OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps#160
- Add toolchain go1.25.8 (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
- golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
- golang.org/x/sys v0.35.0 → v0.42.0
- golang.org/x/text v0.23.0 → v0.35.0
- golang.org/x/term v0.30.0 → v0.41.0
- golang.org/x/mod v0.22.0 → v0.33.0

Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Review skipped: Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the Run configuration.
We could get this into dev and cherrypick?
Pull request overview
Updates the module’s Go toolchain and golang.org/x/* dependencies to pick up security fixes (Go stdlib CVEs via a pinned toolchain patch release, plus x/net and related transitive bumps).
Changes:
- Add `toolchain go1.25.8` to ensure builds use a patched Go toolchain version.
- Bump `golang.org/x/net` to v0.52.0 and update related `golang.org/x/*` indirect dependencies.
- Refresh `go.sum` accordingly for the updated dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Adds a Go toolchain directive and bumps indirect golang.org/x/* versions to incorporate CVE fixes. |
| go.sum | Updates checksums for the new golang.org/x/* versions selected by the module graph. |
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, mpryc

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Summary
- `toolchain go1.25.8` directive to fix Go stdlib CVEs
- `golang.org/x/net` v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
- `x/sys` → v0.42.0, `x/text` → v0.35.0, `x/term` → v0.41.0, `x/mod` → v0.33.0

Note: `golang.org/x/crypto` is not in this module's dependency graph — those CVEs do not apply here.

Test plan
- `go build ./...` passes

Note: Responses generated with Claude
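A CI-style guard for the two floors this PR lands (the `toolchain go1.25.8` directive and `golang.org/x/net` at or above v0.52.0), as an added example that is not part of the PR or the project's own tooling; the go.mod it parses is a constructed sample, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample go.mod mirroring the directives this PR adds (not the project's file).
SAMPLE_GOMOD="$(mktemp)"
cat > "$SAMPLE_GOMOD" <<'EOF'
module example.com/oadp-sample

go 1.25

toolchain go1.25.8

require (
	golang.org/x/net v0.52.0 // indirect
	golang.org/x/sys v0.42.0 // indirect
)
EOF

# version_ge A B: exit 0 when dotted version A (e.g. 1.25.8 or v0.52.0) >= B, component-wise.
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# gomod_toolchain FILE: print the version from a `toolchain goX.Y.Z` directive (empty if absent).
gomod_toolchain() {
    awk '$1 == "toolchain" { sub(/^go/, "", $2); print $2; exit }' "$1"
}

# gomod_require FILE MODULE: print MODULE's pinned version from a require block or require line.
gomod_require() {
    awk -v m="$2" '$1 == m { print $2; exit } $1 == "require" && $2 == m { print $3; exit }' "$1"
}

# check_gomod FILE: succeed only if the toolchain is at least go1.25.8 and x/net at least v0.52.0.
check_gomod() {
    tc="$(gomod_toolchain "$1")"
    net="$(gomod_require "$1" golang.org/x/net)"
    [ -n "$tc" ] && version_ge "$tc" 1.25.8 || { echo "toolchain missing or older than go1.25.8: '$tc'"; return 1; }
    [ -n "$net" ] && version_ge "$net" v0.52.0 || { echo "golang.org/x/net missing or older than v0.52.0: '$net'"; return 1; }
    echo "go.mod ok: toolchain go$tc, golang.org/x/net $net"
}

check_gomod "$SAMPLE_GOMOD"
```

Point `check_gomod` at the real go.mod in CI to fail a build that regresses either floor; `go version` should then report go1.25.8 because the toolchain directive selects it.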