
build(deps): bump the oc-mirror-v2-version-updates group with 13 updates#1382

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/oc-mirror-v2-version-updates-9c8c7ebb48

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 1, 2026

Bumps the oc-mirror-v2-version-updates group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/google/go-containerregistry | 0.20.8-0.20260114192324-795787c558e1 | 0.21.3 |
| github.com/operator-framework/operator-registry | 1.50.0 | 1.65.0 |
| github.com/sirupsen/logrus | 1.9.3 | 1.9.4 |
| github.com/spf13/cobra | 1.10.1 | 1.10.2 |
| github.com/spf13/pflag | 1.0.9 | 1.0.10 |
| github.com/vbauerster/mpb/v8 | 8.10.2 | 8.11.3 |
| go.podman.io/common | 0.65.0 | 0.67.0 |
| go.podman.io/image/v5 | 5.37.0 | 5.39.1 |
| go.podman.io/storage | 1.60.0 | 1.62.0 |
| golang.org/x/crypto | 0.41.0 | 0.49.0 |
| golang.org/x/term | 0.34.0 | 0.41.0 |
| helm.sh/helm/v3 | 3.18.6 | 3.20.1 |
| github.com/docker/cli | 29.0.3+incompatible | 29.3.1+incompatible |

Updates github.com/google/go-containerregistry from 0.20.8-0.20260114192324-795787c558e1 to 0.21.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.3

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.2...v0.21.3

v0.21.2

What's Changed

Full Changelog: google/go-containerregistry@v0.21.1...v0.21.2

v0.21.1

This release fixes a regression in crane introduced in the previous release.

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.0...v0.21.1

v0.21.0

This release updates the minimum Go version to 1.25.6.

What's Changed

... (truncated)

Commits

Updates github.com/operator-framework/operator-registry from 1.50.0 to 1.65.0

Release notes

Sourced from github.com/operator-framework/operator-registry's releases.

v1.65.0

What's Changed

Full Changelog: operator-framework/operator-registry@v1.64.0...v1.65.0

v1.64.0

What's Changed

Full Changelog: operator-framework/operator-registry@v1.63.0...v1.64.0

v1.63.0

What's Changed

... (truncated)

Commits
  • 21f9b55 Bump codecov/codecov-action from 5 to 6 (#1941)
  • 070a649 Bump github.com/operator-framework/api from 0.41.0 to 0.42.0 (#1940)
  • 2095729 render package-level info from channel head in semver template (#1933)
  • 7b22611 Bump github.com/docker/cli (#1939)
  • 2aade62 Bump github.com/grpc-ecosystem/grpc-health-probe from 0.4.46 to 0.4.47 (#1937)
  • d1d3906 Bump the k8s-dependencies group with 4 updates (#1936)
  • 6ea0f39 Bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#1935)
  • 8ef7f30 Bump github.com/mattn/go-sqlite3 from 1.14.34 to 1.14.37 (#1934)
  • d47604f chore(lint): Upgrade golanglint from v2.7.2 to v2.8.0 and fix lint issues" (...
  • 4fef652 Bump the golang-x-deps group with 2 updates (#1932)
  • Additional commits viewable in compare view

Updates github.com/sirupsen/logrus from 1.9.3 to 1.9.4

Release notes

Sourced from github.com/sirupsen/logrus's releases.

v1.9.4

Notable changes

Full Changelog: sirupsen/logrus@v1.9.3...v1.9.4

Changelog

Sourced from github.com/sirupsen/logrus's changelog.

1.9.4

Fixes:

  • Remove uses of deprecated ioutil package

Features:

  • Add GNU/Hurd support
  • Add WASI wasip1 support

Code quality:

  • Update minimum supported Go version to 1.17
  • Documentation updates

Commits
  • b61f268 Merge pull request #1472 from goldlinker/master
  • 15c29db refactor: replace the deprecated function in the ioutil package
  • cb253f3 Merge pull request #1464 from thaJeztah/touchup_godoc
  • 29b2337 Merge pull request #1468 from thaJeztah/touchup_readme
  • d916819 Merge pull request #1427 from dolmen/fix-testify-usage
  • 135e482 README: small touch-ups
  • 2c5fa36 Merge pull request #1467 from thaJeztah/rm_old_badge
  • 877ecec README: remove travis badge
  • 55cf256 Merge pull request #1393 from jsoref/grammar
  • 21bae50 Merge pull request #1426 from dolmen/testing-fix-use-of-math-rand
  • Additional commits viewable in compare view

Updates github.com/spf13/cobra from 1.10.1 to 1.10.2

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.2

🔧 Dependencies

  • chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @dims in spf13/cobra#2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

🔥✍🏼 Docs

🍂 Refactors

🤗 New Contributors

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

Commits

Updates github.com/spf13/pflag from 1.0.9 to 1.0.10

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.10

What's Changed

New Contributors

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

Commits
  • 0491e57 Merge pull request #448 from thaJeztah/fix_go_version
  • 72abab1 Merge pull request #447 from thaJeztah/fix_deprecation_comment
  • 7e4dfb1 Test on Go 1.12
  • 18a9d17 move Func, BoolFunc, tests as they require go1.21
  • c5b9e98 remove uses of errors.Is, which requires go1.13
  • 45a4873 fix deprecation comment for (FlagSet.)ParseErrorsWhitelist
  • See full diff in compare view

Updates github.com/vbauerster/mpb/v8 from 8.10.2 to 8.11.3

Release notes

Sourced from github.com/vbauerster/mpb/v8's releases.

v8.11.3

Full Changelog: vbauerster/mpb@v8.11.2...v8.11.3

v8.11.2

Full Changelog: vbauerster/mpb@v8.10.2...v8.11.2

Commits

Updates go.podman.io/common from 0.65.0 to 0.67.0

Release notes

Sourced from go.podman.io/common's releases.

common/v0.67.0

go.podman.io/common release for podman v5.8

Commits
  • 078c746 [podman-5.8] Common to v0.67.0
  • 6d3663d [podman-5.8] Bump image to v5.39.1, storage to v1.62.0
  • 071bdd3 Merge pull request #630 from TomSweeneyRedHat/dev/tsweeney/dance-5.8-3
  • 80fb329 [podman-5.8] Bump to image 5.39.1
  • c41710e [podman-5.8] Add missing image go.sum
  • 117e15b Merge pull request #629 from TomSweeneyRedHat/dev/tsweeney/dance-5.8-2
  • a1da33b [podman-5.8] Bump image to v5.39.0
  • d5d959a [podman-5.8] Bump storage to 1.62.0 in image
  • b4ff26e Merge pull request #626 from TomSweeneyRedHat/dev/tsweeney/dance-5.8-1
  • bb290dc [podman-5.8] Bump storage to v1.62.0
  • Additional commits viewable in compare view

Updates go.podman.io/image/v5 from 5.37.0 to 5.39.1

Commits
  • 80fb329 [podman-5.8] Bump to image 5.39.1
  • c41710e [podman-5.8] Add missing image go.sum
  • a1da33b [podman-5.8] Bump image to v5.39.0
  • d5d959a [podman-5.8] Bump storage to 1.62.0 in image
  • b4ff26e Merge pull request #626 from TomSweeneyRedHat/dev/tsweeney/dance-5.8-1
  • bb290dc [podman-5.8] Bump storage to v1.62.0
  • a79d33c Merge pull request #616 from l0rd/pr-612-to-5.8
  • 90383df common: safer use of filepath.EvalSymlinks() in findBindir()
  • 89d4270 Merge pull request #601 from Luap99/podman-5.8
  • d1241f8 fix debug log for #579
  • Additional commits viewable in compare view

Updates go.podman.io/storage from 1.60.0 to 1.62.0

Commits
  • bb290dc [podman-5.8] Bump storage to v1.62.0
  • a79d33c Merge pull request #616 from l0rd/pr-612-to-5.8
  • 90383df common: safer use of filepath.EvalSymlinks() in findBindir()
  • 89d4270 Merge pull request #601 from Luap99/podman-5.8
  • d1241f8 fix debug log for #579
  • 32a8375 Add DockerProxy field for dynamic proxy configuration
  • d938980 seccomp: block AF_VSOCK sockets
  • 857c346 Set the MIME type on created OCI indices/manifests
  • ffb4375 idtools: avoid direct use of C.stderr to fix musl cgo build failures
  • 52ca8fb Cleanup manpage formatting
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.41.0 to 0.49.0

Commits
  • 982eaa6 go.mod: update golang.org/x dependencies
  • 159944f ssh,acme: clean up tautological/impossible nil conditions
  • a408498 acme: only require prompt if server has terms of service
  • cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
  • 2f26647 x509roots/fallback: update bundle
  • e08b067 go.mod: update golang.org/x dependencies
  • 7d0074c scrypt: fix panic on parameters <= 0
  • 506e022 go.mod: update golang.org/x dependencies
  • 7dacc38 chacha20poly1305: error out in fips140=only mode
  • 19acf81 go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

Updates golang.org/x/term from 0.34.0 to 0.41.0

Commits
  • 9d2dc07 go.mod: update golang.org/x dependencies
  • d954e03 all: upgrade go directive to at least 1.25.0 [generated]
  • 3aff304 go.mod: update golang.org/x dependencies
  • a7e5b04 go.mod: update golang.org/x dependencies
  • 943f25d x/term: handle transpose
  • 9b991dd x/term: handle delete key
  • 3863673 go.mod: update golang.org/x dependencies
  • 1231d54 go.mod: update golang.org/x dependencies
  • 3475bc8 term: fix some comments
  • 3a0828a go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

Updates helm.sh/helm/v3 from 3.18.6 to 3.20.1

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.20.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Backport of #31644: Fixed a bug where user-provided nil value was not preserved when chart has an empty map or no default for a key
  • Backport of #31601: Fixed a bug where OCI references with tag+digest failed with "invalid byte" error

Installation and Upgrading

Download Helm v3.20.1. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
  • 4.1.4 and 3.20.2 are the next patch releases and will be on April 8, 2026

Changelog

  • chore(deps): bump the k8s-io group with 7 updates a2369ca71c0ef633bf6e4fccd66d634eb379b371 (dependabot[bot])
  • add image index test 90e10564f7ae746a153f3a03006e7061a54ad490 (Pedro Tôrres)
  • fix pulling charts from OCI indices 911f2e908ae40b01ca95b857e94b8894043f64fd (Pedro Tôrres)
  • Remove refactorring changes from coalesce_test.go 76dad33fb1a2b6451920429b4f5f2dd575ea71bb (Evans Mungai)
  • Fix import 45c12f71407b6054a37d3e425d5293ee79a1ab37 (Evans Mungai)
  • Update pkg/chart/common/util/coalesce_test.go 26c6f19f967941dbe53bfb5e52d419b3b3e46075 (Evans Mungai)
  • Fix lint warning 09f5129d49a14c9336cea6f33adf5f52889915ef (Evans Mungai)
  • Preserve nil values in chart already 417deb2b6b7504357b0f580b76f5eed1bb8a5270 (Evans Mungai)

... (truncated)

Commits
  • a2369ca chore(deps): bump the k8s-io group with 7 updates
  • 90e1056 add image index test
  • 911f2e9 fix pulling charts from OCI indices
  • 76dad33 Remove refactorring changes from coalesce_test.go
  • 45c12f7 Fix import
  • 26c6f19 Update pkg/chart/common/util/coalesce_test.go
  • 09f5129 Fix lint warning
  • 417deb2 Preserve nil values in chart already
  • 5417bfa fix(values): preserve nil values when chart default is empty map
  • b2e4314 Merge pull request #31718 from scottrigby/bump-3.20
  • Additional commits viewable in compare view

Updates github.com/docker/cli from 29.0.3+incompatible to 29.3.1+incompatible

Commits
  • c2be9cc Merge pull request #6887 from thaJeztah/29.x_backport_pin_actions
  • 0da6a51 ci: pin actions to digests
  • 6b3ca8f Merge pull request #6884 from thaJeztah/29.x_backport_missing_buildtags
  • f47603c Merge pull request #6885 from thaJeztah/29.x_backport_update_actions
  • 9709c8f build(deps): bump docker/metadata-action from 5 to 6
  • af45a23 build(deps): bump docker/bake-action from 6 to 7
  • bc97f5a Merge pull request #6883 from thaJeztah/29.x_backport_update_go1.25.8
  • 6d71967 cli/command: add missing "go:build" comments
  • 9b51892 update to go1.25.8
  • 5927d80 Merge pull request #6844 from vvoland/update-docker
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the oc-mirror-v2-version-updates group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.20.8-0.20260114192324-795787c558e1` | `0.21.3` |
| [github.com/operator-framework/operator-registry](https://github.com/operator-framework/operator-registry) | `1.50.0` | `1.65.0` |
| [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) | `1.9.3` | `1.9.4` |
| [github.com/spf13/cobra](https://github.com/spf13/cobra) | `1.10.1` | `1.10.2` |
| [github.com/spf13/pflag](https://github.com/spf13/pflag) | `1.0.9` | `1.0.10` |
| [github.com/vbauerster/mpb/v8](https://github.com/vbauerster/mpb) | `8.10.2` | `8.11.3` |
| [go.podman.io/common](https://github.com/containers/container-libs) | `0.65.0` | `0.67.0` |
| [go.podman.io/image/v5](https://github.com/containers/container-libs) | `5.37.0` | `5.39.1` |
| [go.podman.io/storage](https://github.com/containers/container-libs) | `1.60.0` | `1.62.0` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.41.0` | `0.49.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.34.0` | `0.41.0` |
| [helm.sh/helm/v3](https://github.com/helm/helm) | `3.18.6` | `3.20.1` |
| [github.com/docker/cli](https://github.com/docker/cli) | `29.0.3+incompatible` | `29.3.1+incompatible` |


Updates `github.com/google/go-containerregistry` from 0.20.8-0.20260114192324-795787c558e1 to 0.21.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](https://github.com/google/go-containerregistry/commits/v0.21.3)

Updates `github.com/operator-framework/operator-registry` from 1.50.0 to 1.65.0
- [Release notes](https://github.com/operator-framework/operator-registry/releases)
- [Commits](operator-framework/operator-registry@v1.50.0...v1.65.0)

Updates `github.com/sirupsen/logrus` from 1.9.3 to 1.9.4
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](sirupsen/logrus@v1.9.3...v1.9.4)

Updates `github.com/spf13/cobra` from 1.10.1 to 1.10.2
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.10.1...v1.10.2)

Updates `github.com/spf13/pflag` from 1.0.9 to 1.0.10
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.9...v1.0.10)

Updates `github.com/vbauerster/mpb/v8` from 8.10.2 to 8.11.3
- [Release notes](https://github.com/vbauerster/mpb/releases)
- [Commits](vbauerster/mpb@v8.10.2...v8.11.3)

Updates `go.podman.io/common` from 0.65.0 to 0.67.0
- [Release notes](https://github.com/containers/container-libs/releases)
- [Commits](containers/container-libs@common/v0.65.0...common/v0.67.0)

Updates `go.podman.io/image/v5` from 5.37.0 to 5.39.1
- [Release notes](https://github.com/containers/container-libs/releases)
- [Commits](containers/container-libs@image/v5.37.0...image/v5.39.1)

Updates `go.podman.io/storage` from 1.60.0 to 1.62.0
- [Release notes](https://github.com/containers/container-libs/releases)
- [Commits](containers/container-libs@storage/v1.60.0...storage/v1.62.0)

Updates `golang.org/x/crypto` from 0.41.0 to 0.49.0
- [Commits](golang/crypto@v0.41.0...v0.49.0)

Updates `golang.org/x/term` from 0.34.0 to 0.41.0
- [Commits](golang/term@v0.34.0...v0.41.0)

Updates `helm.sh/helm/v3` from 3.18.6 to 3.20.1
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.18.6...v3.20.1)

Updates `github.com/docker/cli` from 29.0.3+incompatible to 29.3.1+incompatible
- [Commits](docker/cli@v29.0.3...v29.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: github.com/operator-framework/operator-registry
  dependency-version: 1.65.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: github.com/sirupsen/logrus
  dependency-version: 1.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: github.com/spf13/cobra
  dependency-version: 1.10.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: github.com/vbauerster/mpb/v8
  dependency-version: 8.11.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: go.podman.io/common
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: go.podman.io/image/v5
  dependency-version: 5.39.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: go.podman.io/storage
  dependency-version: 1.62.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.20.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
- dependency-name: github.com/docker/cli
  dependency-version: 29.3.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: oc-mirror-v2-version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 1, 2026
@coderabbitai

coderabbitai Bot commented Apr 1, 2026

Walkthrough

Updated Go toolchain version from 1.24.3 to 1.25.7. Refreshed module dependencies across primary and indirect require entries, including updates to ecosystem libraries and Kubernetes modules. Some indirect dependencies were added or removed. No code changes were made.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Go Module Dependencies: `go.mod` | Upgraded Go toolchain from 1.24.3 to 1.25.7. Updated versions for multiple primary dependencies (github.com/go-jose/go-jose/v4, github.com/google/go-containerregistry, github.com/operator-framework/operator-registry, github.com/sirupsen/logrus, github.com/spf13/cobra, helm.sh/helm/v3, k8s.io/*, etc.) and indirect dependencies (containerd/*, klauspost/compress, prometheus/*, sigstore/*, etc.). Added new indirect modules and removed previously listed entries. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


@openshift-ci openshift-ci Bot requested review from adolfo-ab and aguidirh April 1, 2026 06:07
@openshift-ci

openshift-ci Bot commented Apr 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign aguidirh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 1, 2026
@openshift-ci

openshift-ci Bot commented Apr 1, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: The Dockerfile's GO_VERSION variable is pinned to go1.23.5 but go.mod
requires Go 1.25.7; update the Dockerfile to set GO_VERSION to go1.25.7 (or
match the exact version string used in go.mod) so the build toolchain and go.mod
are consistent, and ensure any related references to GO_VERSION (build image
tags, download URLs) are updated accordingly to use go1.25.7.
- Line 42: The go.mod still pulls the vulnerable indirect module
github.com/docker/docker v28.5.2+incompatible; update go.mod to explicitly
require or replace github.com/docker/docker to v29.3.1 or later (matching the
upgraded github.com/docker/cli v29.3.1) so the vulnerable transitive version is
resolved, or add a clear justification in the repository docs explaining why
github.com/docker/docker is unreachable in your threat model; locate and change
the go.mod entry for github.com/docker/docker and run go mod tidy to ensure the
new version is used.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e9fcbcba-e3b8-4b3c-85f3-0749946a5ff1

📥 Commits

Reviewing files that changed from the base of the PR and between 18c646f and 818e936.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift/oc-mirror/v2

go 1.24.3
go 1.25.7
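Review bot: the new `go 1.25.7` directive is a toolchain floor, and the Dockerfile this thread reports further down still pins `GO_VERSION=go1.23.5`, so any image build that cannot auto-download a toolchain (offline builds, or `GOTOOLCHAIN=local`) will refuse to compile the module; the prow `lint`, `unit`, `images` and `integration` jobs all failing on 818e936 is consistent with that. Bump the Dockerfile pin to go1.25.7 in this same PR, and since 1.24.3 to 1.25.7 is a language-version change rather than a dependency bump, call it out in the PR description so reviewers do not miss it in a 13-module update.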

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check repo pins for Go versions in common automation files.
set -euo pipefail

echo "== go directive =="
rg -n --no-heading '^go\s+[0-9]+\.[0-9]+(\.[0-9]+)?$' go.mod

echo
echo "== setup-go / golang image version pins in workflows and docs =="
rg -n --no-heading 'setup-go|go-version|golang:|GO_VERSION|go1\.[0-9]+' .github README.md Makefile Dockerfile* 2>/dev/null || true

Repository: openshift/oc-mirror

Length of output: 351


🏁 Script executed:

#!/bin/bash
# More comprehensive search for all Go version pins

echo "== All Dockerfile variants =="
find . -type f \( -name "Dockerfile*" -o -name "dockerfile*" \) | head -20

echo
echo "== GitHub Actions workflows =="
# Parenthesise the -name alternatives so -type f applies to both patterns
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | head -20

echo
echo "== Go version references in workflows =="
rg -n 'go-version|uses:.*setup-go' .github 2>/dev/null || echo "No matches in .github"

echo
echo "== Build scripts and other files =="
find . -type f \( -name "*.sh" -o -name "Makefile*" -o -name "*.mk" \) | grep -v node_modules | grep -v ".git" | head -20

Repository: openshift/oc-mirror

Length of output: 1824


🏁 Script executed:

#!/bin/bash
# Check key Dockerfiles and build scripts for Go version pins

echo "== Main Dockerfile =="
grep -n "GO_VERSION\|go1\." ./Dockerfile || echo "No matches"

echo
echo "== Docker CI/test variants =="
for f in ./images/cli/Dockerfile.{art,ci,test}; do
  if [ -f "$f" ]; then
    echo "File: $f"
    grep -n "GO_VERSION\|go1\." "$f" || echo "  No matches"
  fi
done

echo
echo "== Makefile =="
grep -n "GO_VERSION\|go1\." ./Makefile ./v1/Makefile 2>/dev/null || echo "No matches"

echo
echo "== hack/build.sh =="
if [ -f ./hack/build.sh ]; then
  grep -n "GO_VERSION\|go1\." ./hack/build.sh || echo "No matches"
fi

echo
echo "== Check for .github directory =="
ls -la .github 2>/dev/null || echo "No .github directory"

Repository: openshift/oc-mirror

Length of output: 842


Update Dockerfile to use Go 1.25.7

The Dockerfile pins GO_VERSION=go1.23.5 but go.mod specifies go 1.25.7. This mismatch will cause build failures. Update the Dockerfile to match the go.mod version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The Dockerfile's GO_VERSION variable is pinned to go1.23.5
but go.mod requires Go 1.25.7; update the Dockerfile to set GO_VERSION to
go1.25.7 (or match the exact version string used in go.mod) so the build
toolchain and go.mod are consistent, and ensure any related references to
GO_VERSION (build image tags, download URLs) are updated accordingly to use
go1.25.7.

Comment thread go.mod

require (
github.com/docker/cli v29.0.3+incompatible
github.com/docker/cli v29.3.1+incompatible
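Review bot: `github.com/docker/cli` is a `+incompatible` module, so it ships no go.mod and this bump adds no requirement edge that minimum version selection could use to move the indirect `github.com/docker/docker`, which is why it stays at `v28.5.2+incompatible` as the comment below reports. If the engine module is meant to follow the CLI, add an explicit `require` (or `replace`) for `github.com/docker/docker` at v29.3.1 or later and re-run `go mod tidy`; if the affected code paths are not reachable from oc-mirror, run `govulncheck ./...` and record that result in the PR as the justification rather than leaving the stale pin unexplained.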

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify vulnerable module is still present and whether any replace mitigates it.
set -euo pipefail

echo "== docker/docker entries in go.mod/go.sum =="
rg -n --no-heading 'github\.com/docker/docker|github\.com/docker/cli' go.mod go.sum || true

echo
echo "== replace directives referencing docker modules (if any) =="
rg -n --no-heading '^\s*replace\s+github\.com/docker/(docker|cli)' go.mod || true

Repository: openshift/oc-mirror

Length of output: 1015


🌐 Web query:

GHSA-pxq6-2prw-chj9 docker/docker CVE vulnerability

💡 Result:

GHSA-pxq6-2prw-chj9 is a moderate severity (CVSS 6.8) vulnerability in Moby (the open-source project behind Docker Engine), also tracked as CVE-2026-33997. It involves an off-by-one error (CWE-193) in the Docker daemon's plugin privilege validation logic during docker plugin install. Key details: - Affected versions: Moby/Docker Engine < 29.3.1 (github.com/moby/moby < 29.3.1, github.com/moby/moby/v2 vulnerable at 2.0.0-beta.7) - Fixed in: 29.3.1 (github.com/moby/moby/v2 >= 2.0.0-beta.8) - Impact: Malicious plugins can bypass privilege checks, gaining unintended permissions (e.g., broad device access). No impact if plugins are not used. Exploitation requires user approval of a malicious plugin install; Docker Desktop does not support plugins. - CVSS v3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N - Patch: moby/moby@f4d6f25 - Workarounds: Avoid untrusted plugins, review privileges carefully, restrict daemon access. - Reported by: Cody (c@wormhole.guru) Note: Docker plugins are legacy and uncommon; official docs: https://docs.docker.com/engine/extend/legacy_plugins/. NVD entry pending as of 2026-03-30.

🌐 Web query:

GHSA-x744-4wpc-v9h2 docker/docker CVE vulnerability

💡 Result:

GHSA-x744-4wpc-v9h2 is a high-severity vulnerability (CVSS 8.8) in Moby (Docker Engine), also known as CVE-2026-34040. It allows attackers to bypass authorization plugins (AuthZ) using oversized request bodies in specially-crafted API requests. The Docker daemon forwards the request to the plugin without the body, potentially allowing requests that would otherwise be denied if the body was inspected. This is an incomplete fix for the prior CVE-2024-41110 (GHSA-v23v-6jw2-98fq). Affected: Moby/Docker Engine versions < 29.3.1 (Go package github.com/moby/moby). Patched: Version 29.3.1. Impact: Only affects users of AuthZ plugins that inspect request bodies for access control. Low base exploit likelihood. CWE-863 (Incorrect Authorization). Workarounds: Avoid AuthZ plugins relying on body inspection; restrict Docker API access to trusted parties. Published: 2026-03-27. Official advisory: GHSA-x744-4wpc-v9h2

🌐 Web query:

docker/cli v29.3.1 dependencies docker/docker version

💡 Result:

docker/cli v29.3.1 is the CLI component of Docker Engine v29.3.1. It is a Go project without a standard go.mod file (marked as +incompatible in pkg.go.dev), built with Go runtime 1.25.8. Key updates in this release include packaging updates like containerd to v2.2.2 (in engine) and Go SDK fixes for build tags. No complete dependency list is explicitly stated in sources, but it depends on moby/moby components for API compatibility. Docker Engine (docker/docker) version corresponding is v29.3.1, released 2026-03-25.

🌐 Web query:

github.com/docker/cli v29.3.1 go.mod moby/moby version dependencies

💡 Result:

The github.com/docker/cli repository at version v29.3.1 does not appear to have a standard go.mod file defining module dependencies in the conventional sense, as indicated by the "+incompatible" suffix on pkg.go.dev (https://pkg.go.dev/github.com/docker/cli@v29.3.1+incompatible). This means it is treated as a legacy GOPATH-style package without full Go modules support. The docker/cli project vendors its dependencies, including the Docker Engine client code previously from github.com/docker/docker (now deprecated), which has transitioned to github.com/moby/moby modules (client and api) starting with Docker v29. Vendor updates are done via PRs like docker/cli#6193, which bumped github.com/docker/docker to master (v29.0-dev). No explicit require for github.com/moby/moby is stated in sources for v29.3.1, but the CLI depends on the vendored Docker client code from moby/moby at the version aligned with Docker Engine v29.3.1 (tagged docker-v29.3.1 in moby/moby). Official docs reference parallel milestones for docker/cli 29.3.1 and moby/moby 29.3.1.

Docker dependency update incomplete: github.com/docker/docker v28.5.2 remains vulnerable

Updating github.com/docker/cli to v29.3.1 does not automatically resolve the indirect github.com/docker/docker v28.5.2+incompatible dependency, which has known vulnerabilities:

Both are fixed in v29.3.1+. Add an explicit require/replace for github.com/docker/docker to v29.3.1 or later, or document why this dependency is not reachable in your threat model.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 42, The go.mod still pulls the vulnerable indirect module
github.com/docker/docker v28.5.2+incompatible; update go.mod to explicitly
require or replace github.com/docker/docker to v29.3.1 or later (matching the
upgraded github.com/docker/cli v29.3.1) so the vulnerable transitive version is
resolved, or add a clear justification in the repository docs explaining why
github.com/docker/docker is unreachable in your threat model; locate and change
the go.mod entry for github.com/docker/docker and run go mod tidy to ensure the
new version is used.
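A small consistency checker for the two findings in this review, added here as an example (it is not code from this PR, from CodeRabbit, or from oc-mirror): it reads a go.mod and a Dockerfile, reports a GO_VERSION pin older than the go directive, and reports any required module still below a known-fixed floor. The inputs are constructed samples and the v29.3.1 floor for github.com/docker/docker is taken from the comment above; in a real run the module list would come from go list -m all and reachability from govulncheck.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed inputs mirroring this review: go.mod requires Go 1.25.7 while
// the Dockerfile pins go1.23.5, and docker/docker stayed at v28.5.2.
const sampleGoMod = `module github.com/openshift/oc-mirror/v2

go 1.25.7

require (
	github.com/docker/cli v29.3.1+incompatible
	github.com/docker/docker v28.5.2+incompatible // indirect
	github.com/spf13/cobra v1.10.2
)
`

const sampleDockerfile = "FROM builder.example.invalid/go-toolset AS builder\nENV GO_VERSION=go1.23.5\n"

// MinVersions maps a module path to the lowest acceptable release; the
// docker/docker floor is the fixed version named in the review comment.
var MinVersions = map[string]string{"github.com/docker/docker": "v29.3.1"}

var goDirectiveRe = regexp.MustCompile(`(?m)^go\s+(\S+)\s*$`)
var goVersionRe = regexp.MustCompile(`(?m)^\s*(?:ARG|ENV)\s+GO_VERSION=(\S+)`)

// versionKey reduces "v28.5.2+incompatible", "1.25.7" or "go1.23.5" to one
// comparable integer (major*1e6 + minor*1e3 + patch). "+" build metadata and
// "-" pre-release tags are dropped; each component is assumed to be < 1000.
func versionKey(s string) (int, error) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	key := 0
	for _, p := range append(strings.Split(s, "."), "0", "0")[:3] { // pad to major.minor.patch
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, fmt.Errorf("bad version %q: %v", s, err)
		}
		key = key*1000 + n
	}
	return key, nil
}

// requiredModules returns path -> version for block entries ("path vX") and
// single-line entries ("require path vX"); a trailing "// indirect" is ignored.
func requiredModules(gomod string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// Check returns sorted findings: a Dockerfile GO_VERSION older than the go
// directive (newer is fine, older cannot build) and any module below its floor.
func Check(gomod, dockerfile string) []string {
	var findings []string
	dir := goDirectiveRe.FindStringSubmatch(gomod)
	pin := goVersionRe.FindStringSubmatch(dockerfile)
	if dir != nil && pin != nil {
		want, errW := versionKey(dir[1])
		have, errH := versionKey(pin[1])
		if errW != nil || errH != nil || have < want {
			findings = append(findings, fmt.Sprintf("toolchain: go.mod needs go %s but Dockerfile pins GO_VERSION=%s", dir[1], pin[1]))
		}
	}
	mods := requiredModules(gomod)
	for path, floor := range MinVersions {
		have, errH := versionKey(mods[path]) // absent module -> parse error -> skipped
		floorKey, errF := versionKey(floor)
		if errH == nil && errF == nil && have < floorKey {
			findings = append(findings, fmt.Sprintf("%s %s is below fixed version %s", path, mods[path], floor))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range Check(sampleGoMod, sampleDockerfile) {
		fmt.Println("FINDING:", f)
	}
}
```

Because a `+incompatible` dependency carries no go.mod of its own, a bump like the docker/cli one above cannot raise docker/docker through minimum version selection, which is why the floor has to be checked and, if needed, required explicitly.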

@aguidirh

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 10, 2026
@openshift-ci

openshift-ci Bot commented Apr 10, 2026

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/lint | 818e936 | link | true | /test lint |
| ci/prow/sanity | 818e936 | link | true | /test sanity |
| ci/prow/unit | 818e936 | link | true | /test unit |
| ci/prow/okd-scos-images | 818e936 | link | true | /test okd-scos-images |
| ci/prow/images | 818e936 | link | true | /test images |
| ci/prow/integration | 818e936 | link | true | /test integration |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
