@raelga
Collaborator

@raelga raelga commented Dec 16, 2025

Summary

This PR consolidates all pending Dependabot dependency updates across Go modules and GitHub Actions. It addresses 20 Dependabot PRs with 4 critical security vulnerabilities fixed.

🚨 Security Alerts Closed

Golang

  • CVE-2025-58181 (CVSS 5.3 - Medium)

    • Package: golang.org/x/crypto/ssh
    • Issue: SSH GSSAPI unbounded memory consumption
    • Fixed in: v0.46.0 (via v0.45.0)
  • CVE-2025-47914 (CVSS 5.3 - Medium)

    • Package: golang.org/x/crypto/ssh/agent
    • Issue: SSH Agent panic from malformed messages (out of bounds read)
    • Fixed in: v0.46.0 (via v0.45.0)

📦 Changes by Category

Golang Dependencies (5 commits)

1. golang.org/x/crypto: 0.45.0 → 0.46.0 ✅ SECURITY

Commit: 1e2425597

  • Closes: CVE-2025-58181, CVE-2025-47914
  • Security fixes (from v0.45.0):
    • Fixed SSH GSSAPI unbounded memory consumption
    • Fixed SSH Agent panic vulnerability
  • Additional updates:
    • Updated x509roots/fallback certificate bundle
    • Fixed SSH agent test flakiness
    • Upgraded: golang.org/x/sync (0.18.0 → 0.19.0)
    • Upgraded: golang.org/x/sys (0.38.0 → 0.39.0)
    • Upgraded: golang.org/x/term (0.37.0 → 0.38.0)
    • Upgraded: golang.org/x/text (0.31.0 → 0.32.0)
  • Modules: backend, frontend, internal, tooling/templatize, tooling/prometheus-rules
  • Files changed: 26 (all go.mod/go.sum)

2. go.uber.org/mock: 0.5.2 → 0.6.0 🔧 TOOLING

Commit: 46e836d81

  • Key fix: mockgen errors with Go 1.25 compatibility
  • New features:
    • Archive mode for generating mocks from archive files
    • Support for mock names in bazel _gomock_archive rule
  • Modules: backend, frontend, internal
  • Files changed: 6

3. Azure SDK azidentity: 1.12.0 → 1.13.0 ⚡ FEATURES

Commit: 5aa838f86

  • New features:
    • AzurePowerShellCredential for PowerShell authentication
    • Enhanced DefaultAzureCredential with AZURE_TOKEN_CREDENTIALS
    • Redesigned persistent token cache API
    • Improved Pipelines federated auth support
  • Modules: backend, frontend, internal
  • Files changed: 24

4. OpenTelemetry: 1.38.0 → 1.39.0 / 0.62.0 → 0.63.0 📊 OBSERVABILITY

Commit: e2014537f

  • Updated packages:

    • go.opentelemetry.io/otel: v1.38.0 → v1.39.0
    • go.opentelemetry.io/otel/trace: v1.38.0 → v1.39.0
    • go.opentelemetry.io/otel/metric: v1.38.0 → v1.39.0
    • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.62.0 → v0.63.0
  • Key improvements in v1.39.0 (released December 8, 2025):

    • Performance: Greatly reduced cost of recording metrics using hashing for map keys
    • New WithInstrumentationAttributeSet option for concurrent-safe attribute handling
    • Experimental observability for Prometheus exporter
    • Experimental observability metrics in OTLP log exporters
    • Added temporality selector functions (Delta, Cumulative, LowMemory)
    • Improved metric cardinality handling
  • Modules: backend, frontend, internal, test, admin/server, tooling/helmtest, tooling/templatize

  • Files changed: 14

GitHub Actions (1 commit)

8. actions/checkout: various → v6.0.1 🔧 TOOLING

Commit: e0715053e

  • Updated across all workflows for latest features and security fixes
  • Files changed: .github/workflows/*

🔍 Testing & Validation

  • All Go modules synced via go work sync
  • Lint passed: make lint-fix - 0 issues reported
  • Go module tidying: make all-tidy completed successfully
  • CI checks pending

📋 Dependabot PRs Closed (20 total)

Golang (15 PRs)

golang.org/x/crypto (5 PRs):

OpenTelemetry (8 PRs):

Other Go dependencies (2 PRs):

GitHub Actions (1 PR)

📝 Notes

  1. Go Workspace: All 19 modules in go.work properly synced and tested
  2. Commit organization: 8 commits organized by update type (security → observability → tooling → features) for clear audit trail
  3. OpenTelemetry: Updated to latest v1.39.0 (released December 8, 2025) for significant performance improvements
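As an added example (not code from this PR or the project), the following Go program is the kind of gate a reviewer would want for a multi-module go.work tree like the one described above: it parses each go.mod and reports any module still pinned below the golang.org/x/crypto version this PR moves to. The floor of v0.46.0 is taken from the PR's own "Fixed in" line and is an assumption of the example; the two embedded go.mod files (under example.invalid) are constructed inputs, and a real run would read each go.mod in the workspace with os.ReadFile instead.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// MinVersions is the floor each module must meet. The entry is the version this PR
// pins golang.org/x/crypto to; the map itself is an assumption of this example.
var MinVersions = map[string]string{"golang.org/x/crypto": "v0.46.0"}

// Finding records one go.mod whose requirement is still below the floor.
type Finding struct{ File, Module, Have, Want string }

// RequiredVersions parses go.mod text into module path -> required version.
// It handles both `require m v` lines and `require ( ... )` blocks and drops
// trailing comments such as `// indirect` before splitting the line.
func RequiredVersions(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// semverParts reads MAJOR, MINOR, PATCH from "vX.Y.Z"; a -pre/+meta suffix is ignored.
func semverParts(v string) (p [3]int) {
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &p[0], &p[1], &p[2])
	return p
}

// CompareSemver returns -1, 0 or 1. Numeric comparison matters: as plain strings
// "v0.9.0" sorts after "v0.10.0", which would hide an outdated pin.
func CompareSemver(a, b string) int {
	pa, pb := semverParts(a), semverParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Audit checks every go.mod (path -> content) against MinVersions and returns
// the requirements still below the floor, sorted for stable output.
func Audit(mods map[string]string) []Finding {
	var out []Finding
	for file, content := range mods {
		reqs := RequiredVersions(content)
		for module, want := range MinVersions {
			if have, ok := reqs[module]; ok && CompareSemver(have, want) < 0 {
				out = append(out, Finding{file, module, have, want})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].File+out[i].Module < out[j].File+out[j].Module })
	return out
}

// SampleModules is constructed input: one module at the floor, one still below it.
var SampleModules = map[string]string{
	"backend/go.mod":            "module example.invalid/backend\n\ngo 1.24.4\n\nrequire (\n\tgolang.org/x/crypto v0.46.0\n\tgolang.org/x/sys v0.39.0 // indirect\n)\n",
	"tooling/templatize/go.mod": "module example.invalid/tooling/templatize\n\ngo 1.24.4\n\nrequire golang.org/x/crypto v0.44.0\n",
}

func main() {
	// For a real go.work tree, build the map from each go.mod read with os.ReadFile.
	findings := Audit(SampleModules)
	for _, f := range findings {
		fmt.Printf("%s: %s %s is below %s\n", f.File, f.Module, f.Have, f.Want)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a CI step fails while any module lags the floor
	}
}
```

This only checks the versions written in go.mod; the authoritative answer for what a module actually builds against comes from `go list -m all` in each module, and govulncheck reports whether a vulnerable function is reachable at all. The point of the go.mod gate is to catch the case this PR deals with, where a workspace with many modules drifts and one of them keeps an old pin after the others are updated.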

Updates golang.org/x/crypto across all Go modules to address security
vulnerabilities and include latest maintenance updates.

Security fixes included in v0.45.0 (current version before this update):
- CVE-2025-58181 (CVSS 5.3): SSH GSSAPI unbounded memory consumption
- CVE-2025-47914 (CVSS 5.3): SSH Agent panic from malformed messages

Additional updates in v0.46.0:
- Updated golang.org/x dependencies
- Updated x509roots/fallback certificate bundle
- Fixed SSH agent test flakiness
- Upgraded related golang.org/x packages:
  - golang.org/x/sync: 0.18.0 → 0.19.0
  - golang.org/x/sys: 0.38.0 → 0.39.0
  - golang.org/x/term: 0.37.0 → 0.38.0
  - golang.org/x/text: 0.31.0 → 0.32.0

Addresses Dependabot PRs: #3617, #3616, #3615, #3614, #3613

Updates go.uber.org/mock across all Go modules for Go 1.25 compatibility
and new archive mode feature.

Changes in v0.6.0:
- Fixed mockgen errors with Go 1.25 due to outdated golang.org/x/tools dependency
- Added archive mode: generates mocks out of archive files
- Added support for specifying mock names in bazel _gomock_archive rule

This update is important as the project uses Go 1.24.4 and may upgrade
to Go 1.25 in the future.

Addresses Dependabot PRs: #2963, #2961
@openshift-ci openshift-ci bot requested review from bennerv and deads2k December 16, 2025 18:33
@raelga
Collaborator Author

raelga commented Dec 16, 2025

/test verify

@raelga
Collaborator Author

raelga commented Dec 16, 2025

/test verify

@raelga raelga force-pushed the security/fix-dependabot-prs branch from 8f2c6ed to 517ee1e Compare December 16, 2025 19:47
@raelga raelga changed the title security: Fix dependabot prs security: fix dependabot prs Dec 16, 2025
Updates github.com/Azure/azure-sdk-for-go/sdk/azidentity across all
Go modules for new features and improvements.

Changes in v1.13.0:
- Added AzurePowerShellCredential for PowerShell authentication
- Enhanced DefaultAzureCredential behavior with AZURE_TOKEN_CREDENTIALS
  environment variable set to ManagedIdentityCredential
- Redesigned persistent token cache API for better performance
- Improved credential factory support for Pipelines federated auth

This update enhances authentication capabilities and provides better
support for various Azure authentication scenarios.

Addresses Dependabot PR: #3076

Updates actions/checkout across all actions for new features and improvements.

Changes in v6.0.1:
- Update all references from v5 and v4 to v6 by @ericsciple in #2314
- Add worktree support for persist-credentials includeIf by @ericsciple in #2327
- Clarify v6 README by @ericsciple in #2328
- Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248
- Persist creds to a separate file by @ericsciple in actions/checkout#2286
- v6-beta by @ericsciple in actions/checkout#2298
- update readme/changelog for v6 by @ericsciple in actions/checkout#2311

Addresses Dependabot PR: #3373

Signed-off-by: Rael Garcia <rael@redhat.com>
@raelga raelga force-pushed the security/fix-dependabot-prs branch from 517ee1e to 80014c4 Compare December 16, 2025 19:58
@raelga
Collaborator Author

raelga commented Dec 16, 2025

/test e2e-parallel

@raelga
Collaborator Author

raelga commented Dec 16, 2025

/test e2e-parallel

@raelga raelga added ai-assisted AI/LLM tool was used to help create this MR go Pull requests that update Go code github_actions Pull requests that update GitHub Actions code labels Dec 16, 2025
@hbhushan3
Collaborator

/lgtm
/approve

@openshift-ci

openshift-ci bot commented Dec 16, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hbhushan3, raelga

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@raelga
Collaborator Author

raelga commented Dec 17, 2025

/test e2e-parallel

@raelga
Collaborator Author

raelga commented Dec 17, 2025

/test e2e-parallel

@openshift-merge-bot openshift-merge-bot bot merged commit 4579c56 into main Dec 17, 2025
26 checks passed
@openshift-merge-bot openshift-merge-bot bot deleted the security/fix-dependabot-prs branch December 17, 2025 10:44