • Maksym Pavlenko
  • Chris Henzie
  • Derek McGowan
  • Paweł Gronowski
  • Samuel Karp
  • Wei Fu
  • Brad Davidson
  • Brian Goff
  • LEI WANG
  • Phil Estes
  • bc87d865c Prepare release notes for v1.7.32
  • oci: return explicit error for out-of-range USER values (#13450)
    • 503f47946 oci: return explicit error for out-of-range USER values
  • seccomp: Block AF_ALG in default socket policy (#13406)
    • e55b747d3 seccomp: Block AF_ALG in default socket policy
    • 4627a65f8 seccomp: Document socket rule scope and socketcall limitation
  • Fix issue with empty host tree in hosts.toml (#10028)
    • 24007441d Fix error parsing hosts.toml without any host tree
  • Support both styles of volatile mount option (#13299)
    • 940733149 Support both styles of volatile mount option
  • apparmor: Set abi conditionally (#13273)
  • Add GitHub Action for k8s node e2e tests (#13258)
    • 0db1e143a Add GitHub Action for k8s node e2e tests
  • Update release process after 1.7 (#13236)
    • 3223a75c2 Update for latest updates to release tool

... (truncated)

Commits
  • 180a7b7 Merge pull request #13452 from samuelkarp/prepare-1.7.32
  • bc87d86 Prepare release notes for v1.7.32
  • 6a05ddd Merge pull request #13450 from samuelkarp/oci-withuser-errrange-1.7
  • 9c3d01b Merge pull request #13406 from k8s-infra-cherrypick-robot/cherry-pick-13327-t...
  • e55b747 seccomp: Block AF_ALG in default socket policy
  • 4627a65 seccomp: Document socket rule scope and socketcall limitation
  • 33d9e24 Merge pull request #10028 from brandond/fix-hosts-toml
  • 503f479 oci: return explicit error for out-of-range USER values
  • 4393e22 Merge pull request #13299 from chrishenzie/release/1.7-volatile
  • 9407331 Support both styles of volatile mount option
  • Additional commits viewable in compare view

Updates github.com/docker/cli from 27.5.0+incompatible to 29.2.0+incompatible

Commits
  • 0b9d198 Merge pull request #6764 from vvoland/update-docker
  • 9c9ec73 vendor: github.com/moby/moby/client v0.2.2
  • bab3e81 vendor: github.com/moby/moby/api v1.53.0
  • 2e64fc1 Merge pull request #6367 from thaJeztah/template_slicejoin
  • 1f2ba2a Merge pull request #6760 from thaJeztah/container_create_fix_error
  • e34a342 templates: make "join" work with non-string slices and map values
  • a86356d Merge pull request #6763 from thaJeztah/bump_mapstructure
  • 771660a vendor: github.com/go-viper/mapstructure/v2 v2.5.0
  • 9cff36b Merge pull request #6762 from thaJeztah/bump_x_deps
  • 08ed2bc cli/command/container: make injecting config.json failures a warning
  • Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.14.0 to 5.19.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

v5.19.0

What's Changed

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

v5.18.0

What's Changed

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

What's Changed

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

v5.17.1

What's Changed

... (truncated)

Commits
  • 3c3be60 Merge pull request #2137 from go-git/validate-v5
  • 3fba897 plumbing: format/packfile, cap delta chain depth in parser
  • a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
  • aeaa125 plumbing: format/objfile, require Header before Read
  • 1f38e17 plumbing: format/packfile, bound inflate size
  • f7545a0 plumbing: format/idxfile, bound nr by file size
  • 170b881 Merge pull request #2116 from pjbgf/symlink-v5
  • 7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
  • f0709b3 git: Stop validating symlink target paths
  • 776d00f git: Allow MkdirAll on worktree-root paths
  • Additional commits viewable in compare view

Updates helm.sh/helm/v3 from 3.18.4 to 3.20.2

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.20.2

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Chart dot-name path bug 8fb76d6ab555577e98e23b7500009537a471feee (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e275c50cecde273872dad2a5576bd46375 (Terry Howe)

Helm v3.20.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

... (truncated)

Commits
  • 8fb76d6 fix: Chart dot-name path bug
  • 3a8927e fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
  • a2369ca chore(deps): bump the k8s-io group with 7 updates
  • 90e1056 add image index test
  • 911f2e9 fix pulling charts from OCI indices
  • 76dad33 Remove refactoring changes from coalesce_test.go
  • 45c12f7 Fix import
  • 26c6f19 Update pkg/chart/common/util/coalesce_test.go
  • 09f5129 Fix lint warning
  • 417deb2 Preserve nil values in chart already
  • Additional commits viewable in compare view

Updates github.com/go-git/go-billy/v5 from 5.6.2 to 5.9.0

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.9.0

What's Changed

Full Changelog: go-git/go-billy@v5.8.0...v5.9.0

v5.8.0

What's Changed

Full Changelog: go-git/go-billy@v5.7.0...v5.8.0

v5.7.0

What's Changed

Full Changelog: go-git/go-billy@v5.6.2...v5.7.0

Commits
  • 237e529 Merge pull request #206 from pjbgf/v5-improvements
  • 04edb39 build: Add go-git integration test
  • d8efefd osfs: preserve empty ChrootOS base
  • 07f2a0b Merge pull request #205 from pjbgf/v5-improvements
  • 25207c8 build: Bump Go versions in workflows
  • 2fda229 osfs: ChrootOS eval baseDir on creation
  • 427b27f Merge pull request #203 from pjbgf/v5-improvements
  • 7d5a23e chroot: Reject symlink loops
  • 2c2287a util: avoid following symlinks in RemoveAll fallback
  • cbd88e9 Fix mount path handling
  • Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.0.5 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

New Contributors

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

New Contributors

... (truncated)

Commits

Updates github.com/sigstore/fulcio from 1.6.4 to 1.8.5

Release notes

Sourced from github.com/sigstore/fulcio's releases.

v1.8.5

Changelog

This resolves GHSA-59jp-pj84-45mr - Server-side request forgery via MetaIssuer regex bypass

Thanks for all contributors!

v1.8.4

Changelog

  • f5bfa34740fc579523e2da9825ea575227331c6f build(deps): bump github.com/tink-crypto/tink-go/v2 from 2.5.0 to 2.6.0 (#2246)
  • 0039c980ab58e8cabf38d62fb80a607b5f21c0da build(deps): bump goa.design/goa/v3 from 3.22.6 to 3.23.4 (#2245)
  • 3a432f030f1dca4d088f1777f07947a85d1750cd build(deps): bump go.step.sm/crypto from 0.74.0 to 0.75.0 (#2238)
  • f3aba4a94150cad7eaa7dc0445e8cdf6cb037c23 build(deps): bump the all group across 1 directory with 4 updates (#2247)
  • e66a4c6f47d4052c7b38b84f081b26ca3191deb0 build(deps): bump the all group with 8 updates (#2244)
  • a846db6473f4be95443f3772914a15cc156be7b6 build(deps): bump golang from 20b91ed to a22b2e6 (#2243)
  • 5a012f5e4f9617fe649b08ec8531d1e8256577e4 update Run Invocation URI for circleci (#2242)
  • 59dde0af71dbeaa69b8c25edb107ac19bf3a05ce update builder to use go1.25.5 (#2235)
  • 1a6870c7d6f0d2ed6513104ec3f60f8ba5d91c32 build(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#2236)

Thanks for all contributors!

v1.8.3

Changelog

v1.8.3 fixes GHSA-f83f-xpx7-ffpw

  • 3622f6e62cf74ff1477422a8c3aad4ca338ed047 update changelog for v1.8.3 release (#2234)
  • 765a0e57608b9ef390e1eeeea8595b9054c63a5a Merge commit from fork (#2233)
  • 90f8520e1754b20ba0cb33d412ee15006711b85f build(deps): bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 (#2225)
  • d88584108bf71c5d375a41a62c05de3c587bd35e build(deps): bump the all group across 1 directory with 6 updates (#2232)
  • a387888860bff3f4100d35aa5a63306bb545e702 build(deps): bump the all group with 4 updates (#2226)
  • 7b0c1a11da32a1eb485ea3368725028c4f3d35be build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#2227)
  • f0a0d051798bb1869d79ba21fbb9b60bdd896664 build(deps): bump golang from e68f6a0 to 6981837 (#2222)
  • 4ed0ea1b43f96c571de5ed8b44a5703d6c5c2894 Switch docker env from ct_server to TesseraCT (#2210)
  • e902cf880ff56e6749725ea6d63299ab7b370c2d feat: Add support for skipping email_verified claim requirement per issuer (#2220)
  • c0fc26c2c1d8a1e16802dd466fb233d69d3ef35d Add basic E2E tests (#2230)
  • a4ee8608f0349bd546b33406417f8ff1a58b09b1 build(deps): bump sigstore/scaffolding/trillian_log_signer (#2228)
  • 51d916e167276404d153607f076e5a7fb8f30986 build(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (#2216)
  • bd3a515d86c015a70fa7abd47511fcb1108aafcf add meta-issuer circleci block (#2215)
  • c4d47896482f470adaf09dc7706a54fd66311bfd add circleci info to fulcio (#2192)

Thanks for all contributors!

v1.8.2

... (truncated)

Changelog

Sourced from github.com/sigstore/fulcio's changelog.

v1.8.5

Vulnerability Fixes

v1.8.4

Same changelog as v1.8.3, with a few dependency bumps to resolve a breaking API change

v1.8.3

Vulnerability Fixes

Features

  • feat: Add support for skipping email_verified claim requirement per issuer (#2220)
  • add meta-issuer circleci block (#2215)
  • add circleci info to fulcio (#2192)

Testing

  • Add basic E2E tests (#2230)

v1.8.2

Testing

  • make email address in test cases rfc822 conformant (#2205)

v1.8.1

Same as v1.8.0, but with a fix for the CI build pipeline.

v1.8.0

Bug Fixes

  • fix: K8s API does not accept unauthorized requests (#2111)
  • fix: vault for enterprise expects only the key name (#2117)
  • fix(config): respect cacert on oidc-issuers (#2098)
  • Register /healthz endpoint when listening on duplex http/grpc port (#2046)

Features

  • feat: adds cert loading and key-match validation. (#2173)
  • expose gcp kms retry and timeout options (#2132)
  • server: Use warning log level for client errors (#2147)

... (truncated)

Commits

Updates github.com/sigstore/rekor from 1.3.6 to 1.5.0

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

  • use interruptible context to elegantly handle signals in rekor-cli (#2681)
  • restapi: Don't log client errors as errors (#2680)
  • pkg: separate pki types from implementations (#2668)
  • e2e: don't mix e2e and regular utilities (#2672)
  • pkg: remove viper config from spec definitions (#2669)
  • log: remove zap & go-chi dependency from pkg/types (#2667)
  • chore: update go-openapi/runtime to v0.29.0 (#2670)
  • chore: remove double imported mapstructure pkg (#2671)
  • remove archived dependency and use stdlib slices (#2650)

Documentation

  • (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Jussi Kukkonen
  • Sachin Sampras M
  • Tõnis Tiigi

v1.4.2

What's Changed

... (truncated)

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.4.2

This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

... (truncated)

Commits
  • fe9717f Changelog for v1.5.0 (#2730)
  • 60ef2bc Drop support for fetching public keys by URL in the search index (#2731)
  • ca625dc build(deps): Bump github.com/redis/go-redis/v9 from 9.14.1 to 9.17.2 (#2706)
  • 39bae3d Merge commit from fork (#2729)
  • 812e699 build(deps): Bump google.golang.org/api from 0.256.0 to 0.259.0 (#2723)
  • 4596e4e build(deps): Bump golang.org/x/net from 0.47.0 to 0.48.0 (#2722)
  • a3e73cd build(deps): Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 (#2724)
  • 94d259c build(deps): Bump the all group across 1 directory with 3 updates (#2727)
  • a5329c9 build(deps): Bump the all group with 2 updates (#2728)
  • 5e6bdcd build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2726)
  • Additional commits viewable in compare view

Updates github.com/sigstore/sigstore from 1.8.9 to 1.10.3

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.3

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

Refactoring

... (truncated)

Commits
  • 72f0ed7 build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2230)
  • b257168 build(deps): Bump github.com/aws/aws-sdk-go-v2 in /pkg/signature/kms/aws (#2226)
  • 84f57b8 build(deps): Bump github.com/sigstore/sigstore (#2221)
  • bdc1a86 build(deps): Bump actions/checkout from 5.0.1 to 6.0.0 (#2220)
  • 11dfe81 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/aws (#2236)
  • 0214948 Add back ValidatePubKey as a deprecated, minimal function (#2235)

…11 updates

Bumps the oc-mirror-v1-security-updates group with 7 updates in the /v1 directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/containerd/containerd](https://github.com/containerd/containerd) | `1.7.27` | `1.7.32` |
| [github.com/docker/cli](https://github.com/docker/cli) | `27.5.0+incompatible` | `29.2.0+incompatible` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.14.0` | `5.19.1` |
| [helm.sh/helm/v3](https://github.com/helm/helm) | `3.18.4` | `3.20.2` |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.0.5` | `4.1.4` |
| [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio) | `1.6.4` | `1.8.5` |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.3.6` | `1.5.0` |



Updates `github.com/containerd/containerd` from 1.7.27 to 1.7.32
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.27...v1.7.32)

Updates `github.com/docker/cli` from 27.5.0+incompatible to 29.2.0+incompatible
- [Commits](docker/cli@v27.5.0...v29.2.0)

Updates `github.com/go-git/go-git/v5` from 5.14.0 to 5.19.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.14.0...v5.19.1)

Updates `helm.sh/helm/v3` from 3.18.4 to 3.20.2
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.18.4...v3.20.2)

Updates `github.com/go-git/go-billy/v5` from 5.6.2 to 5.9.0
- [Release notes](https://github.com/go-git/go-billy/releases)
- [Commits](go-git/go-billy@v5.6.2...v5.9.0)

Updates `github.com/go-jose/go-jose/v4` from 4.0.5 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.0.5...v4.1.4)

Updates `github.com/sigstore/fulcio` from 1.6.4 to 1.8.5
- [Release notes](https://github.com/sigstore/fulcio/releases)
- [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md)
- [Commits](sigstore/fulcio@v1.6.4...v1.8.5)

Updates `github.com/sigstore/rekor` from 1.3.6 to 1.5.0
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.3.6...v1.5.0)

Updates `github.com/sigstore/sigstore` from 1.8.9 to 1.10.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.9...v1.10.3)

Updates `go.opentelemetry.io/otel/sdk` from 1.33.0 to 1.38.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.33.0...v1.38.0)

Updates `google.golang.org/grpc` from 1.68.1 to 1.78.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.68.1...v1.78.0)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.32
  dependency-type: direct:production
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/docker/cli
  dependency-version: 29.2.0+incompatible
  dependency-type: direct:production
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.20.2
  dependency-type: direct:production
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/go-git/go-billy/v5
  dependency-version: 5.9.0
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/sigstore/fulcio
  dependency-version: 1.8.5
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.0
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.3
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.38.0
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
- dependency-name: google.golang.org/grpc
  dependency-version: 1.78.0
  dependency-type: indirect
  dependency-group: oc-mirror-v1-security-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) May 28, 2026
@openshift-ci openshift-ci Bot requested review from aguidirh and r4f4 May 28, 2026 16:52

openshift-ci Bot commented May 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign aguidirh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented May 28, 2026

Walkthrough

The PR updates v1/go.mod to require Go 1.25.0 and refreshes a comprehensive set of module dependencies across Kubernetes, Helm, container runtime ecosystems, observability platforms, and system utilities. The backoff library is upgraded from v4 to v5. No replace directives were modified.

Changes

Go 1.25 and Dependency Refresh

| Layer | File(s) | Summary |
| --- | --- | --- |
| Go version and direct dependencies | v1/go.mod (lines 3–13) | Go version upgraded to 1.25.0; direct dependencies including containerd, docker/cli, go-git, go-logr, and google/go-containerregistry updated. |
| Kubernetes and Helm ecosystem | v1/go.mod (lines 22–65) | Kubernetes k8s.io/* libraries (apimachinery, cli-runtime, client-go, component-base, kubectl), helm.sh/helm/v3, spf13/*, and golang.org/x/* packages refreshed. |
| Container runtime and infrastructure | v1/go.mod (lines 74–151, 161–194) | Containerd and Docker ecosystem packages (stargz-snapshotter, ttrpc, typeurl, containers/storage), OpenAPI/gateway libraries, and opencontainers/* modules updated; cenkalti/backoff upgraded from v4 to v5. |
| Observability, storage, and system utilities | v1/go.mod (lines 204–270) | Prometheus, OpenTelemetry, gRPC/Protobuf, sigstore (Fulcio/Rekor), etcd/bbolt, MongoDB, Redis, and Kubernetes API/apiextensions utilities upgraded. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

dependencies, go, maintenance, verified

Suggested reviewers

  • r4f4
  • adolfo-ab
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately summarizes the main change: a security-focused dependency update group affecting the v1 directory with 11 dependency version bumps. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names are static string literals with no dynamic values (fmt.Sprintf, concatenation, UUIDs, timestamps, pod/node names). Test titles are descriptive and deterministic. |
| Test Structure And Quality | ✅ Passed | PR modifies v1/go.mod and test data only. Test files in v1/ use standard Go testing (testify), not Ginkgo. Ginkgo is only in tests/integration tests, which aren't modified. Check not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR only modifies v1/go.mod (dependency versions) with no new Ginkgo e2e tests added. MicroShift test compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR modifies only v1/go.mod (Go module dependencies) and adds no Ginkgo e2e tests. The SNO compatibility check only applies when new tests are added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only Go module dependencies (v1/go.mod), not deployment manifests or operator code. Topology-aware scheduling check is inapplicable. |
| Ote Binary Stdout Contract | ✅ Passed | PR is dependency-only (go.mod/go.sum); no Go source code modified. OTE stdout check targets code-level stdout writes which are not present here. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. The PR only updates Go module dependencies in v1/go.mod, making this check not applicable. |
| No-Weak-Crypto | ✅ Passed | No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) found in code or introduced by dependency updates; no custom crypto or insecure constant-time comparisons detected. |
| Container-Privileges | ✅ Passed | PR only modifies v1/go.mod (Go module dependencies), not container/K8s manifests. No privileged container configurations present or introduced. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR only modifies v1/go.mod and v1/go.sum with dependency version updates. No source code changes or logging statements added; the check is not applicable. |


@openshift-ci openshift-ci Bot added the label needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.) May 28, 2026

openshift-ci Bot commented May 28, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

Inline comments:
In `@v1/go.mod`:
- Around line 235-240: The OpenTelemetry modules (go.opentelemetry.io/otel,
go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/trace) are pinned at v1.38.0 and contain known
vulnerabilities; update all of these module versions to at least v1.43.0 (prefer
exact newer tags such as v1.43.0 or later) in the go.mod entries and regenerate
your dependency metadata (go.sum) so the files contain the correct checksums,
ensuring you pin exact versions/hashes per supply-chain guidelines. Ensure the
version bumps include both the core otel module (go.opentelemetry.io/otel) and
its sdk/exporter/metric/trace submodules (otlptrace, otlptracegrpc, metric, sdk,
trace).
- Line 98: The go.mod pins an insecure indirect dependency
github.com/docker/docker v28.5.2+incompatible; update the module requirement for
github.com/docker/docker to a patched release (minimum v29.3.1) in v1/go.mod,
then run your Go module update/resolve steps (e.g., go get or go mod tidy) to
refresh go.sum and ensure the new version is selected; after updating, re-run
your OSS/vulnerability scan (OSV) to confirm the advisories are resolved.
- Line 253: The dependency google.golang.org/grpc is pinned to v1.78.0 (the
vulnerable version); update the grpc module to a fixed release (>= v1.79.3) by
changing the grpc version entry in the go.mod that currently lists
google.golang.org/grpc v1.78.0 to v1.79.3 (or newer), then run go get
google.golang.org/grpc@v1.79.3 and go mod tidy to refresh go.sum and module
graph and run the project's tests/build to ensure no breakage; ensure any CI
workflows pick up the updated go.mod.
- Line 3: The module declares Go 1.25.0 but the Dockerfile installs
GO_VERSION=go1.23.5, causing a toolchain mismatch; update the Dockerfile's
GO_VERSION variable and any download URL or references to use go1.25.0 (or the
equivalent go1.25.x token you intend) so it matches the module directive in
v1/go.mod, and verify any CI/build scripts that reference GO_VERSION are updated
as well.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ef74815c-fd50-4426-8917-31502eb2f176

📥 Commits

Reviewing files that changed from the base of the PR and between f5796a9 and 89fef6d.

⛔ Files ignored due to path filters (1)
  • v1/go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • v1/go.mod

Comment thread v1/go.mod
module github.com/openshift/oc-mirror

go 1.24.0
go 1.25.0
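
Review bot: the go directive rises from 1.24.0 to 1.25.0 and the hunk shows no toolchain line, so with the default GOTOOLCHAIN=auto a builder on an older release (the Dockerfile's GO_VERSION=go1.23.5 discussed in this thread) will try to download go1.25.0 at build time and fail wherever the build has no network access, while GOTOOLCHAIN=local fails outright. Suggest either raising GO_VERSION in the Dockerfile to match, or, if none of the bumped modules actually requires Go 1.25, keeping `go 1.24.0` so that a security-update PR does not also raise the language version.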

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "go.mod directive:"
rg -n '^go\s+[0-9]+\.[0-9]+' v1/go.mod

echo
echo "Dockerfile Go version references:"
rg -n 'GO_VERSION=go[0-9]+\.[0-9]+(\.[0-9]+)?|/usr/local/go/bin/go version|golang.org/dl/' Dockerfile

Repository: openshift/oc-mirror

Length of output: 383


Toolchain mismatch: v1/go.mod requires Go 1.25.0 but Dockerfile installs go1.23.5

v1/go.mod sets go 1.25.0 (line 3), while the Dockerfile sets GO_VERSION=go1.23.5 and downloads that toolchain from golang.org/dl/. Align the Dockerfile Go version with the module directive to prevent CI/release build/test failures.

go 1.25.0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v1/go.mod` at line 3, The module declares Go 1.25.0 but the Dockerfile
installs GO_VERSION=go1.23.5, causing a toolchain mismatch; update the
Dockerfile's GO_VERSION variable and any download URL or references to use
go1.25.0 (or the equivalent go1.25.x token you intend) so it matches the module
directive in v1/go.mod, and verify any CI/build scripts that reference
GO_VERSION are updated as well.

Comment thread v1/go.mod
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v27.5.0+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/docker/docker v28.5.2+incompatible // indirect
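
Review bot: github.com/docker/docker stays `// indirect`, so the v28.5.2+incompatible selected here is whatever the direct dependencies bumped in this PR (github.com/docker/cli 29.2.0+incompatible, github.com/containerd/containerd 1.7.32) require, not a choice made in v1/go.mod; a hand-edited pin to v29.3.1 only sticks if `go mod tidy` keeps it, so confirm with `go mod why -m github.com/docker/docker` and `go list -m all` after the bump. Note also that `+incompatible` marks a module version without its own go.mod, so minimal version selection cannot see that module's requirements. From this thread: GHSA-rg2x-37c3-w2rh reports no fixed release on this module path as of May 2026, so the OSV scan will not come back clean on a version bump alone and that advisory needs an exposure assessment against its preconditions (a running daemon, a container with volume mounts, and a docker cp into it) instead.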

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify advisories for docker module version from osv.dev
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq '{vuln_ids: [.vulns[]?.id], count: (.vulns|length)}'

Repository: openshift/oc-mirror

Length of output: 275


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Confirm the dependency/version actually exists at the referenced location
echo "== v1/go.mod: line 90-110 =="
nl -ba v1/go.mod | sed -n '90,110p'

echo
echo "== rg occurrences =="
rg -n "github.com/docker/docker" v1/go.mod

Repository: openshift/oc-mirror

Length of output: 153


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== v1/go.mod: lines 90-110 =="
awk 'NR>=90 && NR<=110 {printf "%d:%s\n", NR, $0}' v1/go.mod

echo
echo "== rg occurrences in v1/go.mod =="
rg -n "github.com/docker/docker" v1/go.mod

Repository: openshift/oc-mirror

Length of output: 1620


🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq '
  {count:(.vulns|length),
   vulns:(.vulns[] | {
     id,
     severity,
     source: .aliases[0]? // empty,
     cvss: (.cvss // .severity?.score? // empty)
   })}'

Repository: openshift/oc-mirror

Length of output: 252


🏁 Script executed:

#!/bin/bash
set -euo pipefail

resp="$(curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }')"

echo "== OSV response vuln count =="
echo "$resp" | jq '.vulns | length'

echo
echo "== OSV response first vuln object (structure) =="
echo "$resp" | jq '.vulns[0]'

Repository: openshift/oc-mirror

Length of output: 5001


🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq -r '
  .vulns[] | [
    .id,
    (.database_specific.severity // "UNKNOWN"),
    (.severity? // empty),
    (.aliases // [] | join(","))] | @tsv
'

Repository: openshift/oc-mirror

Length of output: 138


🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq '
  {count:(.vulns|length),
   vulns:[.vulns[] | {id, db_severity:(.database_specific.severity//"UNKNOWN"), cvss:(.severity//[])}]}'

Repository: openshift/oc-mirror

Length of output: 1365


🏁 Script executed:

#!/bin/bash
set -euo pipefail

resp="$(curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }')"

echo "$resp" | jq -r '
  .vulns[] |
  {
    id,
    sev:(.database_specific.severity // "UNKNOWN"),
    range:((.affected[]?.database_specific.last_known_affected_version_range) // ""),
    fixed:((.affected[]?.ranges[]?.events[]?.fixed) // empty)
  } | @json
'

Repository: openshift/oc-mirror

Length of output: 834


🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq -r '
  .vulns[] |
  {
    id,
    sev:(.database_specific.severity // "UNKNOWN"),
    summary:(.summary // ""),
    aliases:(.aliases // []) | map(select(startswith("CVE-"))),
    fixed:((.affected[]?.ranges[]?.events[]?.fixed) // null)
  } | @json
'

Repository: openshift/oc-mirror

Length of output: 1726


🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq -r '
  .vulns[] | {id, database_sev:(.database_specific.severity//"UNKNOWN"), aliases:(.aliases//[])} as $v
  | ($v + {
      fixed_for_docker: (
        [ .affected[]? 
          | select(.package.name=="github.com/docker/docker")
          | .ranges[]?.events[]?.fixed? ] | unique | join(", ")
      ),
      last_affected_range_for_docker: (
        [ .affected[]?
          | select(.package.name=="github.com/docker/docker")
          | .database_specific.last_known_affected_version_range? ] | unique | join(", ")
      )
    })
  | @json
'

Repository: openshift/oc-mirror

Length of output: 1119


🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"github.com/docker/docker","ecosystem":"Go"},
    "version":"28.5.2+incompatible"
  }' | jq -r '
  .vulns[] | {
    id,
    db_severity:(.database_specific.severity//"UNKNOWN"),
    aliases:(.aliases//[]),
    affected_for_docker: [
      .affected[]?
      | select(.package.name=="github.com/docker/docker")
      | {
          range: ( .ranges[]? | {type, last:(.database_specific.last_known_affected_version_range//null), fixed: (.events[]?.fixed//null)} )
        }
    ] }'

Repository: openshift/oc-mirror

Length of output: 1834


Bump github.com/docker/docker from v28.5.2+incompatible (OSV reports HIGH vulns)

v1/go.mod line 98 pins github.com/docker/docker v28.5.2+incompatible // indirect, which OSV flags with 7 advisories (3 HIGH, 2 MODERATE, 2 UNKNOWN), including:

Upgrade to a patched release (at least >= 29.3.1) and re-check OSV for the target github.com/docker/docker version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v1/go.mod` at line 98, The go.mod pins an insecure indirect dependency
github.com/docker/docker v28.5.2+incompatible; update the module requirement for
github.com/docker/docker to a patched release (minimum v29.3.1) in v1/go.mod,
then run your Go module update/resolve steps (e.g., go get or go mod tidy) to
refresh go.sum and ensure the new version is selected; after updating, re-run
your OSS/vulnerability scan (OSV) to confirm the advisories are resolved.
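
The scripts in this thread spend several iterations coaxing jq into extracting severities, aliases and fixed versions from OSV's query response. As an added example (not oc-mirror's code and not CodeRabbit's), here is the same reduction in Go, run against a constructed response shaped like OSV's reply for google.golang.org/grpc 1.78.0: the advisory ids and the 1.79.3 fix are the ones quoted in this thread, every other field is illustrative. The `Summarize` and `MinimumSafeVersion` names and the `versionKey` ordering helper are assumptions of this example, not OSV or Go tooling APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// osvResponse is the subset of the OSV v1/query reply used here; encoding/json matches names case-insensitively, so only database_specific needs a tag.
type osvResponse struct {
	Vulns []struct {
		ID               string
		Aliases          []string
		DatabaseSpecific struct{ Severity string } `json:"database_specific"`
		Affected         []struct {
			Package struct{ Name string }
			Ranges  []struct{ Events []struct{ Fixed string } }
		}
	}
}

// Finding is one advisory reduced to what a go.mod bump decision needs.
type Finding struct {
	ID       string
	Aliases  []string // CVE-* / GO-* ids as OSV lists them, nil if none
	Severity string   // database_specific.severity as GHSA records it, "" if absent
	Fixed    []string // fixed versions recorded for the queried module, ascending
}

// versionKey maps "v1.79.3" or "28.5.2+incompatible" to one comparable integer; anything after "+" or "-" is dropped.
func versionKey(v string) int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	var parts [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		parts[i], _ = strconv.Atoi(p)
	}
	return parts[0]*1e8 + parts[1]*1e4 + parts[2]
}

// Summarize reduces an OSV query response to one Finding per advisory, keeping only fixed events recorded for the queried module.
func Summarize(body []byte, module string) ([]Finding, error) {
	var resp osvResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode OSV response: %w", err)
	}
	var out []Finding
	for _, v := range resp.Vulns {
		f := Finding{ID: v.ID, Aliases: v.Aliases, Severity: v.DatabaseSpecific.Severity}
		for _, aff := range v.Affected {
			if aff.Package.Name != module {
				continue // one advisory may cover several modules
			}
			for _, r := range aff.Ranges {
				for _, e := range r.Events {
					if e.Fixed != "" {
						f.Fixed = append(f.Fixed, e.Fixed)
					}
				}
			}
		}
		sort.Slice(f.Fixed, func(i, j int) bool { return versionKey(f.Fixed[i]) < versionKey(f.Fixed[j]) })
		out = append(out, f)
	}
	return out, nil
}

// MinimumSafeVersion is the lowest version at or above every finding's newest fix, or "" when some advisory records no fix (no bump alone clears the scan then).
func MinimumSafeVersion(findings []Finding) string {
	best := ""
	for _, f := range findings {
		if len(f.Fixed) == 0 {
			return ""
		}
		if newest := f.Fixed[len(f.Fixed)-1]; versionKey(best) < versionKey(newest) {
			best = newest
		}
	}
	return best
}

// sampleGRPC is a constructed reply shaped like OSV's answer for google.golang.org/grpc 1.78.0:
// the ids and the 1.79.3 fix are the ones quoted in this thread, every other field is illustrative.
const sampleGRPC = `{"vulns":[
 {"id":"GHSA-p77j-4mvh-x3m3","aliases":["CVE-2026-33186","GO-2026-4762"],"database_specific":{"severity":"CRITICAL"},
  "affected":[{"package":{"name":"google.golang.org/grpc","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.79.3"}]}]}]},
 {"id":"GO-2026-4762","aliases":["CVE-2026-33186"],
  "affected":[{"package":{"name":"google.golang.org/grpc","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.79.3"}]}]}]}]}`

func main() {
	findings, _ := Summarize([]byte(sampleGRPC), "google.golang.org/grpc")
	fmt.Printf("%+v\nminimum safe version: %s\n", findings, MinimumSafeVersion(findings))
}
```

Two design points matter for a dependency review: fixed events are filtered by the queried module name because one advisory can list several affected packages, and `MinimumSafeVersion` returns an empty string as soon as any advisory has no fixed event, which is exactly the docker/docker situation described in this thread, where a bump cannot by itself produce a clean scan.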

Comment thread v1/go.mod
Comment on lines +235 to +240
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/sdk v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
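
Review bot: these six go.opentelemetry.io/otel modules are released together and are all `// indirect`, so bump them to one tag (the thread settles on >= v1.43.0, which covers GHSA-mh2q-q3fh-2475 in otel and GHSA-9h8m-3fm2-qjrq / GHSA-hfvc-g4fc-pqhx in otel/sdk) rather than letting `go get` raise them piecemeal. Before treating this as a Critical blocker for oc-mirror, run `govulncheck ./...` in v1/: unlike the per-module OSV queries in this thread it uses the call graph, so it says whether the baggage propagator's inbound-header extraction or the sdk code behind the PATH-hijack advisories is reachable from this binary; an unreachable finding still justifies the bump but not a merge block.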

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify advisories for otel from osv.dev
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"go.opentelemetry.io/otel","ecosystem":"Go"},
    "version":"1.38.0"
  }' | jq '{vuln_ids: [.vulns[]?.id], count: (.vulns|length)}'

Repository: openshift/oc-mirror

Length of output: 127


🏁 Script executed:

#!/bin/bash
set -euo pipefail

modules=(
  "go.opentelemetry.io/otel"
  "go.opentelemetry.io/otel/exporters/otlp/otlptrace"
  "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
  "go.opentelemetry.io/otel/metric"
  "go.opentelemetry.io/otel/sdk"
  "go.opentelemetry.io/otel/trace"
)

version="1.38.0"

for m in "${modules[@]}"; do
  echo "== $m@$version =="
  resp="$(curl -s https://api.osv.dev/v1/query \
    -H 'Content-Type: application/json' \
    -d "{\"package\":{\"name\":\"$m\",\"ecosystem\":\"Go\"},\"version\":\"$version\"}")"
  echo "$resp" | jq -r '
    if (.vulns|length)==0 then "NO_VULNS"
    else .vulns[]
      | .id as $id
      | "\($id) | severity=\(.severity // "n/a") | summary=\(.summary // (.details // "") | tostring)"
    end
  '
  # Also dump full fields for any vuln returned (kept small by filtering keys)
  echo "$resp" | jq -c '
    if (.vulns|length)==0 then {}
    else {vulns: [.vulns[] | {id, summary, severity, details, affected: (.affected // empty)}]}
    end
  '
  echo
done

Repository: openshift/oc-mirror

Length of output: 9473


🌐 Web query:

GHSA-mh2q-q3fh-2475 allocation amplification DoS fixed version OpenTelemetry Go

💡 Result:

GHSA-mh2q-q3fh-2475 is an OpenTelemetry-Go issue where multi-value W3C baggage header extraction can cause excessive allocations/CPU, enabling remote DoS-style amplification. The vulnerability affects versions before the fix and is fixed in OpenTelemetry-Go 1.41.0. [1][2] What’s happening (root cause) When extracting baggage from an HTTP carrier that supports multiple values, extractMultiBaggage iterates over all inbound baggage header field-values, parses each value independently, and aggregates members across values. Even though there is a per-value parsing cap (8192 bytes), the multi-value path repeats parsing/aggregation once per header line, so attackers can increase CPU and allocations by sending many baggage: headers within the overall request header size limits. [1] Where the fix lands / fixed version NVD states the issue is fixed in OpenTelemetry-Go 1.41.0 (affected range 1.36.0 up to excluding 1.41.0). [2] Practical mitigation / upgrade guidance Upgrade the go.opentelemetry.io/otel / OpenTelemetry-Go libraries to 1.41.0 or later to include the patch. [2] If you want additional defense-in-depth, the advisory recommends avoiding repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing (e.g., cap total parsed bytes across all baggage headers). [1] Supporting evidence (authoritative sources) The advisory describes the multi-value baggage extraction behavior, attacker-controlled input (multiple inbound baggage headers), and the remote allocation amplification effect. [1]


Fix OpenTelemetry v1.38.0 vulnerabilities in v1/go.mod (lines 235-240)

  • go.opentelemetry.io/otel v1.38.0, GHSA-mh2q-q3fh-2475: multi-value W3C baggage extraction causes allocation-amplification remote DoS; fixed in go.opentelemetry.io/otel / OpenTelemetry-Go v1.41.0.
  • go.opentelemetry.io/otel/sdk v1.38.0, GHSA-9h8m-3fm2-qjrq and GHSA-hfvc-g4fc-pqhx: PATH hijacking / arbitrary code execution on affected OSes; fixed in v1.40.0 and v1.43.0 respectively.

Upgrade the pinned OTel modules to ≥ v1.43.0 (and pin exact versions/hashes per supply-chain guidelines).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v1/go.mod` around lines 235 - 240, The OpenTelemetry modules
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/trace) are pinned at v1.38.0 and contain known
vulnerabilities; update all of these module versions to at least v1.43.0 (prefer
exact newer tags such as v1.43.0 or later) in the go.mod entries and regenerate
your dependency metadata (go.sum) so the files contain the correct checksums,
ensuring you pin exact versions/hashes per supply-chain guidelines. Ensure the
version bumps include both the core otel module (go.opentelemetry.io/otel) and
its sdk/exporter/metric/trace submodules (otlptrace, otlptracegrpc, metric, sdk,
trace).

Comment thread v1/go.mod
google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
google.golang.org/grpc v1.78.0 // indirect
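
Review bot: google.golang.org/grpc is `// indirect`, and GHSA-p77j-4mvh-x3m3 as described in this thread is a server-side check (a non-canonical :path reaching authz interceptors), so whether oc-mirror ever serves gRPC decides the urgency but not the action: bump to >= v1.79.3 with `go get google.golang.org/grpc@v1.79.3` followed by `go mod tidy`, and expect tidy to possibly move the google.golang.org/genproto/googleapis/* pseudo-versions on the lines above as well. The advisory's own mitigations quoted below (default-deny authorization policies, strict HTTP/2 handling at fronting proxies) apply independently of the bump.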

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify grpc advisories for pinned version from osv.dev
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"name":"google.golang.org/grpc","ecosystem":"Go"},
    "version":"1.78.0"
  }' | jq '{vuln_ids: [.vulns[]?.id], count: (.vulns|length)}'

Repository: openshift/oc-mirror

Length of output: 147


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) OSV: grpc v1.78.0 (get vuln details to assess impact/severity)
grpc_resp="$(curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"google.golang.org/grpc","ecosystem":"Go"},"version":"1.78.0"}')"

echo "$grpc_resp" | jq -r '.vulns[].id' > /tmp/osv_grpc_ids.txt

echo "grpc v1.78.0 OSV vuln IDs:"
cat /tmp/osv_grpc_ids.txt

echo "grpc v1.78.0 OSV vuln detail summaries:"
while read -r id; do
  curl -s https://api.osv.dev/v1/vuln/$id -H 'Accept: application/json' \
    | jq -r --arg id "$id" '
        {
          id: $id,
          details: (
            (.details // .aliases // empty) | tostring
          ),
          severity: (
            .severity[]? | . // empty
          ),
          affected: (
            (.affected // empty) | {packages: ( .packages // empty)}
          )
        }
        | .severity? ,
        "----"
      '
done < /tmp/osv_grpc_ids.txt

# 2) OSV: docker/docker 28.5.2+incompatible
docker_resp="$(curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"github.com/docker/docker","ecosystem":"Go"},"version":"28.5.2+incompatible"}')"

echo
echo "docker/docker 28.5.2+incompatible OSV response:"
echo "$docker_resp" | jq '{vuln_ids: [.vulns[]?.id], count: (.vulns|length)}'
echo "$docker_resp" | jq -r '.vulns[].id' > /tmp/osv_docker_ids.txt

echo "docker/docker v28.5.2+incompatible OSV vuln IDs:"
cat /tmp/osv_docker_ids.txt

# Show minimal details (just severity + summary/description fields) for each docker vuln id
echo "docker/docker v28.5.2+incompatible OSV vuln brief:"
while read -r id; do
  curl -s https://api.osv.dev/v1/vuln/$id -H 'Accept: application/json' \
    | jq -r --arg id "$id" '
        {
          id: $id,
          summary: (.summary // empty),
          details: (.details // empty),
          affected: (.affected // empty | {ecosystem: (.ecosystem // empty)}),
          severity: (.severity // empty),
          references: ((.references // []) | map(.url) | .[0:3])
        } | @json
      '
done < /tmp/osv_docker_ids.txt

# 3) OSV: otel v1.38.0
otel_resp="$(curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"go.opentelemetry.io/otel","ecosystem":"Go"},"version":"1.38.0"}')"

echo
echo "go.opentelemetry.io/otel 1.38.0 OSV response:"
echo "$otel_resp" | jq '{vuln_ids: [.vulns[]?.id], count: (.vulns|length)}'
echo "$otel_resp" | jq -r '.vulns[].id' > /tmp/osv_otel_ids.txt

echo "go.opentelemetry.io/otel v1.38.0 OSV vuln IDs:"
cat /tmp/osv_otel_ids.txt

echo "go.opentelemetry.io/otel v1.38.0 OSV vuln brief:"
while read -r id; do
  curl -s https://api.osv.dev/v1/vuln/$id -H 'Accept: application/json' \
    | jq -r --arg id "$id" '
        {
          id: $id,
          summary: (.summary // empty),
          details: (.details // empty),
          severity: (.severity // empty),
          references: ((.references // []) | map(.url) | .[0:3])
        } | @json
      '
done < /tmp/osv_otel_ids.txt

# 4) Confirm go.mod directive and Dockerfile GO_VERSION
echo
echo "Find go.mod Go version directive:"
rg -n '^go\s+[0-9]+\.[0-9]+' v1/go.mod || true

echo
echo "Find Dockerfile GO_VERSION setting:"
# locate Dockerfile(s) containing GO_VERSION
dockerfile_matches="$(rg -n 'GO_VERSION=go1\.' -S Dockerfile* **/Dockerfile* 2>/dev/null || true)"
echo "$dockerfile_matches" | head -n 50

# Also show the specific snippet around any match
if [ -n "$dockerfile_matches" ]; then
  file="$(echo "$dockerfile_matches" | head -n1 | cut -d: -f1)"
  line="$(echo "$dockerfile_matches" | head -n1 | cut -d: -f2)"
  start=$((line-15))
  end=$((line+15))
  echo
  echo "Snippet from $file around line $line:"
  sed -n "${start},${end}p" "$file" | nl -ba | sed -n "1,60p"
fi

# 5) Confirm grpc version line in go.mod
echo
echo "Verify grpc line in v1/go.mod:"
rg -n 'google\.golang\.org/grpc\s+v' v1/go.mod

Repository: openshift/oc-mirror

Length of output: 1161


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Helper: print concise OSV vuln fields
print_vuln () {
  local id="$1"
  echo "== $id =="
  curl -s "https://api.osv.dev/v1/vuln/$id" \
    -H 'Accept: application/json' \
  | jq -r '
    {
      id: .id,
      summary: (.summary // empty),
      severity: (.severity // empty),
      aliases: (.aliases // empty),
      details_preview: (
        ((.details // [] | .[]?) | tostring) // empty
      )
    }
    ' | head -n 30
  echo
}

# OSV: grpc v1.78.0 (IDs from earlier query)
print_vuln "GHSA-p77j-4mvh-x3m3"
print_vuln "GO-2026-4762"

# OSV: docker/docker 28.5.2+incompatible (IDs from earlier query)
for id in \
  "GHSA-pxq6-2prw-chj9" \
  "GHSA-rg2x-37c3-w2rh" \
  "GHSA-vp62-88p7-qqf5" \
  "GHSA-x744-4wpc-v9h2" \
  "GHSA-x86f-5xw2-fm2r" \
  "GO-2026-4883" \
  "GO-2026-4887"
do
  print_vuln "$id"
done

# OSV: go.opentelemetry.io/otel 1.38.0 (IDs from earlier query)
print_vuln "GHSA-mh2q-q3fh-2475"

echo "----"
echo "go directive in v1/go.mod:"
rg -n '^go\s+[0-9]+\.[0-9]+' v1/go.mod || true

echo "----"
echo "grpc version line in v1/go.mod:"
rg -n 'google\.golang\.org/grpc\s+v' v1/go.mod || true

echo "----"
echo "Dockerfile GO_VERSION occurrences (around matches):"
rg -n 'GO_VERSION=go1\.' Dockerfile **/Dockerfile* 2>/dev/null || true

match_line="$(rg -n 'GO_VERSION=go1\.23\.5' Dockerfile **/Dockerfile* 2>/dev/null | head -n1 || true)"
if [ -n "$match_line" ]; then
  file="$(echo "$match_line" | cut -d: -f1)"
  line="$(echo "$match_line" | cut -d: -f2)"
  start=$((line-12))
  end=$((line+12))
  echo "Snippet from $file:$line:"
  sed -n "${start},${end}p" "$file"
fi

Repository: openshift/oc-mirror

Length of output: 1833


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Dump key OSV fields for a specific id (small, structured)
show_osv () {
  local id="$1"
  echo "=== $id (key fields) ==="
  curl -s "https://api.osv.dev/v1/vuln/$id" \
    -H 'Accept: application/json' \
  | jq -r '
      {
        id: .id,
        aliases: (.aliases // []),
        summary: .summary,
        details: (.details // [] | map(. | tostring) | .[0:3]),
        severity: (.severity // [] | map(. // {}) | .[0:5]),
        affected: (.affected // [] | map({package: (.package // {}), ranges: (.ranges // [])}) | .[0:3]),
        references: ((.references // []) | map(.url) | .[0:5])
      } | @json
    '
  echo
}

# IDs observed from earlier OSV query results
show_osv "GHSA-p77j-4mvh-x3m3"
show_osv "GO-2026-4762"
show_osv "GHSA-mh2q-q3fh-2475"
for id in "GHSA-pxq6-2prw-chj9" "GHSA-rg2x-37c3-w2rh" "GHSA-vp62-88p7-qqf5" "GHSA-x744-4wpc-v9h2" "GHSA-x86f-5xw2-fm2r" "GO-2026-4883" "GO-2026-4887"; do
  show_osv "$id"
done

# 2) Inspect v1/go.mod for any toolchain directive and current go directive(s)
echo "=== v1/go.mod go/toolchain directives ==="
rg -n '^(go|toolchain)\s+' v1/go.mod || true

# 3) Confirm grpc version line in go.mod (and whether any other grpc versions exist)
echo "=== grpc versions found in v1/go.mod ==="
rg -n 'google\.golang\.org/grpc\s+v' v1/go.mod || true

Repository: openshift/oc-mirror

Length of output: 1575


🏁 Script executed:

#!/bin/bash
set -euo pipefail

ids=("GHSA-p77j-4mvh-x3m3" "GO-2026-4762" "GHSA-mh2q-q3fh-2475")

for id in "${ids[@]}"; do
  echo "=== Raw OSV response for $id ==="
  resp_file="/tmp/osv_${id}.json"
  http_code="$(curl -sS -o "$resp_file" -w "%{http_code}" \
    "https://api.osv.dev/v1/vuln/$id" \
    -H 'Accept: application/json')"
  echo "HTTP: $http_code"
  echo "Top-level keys (jq keys):"
  jq 'keys' "$resp_file" || true
  echo "First 40 lines of JSON:"
  head -n 40 "$resp_file" || true
  echo
done

echo "=== Check grpc OSV query endpoint response structure (v1/query) ==="
curl -sS "https://api.osv.dev/v1/query" \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"google.golang.org/grpc","ecosystem":"Go"},"version":"1.78.0"}' \
| jq 'keys, {vulns_count:(.vulns|length), vulns_ids: ([.vulns[]?.id])}' || true

Repository: openshift/oc-mirror

Length of output: 856


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Dump OSV v1/query response objects for the returned IDs (limit size)
dump_query () {
  local pkg_name="$1"
  local version="$2"
  local out="/tmp/osv_query_${pkg_name//\//_}_${version}.json"
  echo "== Query: $pkg_name $version =="
  curl -sS -o "$out" https://api.osv.dev/v1/query \
    -H 'Content-Type: application/json' \
    -d "{\"package\":{\"name\":\"$pkg_name\",\"ecosystem\":\"Go\"},\"version\":\"$version\"}"
  jq '{vulns: ([.vulns[]? | {id: .id, aliases: .aliases, summary: .summary, severity: .severity, details: (.details // [] | length)}])}' "$out"
  echo
  # Also print first vuln object raw keys to see what fields exist
  jq -r '.vulns[0] | keys' "$out" 2>/dev/null || true
}

dump_query "google.golang.org/grpc" "1.78.0"
dump_query "github.com/docker/docker" "28.5.2+incompatible"
dump_query "go.opentelemetry.io/otel" "1.38.0"

Repository: openshift/oc-mirror

Length of output: 4317


🌐 Web query:

GHSA-p77j-4mvh-x3m3 grpc auth bypass severity

💡 Result:

The vulnerability GHSA-p77j-4mvh-x3m3, also identified as CVE-2026-33186, is classified as a Critical severity issue [1][2][3]. It has a CVSS v3.1 base score of 9.1 [2][3]. This vulnerability is an authorization bypass in gRPC-Go resulting from improper input validation of the HTTP/2 :path pseudo-header [1][4]. gRPC-Go servers were previously too permissive, allowing requests where the :path header omitted the mandatory leading slash (e.g., using 'Service/Method' instead of '/Service/Method') [3][4]. Because authorization interceptors (such as the official grpc/authz package or those relying on info.FullMethod) evaluated the raw, non-canonical path string, security policies using "deny" rules for canonical paths (starting with /) failed to match these malformed requests [3][4][5]. If a fallback "allow" rule existed, the request would be incorrectly permitted [4][5]. The issue has been patched; updated versions of gRPC-Go ensure that requests with a :path missing the leading slash are rejected with a codes.Unimplemented error [4][5]. Users are also advised to ensure any fronting reverse proxies or load balancers enforce strict HTTP/2 compliance and to adopt a "default deny" posture in authorization policies where possible [4][5].


🌐 Web query:

GO-2026-4762 grpc advisory

💡 Result:

GO-2026-4762 is a Go vulnerability report identifier corresponding to CVE-2026-33186, which describes an authorization bypass vulnerability in the gRPC-Go library (google.golang.org/grpc) [1][2][3]. This vulnerability arises from improper input validation of the HTTP/2 :path pseudo-header [4][3]. Specifically, the gRPC-Go server was found to be too lenient when routing requests, accepting :path values that lacked the mandatory leading slash (e.g., Service/Method instead of /Service/Method) [4][3]. While the server would still route these requests to the correct handler, authorization interceptors (such as those using the official grpc/authz package) would evaluate the raw, non-canonical path string [4][3]. If a security policy relied on canonical paths (starting with /) for "deny" rules but allowed other requests by default, this discrepancy allowed an attacker to bypass the authorization policy [4][3]. The vulnerability is addressed in gRPC-Go version 1.79.3, which enforces strict path checking and rejects any request where the :path does not begin with a leading slash, returning a codes.Unimplemented error [4][3]. Users are strongly advised to upgrade to version 1.79.3 or newer [1][4][5]. If an immediate upgrade is not feasible, temporary mitigations include implementing custom validating interceptors, infrastructure-level path normalization, or hardening security policies [3].


🌐 Web query:

GHSA-mh2q-q3fh-2475 go.opentelemetry.io/otel 1.38.0 severity impact

💡 Result:

GHSA-mh2q-q3fh-2475 is a security advisory for the OpenTelemetry Go implementation regarding excessive memory and CPU consumption during baggage header extraction [1][2]. Vulnerability Impact: The vulnerability allows for a remote denial-of-service (DoS) amplification attack [1][2]. By sending an inbound HTTP request containing many baggage header field-values, an attacker can trigger repeated, independent parsing and aggregation of these headers [1][2]. Because the library parses each field-value independently, this process can lead to significant per-request memory allocations and increased CPU latency, even if each individual header value stays within the 8192-byte parsing limit [1][2]. Technical Details: The issue is located in the propagation/baggage.go file within the extractMultiBaggage function [1][2]. Under default net/http configurations—which may allow up to 1MB of header data—a single crafted request can cause excessive work for the server [1][2]. Mitigation and Remediation: To remediate this, it is recommended to ensure your project is using a patched version of the OpenTelemetry Go library [1][2]. The vulnerability was addressed by ensuring that multi-value baggage headers are handled efficiently, such as by normalizing them into a single string or enforcing a global byte budget across all header values before parsing [1][2]. Regarding your specific mention of go.opentelemetry.io/otel version 1.38.0: While version 1.38.0 is a known release in the OpenTelemetry Go ecosystem, this specific advisory (GHSA-mh2q-q3fh-2475) highlights a vulnerability found in the library's baggage extraction logic [1][2]. Users should verify their current version and upgrade to a release where this behavior has been corrected to prevent the described DoS amplification [1][2].


🌐 Web query:

GHSA-pxq6-2prw-chj9 github.com/docker/docker severity impact

💡 Result:

GHSA-pxq6-2prw-chj9 is a security vulnerability in Moby (the open-source container framework used by Docker) concerning an off-by-one error in plugin privilege validation [1][2]. Severity and Impact - Severity: Moderate [1][2][3]. It has a CVSS v3.1 base score of 6.8 [1][2][3]. - Impact: The vulnerability allows the plugin privilege validation to be bypassed during the docker plugin install process [1][2]. Because of an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a set of privileges that differs from what the user intended to approve [1][2]. In cases where a plugin requests exactly one privilege, no comparison is performed at all [1][2]. This could potentially allow a malicious plugin to obtain sensitive permissions, such as broad device access [1][2]. - Prerequisites for Exploitation: Exploitation requires a user to install a malicious plugin [1][2]. If plugins are not in use, the system is not affected [1][2]. Additionally, Docker Desktop does not support plugins [1][2]. Remediation - Patch: The vulnerability was addressed in Moby version 29.3.1 [3][4]. Users are advised to upgrade to this version or newer [4]. - Workarounds: If an immediate update is not possible, users should avoid installing plugins from untrusted sources, carefully review all requested privileges during installation, restrict access to the Docker daemon to trusted parties (following the principle of least privilege), and avoid relying on the plugin privilege approval flow as a sole security boundary [5].


🌐 Web query:

GHSA-rg2x-37c3-w2rh github.com/docker/docker severity impact

💡 Result:

GHSA-rg2x-37c3-w2rh is a security advisory concerning a race condition in the docker cp command within github.com/docker/docker [1][2]. Severity: The vulnerability is classified as High severity, with a CVSS v3.1 score of 7.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H) [2]. Impact: The race condition allows a malicious container to redirect a volume bind mount to an arbitrary path on the host system [1][2]. The specific impact depends on the mount options and content of the volume [2]: - If the volume is writable, a malicious container could potentially overwrite arbitrary files on the host [2]. - If the volume is read-only, the host path may be masked for the duration of the docker cp operation, resulting in a denial of service (DoS) [2]. - The mount created is temporary and is removed after the docker cp operation completes; however, any file writes performed during this time persist on the host [2]. Conditions for exploitation include: - The container must have at least one volume mount [2]. - A process inside the container must be able to rapidly create and swap symlinks at the volume mount destination path [2]. - An operator must perform a docker cp operation into the container or interact with the PUT/HEAD /containers/{id}/archive API endpoints [2]. Containers without volume mounts are not affected [2]. As of May 2026, the vulnerability affects github.com/docker/docker versions <= 28.5.2, with no upstream release currently available to fix this specific module path [3].


Blocker: upgrade google.golang.org/grpc v1.78.0 (critical auth bypass)
v1/go.mod pins google.golang.org/grpc to v1.78.0 (OSV: GHSA-p77j-4mvh-x3m3 / CVE-2026-33186), a Critical authorization bypass in gRPC-Go via missing leading slash in the HTTP/2 :path pseudo-header. Upgrade to the fixed gRPC-Go release (per the advisory, >= v1.79.3) before merge.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v1/go.mod` at line 253, The dependency google.golang.org/grpc is pinned to
v1.78.0 (the vulnerable version); update the grpc module to a fixed release (>=
v1.79.3) by changing the grpc version entry in the go.mod that currently lists
google.golang.org/grpc v1.78.0 to v1.79.3 (or newer), then run go get
google.golang.org/grpc@v1.79.3 and go mod tidy to refresh go.sum and module
graph and run the project's tests/build to ensure no breakage; ensure any CI
workflows pick up the updated go.mod.
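
The web-query results in this comment describe the bypass mechanics (a deny rule written for `/Service/Method` never matches a raw `Service/Method`, and a permissive default then allows it) and the two mitigations: reject non-canonical paths before authorization, and adopt default deny. The following is an added Go example that reproduces both in a standalone form; it is neither oc-mirror's code nor the gRPC-Go patch, it uses only the standard library so it runs without the grpc module, and the service and method names (`/Admin/Reset`, `/Echo/Ping`) and the `Policy` type are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath is returned for any :path that is not exactly
// "/Service/Method"; the patched gRPC-Go release rejects such requests with
// codes.Unimplemented, which this stdlib-only stand-in models as an error.
var ErrNonCanonicalPath = errors.New("non-canonical :path, expected /Service/Method")

// ValidateFullMethod accepts only the canonical full-method form: a leading
// slash and two non-empty components, nothing more (no doubled slashes, no
// trailing segment, no query or fragment).
func ValidateFullMethod(path string) error {
	if !strings.HasPrefix(path, "/") {
		return ErrNonCanonicalPath
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" || strings.ContainsAny(path, "?#") {
		return ErrNonCanonicalPath
	}
	return nil
}

// Policy is a minimal authorization model of the kind the advisory describes:
// explicit deny rules keyed by canonical full-method name, plus a default that
// decides everything the deny list does not mention. Hypothetical type.
type Policy struct {
	Deny         map[string]bool
	DefaultAllow bool
}

// DecideUnvalidated evaluates the policy against the path exactly as received.
// This is the bypass shape from the thread: a deny rule written as
// "/Admin/Reset" never matches "Admin/Reset", so a permissive default allows it.
func (p Policy) DecideUnvalidated(path string) bool {
	if p.Deny[path] {
		return false
	}
	return p.DefaultAllow
}

// Decide is the hardened entry point: the path is checked for canonical form
// before the policy is consulted, so deny rules are always compared against
// the form they were written for.
func (p Policy) Decide(path string) (bool, error) {
	if err := ValidateFullMethod(path); err != nil {
		return false, err
	}
	return p.DecideUnvalidated(path), nil
}

func main() {
	// Hypothetical service and method names; the policy shape is the advisory's.
	permissive := Policy{Deny: map[string]bool{"/Admin/Reset": true}, DefaultAllow: true}
	defaultDeny := Policy{Deny: map[string]bool{"/Admin/Reset": true}, DefaultAllow: false}
	for _, path := range []string{"/Admin/Reset", "Admin/Reset", "/Echo/Ping"} {
		hardened, err := permissive.Decide(path)
		fmt.Printf("%-13s raw-permissive=%-5v raw-default-deny=%-5v hardened=%-5v err=%v\n",
			path, permissive.DecideUnvalidated(path), defaultDeny.DecideUnvalidated(path), hardened, err)
	}
}
```

The three rows printed by `main` make the point of the thread concrete: only the combination of a permissive default and raw-path evaluation lets `Admin/Reset` through, a default-deny policy closes it even without the fix, and the validating front door rejects the request before the policy runs at all. The same validation would sit in a unary and stream interceptor in a real gRPC-Go server, which is the "custom validating interceptor" mitigation the quoted advisory text mentions.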

Labels

  • dependencies: Pull requests that update a dependency file
  • go: Pull requests that update Go code
  • needs-ok-to-test: Indicates a PR that requires an org member to verify it is safe to test.

0 participants