OCPBUGS-43501: fix kargs handling in ABI Minimal ISO #10578

Open
zaneb wants to merge 2 commits into openshift:main from zaneb:minimal-iso-kargs

Conversation

@zaneb
Member

@zaneb zaneb commented May 28, 2026

Update to the latest assisted-image-service library with the fix for
kargs in the minimal ISO, allowing them to be manipulated with
coreos-installer.

Note that this PR also includes a commit from #10315, which first updates assisted-image-service to a slightly earlier version, so that we can keep track of when the various changes are introduced.

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to latest compatible versions for improved stability and security.

zaneb added 2 commits May 11, 2026 16:47

This pulls in the latest version of go-diskfs, which has the effect of
naming files added to an ISO with the ISO 9660 Level 1 short filenames
(8.3) generated by default in xorriso, and expected by coreos-installer.

Update to the latest assisted-image-service library with the fix for
kargs in the minimal ISO, allowing them to be manipulated with
coreos-installer.
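The first commit message hinges on ISO 9660 Level 1 (8.3) identifiers: a tool that looks a file up by its short name will not find it if the image was written with a longer one. The following is an added Go illustration, not code from go-diskfs, xorriso, assisted-image-service or the installer. It validates Level 1 file and directory identifiers against the ECMA-119 rules (d-characters A-Z, 0-9 and underscore; stem up to 8, extension up to 3, a ";1" version) and includes a deliberately simple shortening routine, an assumption of this example rather than the mangling those tools apply, which shows why two long names can collide at 8.3 and need disambiguation. The input names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// isDChar reports whether c is an ISO 9660 "d-character", the only
// characters a Level 1 identifier may contain: A-Z, 0-9 and underscore.
func isDChar(c byte) bool {
	return (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_'
}

func allDChars(s string) bool {
	for i := 0; i < len(s); i++ {
		if !isDChar(s[i]) {
			return false
		}
	}
	return true
}

// IsLevel1FileName reports whether id is a valid Level 1 file identifier:
// up to 8 d-characters, ".", up to 3 d-characters, then ";1".
// Either the stem or the extension may be empty, but not both.
func IsLevel1FileName(id string) bool {
	if !strings.HasSuffix(id, ";1") {
		return false
	}
	body := strings.TrimSuffix(id, ";1")
	dot := strings.LastIndex(body, ".")
	if dot < 0 {
		return false
	}
	stem, ext := body[:dot], body[dot+1:]
	if stem == "" && ext == "" {
		return false
	}
	return len(stem) <= 8 && len(ext) <= 3 && allDChars(stem) && allDChars(ext)
}

// IsLevel1DirName: directory identifiers carry no extension or version
// and are at most 8 d-characters.
func IsLevel1DirName(id string) bool {
	return id != "" && len(id) <= 8 && allDChars(id)
}

// mangle upper-cases s, replaces characters outside the d-character set
// with "_" and truncates to max bytes.
func mangle(s string, max int) string {
	b := []byte(strings.ToUpper(s))
	for i, c := range b {
		if !isDChar(c) {
			b[i] = '_'
		}
	}
	if len(b) > max {
		b = b[:max]
	}
	return string(b)
}

// ToLevel1FileName derives a Level 1 identifier from an arbitrary name and
// resolves collisions against `used` by overwriting the tail of the stem
// with a counter. Illustrative only (assumption of this example); xorriso
// and go-diskfs apply their own mangling rules.
func ToLevel1FileName(name string, used map[string]bool) string {
	stem, ext := name, ""
	if dot := strings.LastIndex(name, "."); dot >= 0 {
		stem, ext = name[:dot], name[dot+1:]
	}
	stem, ext = mangle(stem, 8), mangle(ext, 3)
	if stem == "" && ext == "" {
		stem = "_"
	}
	id := stem + "." + ext + ";1"
	for n := 1; used[id]; n++ {
		suffix := fmt.Sprint(n)
		cut := 8 - len(suffix)
		if cut > len(stem) {
			cut = len(stem)
		}
		id = stem[:cut] + suffix + "." + ext + ";1"
	}
	used[id] = true
	return id
}

func main() {
	// Constructed sample names, not taken from any real image.
	used := map[string]bool{}
	for _, n := range []string{"coreos-installer.sh", "coreos-inst.sh", "kargs.json", "README"} {
		id := ToLevel1FileName(n, used)
		fmt.Printf("%-20s -> %-14s valid=%v\n", n, id, IsLevel1FileName(id))
	}
}
```

A practitioner checking a built image can run the identifiers it lists through IsLevel1FileName and IsLevel1DirName; any name that fails is one that a consumer expecting xorriso-style 8.3 names would not be able to open.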
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 28, 2026
@openshift-ci-robot
Contributor

@zaneb: This pull request references Jira Issue OCPBUGS-43501, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Walkthrough

This PR updates five direct dependencies in go.mod to newer versions: diskfs (to a prerelease version), go-version (to v1.8.0), gomega (to v1.39.1), assisted-image-service (to a new prerelease), and logrus (to v1.9.4). It also adds an indirect dependency for go-lzo and reorganizes indirect dependency entries.

Changes

Go Module Dependency Updates

Layer | File(s) | Summary
Direct dependency version updates | go.mod | Five direct dependencies are updated: github.com/diskfs/go-diskfs to v1.7.1 prerelease, github.com/hashicorp/go-version to v1.8.0, github.com/onsi/gomega to v1.39.1, github.com/openshift/assisted-image-service to a new prerelease, and github.com/sirupsen/logrus from prerelease to v1.9.4 stable release.
Indirect dependency consolidation | go.mod | Indirect dependencies are consolidated and reordered: github.com/anchore/go-lzo is added as v0.1.0, and existing indirect entries for github.com/djherbis/times and github.com/klauspost/compress are relocated within the indirect require blocks.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title directly references the bug (OCPBUGS-43501) and accurately describes the main change: fixing kargs handling in the Minimal ISO, which aligns with the primary objective of updating assisted-image-service to fix kernel arguments handling.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR modifies only go.mod (dependency versions); no test files or Ginkgo test names are added or modified, making this check inapplicable.
Test Structure And Quality | ✅ Passed | This PR only modifies go.mod (dependency version updates) and contains no Ginkgo test code changes, making the test structure check not applicable to this PR.
Microshift Test Compatibility | ✅ Passed | PR only modifies go.mod/go.sum for dependency updates; no new Ginkgo e2e tests are added, so MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. The changes are limited to dependency version updates in go.mod, making this check not applicable.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR only modifies go.mod (dependency versions); does not add/modify deployment manifests, operator code, or scheduling constraints. Check not applicable.
Ote Binary Stdout Contract | ✅ Passed | PR contains dependency updates only; no process-level code changes introduce stdout violations. main() properly configures klog to io.Discard and logrus to stderr per OTE contract.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR does not add any new Ginkgo e2e tests. All new test files use standard Go unit tests (testing.T), not Ginkgo framework (no github.com/onsi/ginkgo imports found).
No-Weak-Crypto | ✅ Passed | PR modifies only go.mod, updating dependencies to newer versions and adding anchore/go-lzo (LZO compression, no crypto). No weak cryptography is introduced by these changes.
Container-Privileges | ✅ Passed | This PR modifies only go.mod, go.sum, and vendored dependencies. It does not create or modify any Kubernetes manifests or container configuration files.
No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data (passwords, tokens, API keys, PII, session IDs, credentials) exposed in logging. IP addresses logged for node monitoring are standard operational data, not security-sensitive.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



@zaneb
Member Author

zaneb commented May 28, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 28, 2026
@openshift-ci-robot
Contributor

@zaneb: This pull request references Jira Issue OCPBUGS-43501, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @mhanss


@openshift-ci openshift-ci Bot requested a review from mhanss May 28, 2026 00:15
@openshift-ci-robot
Contributor

@zaneb: This pull request references Jira Issue OCPBUGS-43501, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @mhanss



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 164-173: Update the vulnerable indirect module
github.com/go-jose/go-jose/v4 from v4.1.3 to a patched release (e.g., v4.1.4) in
go.mod and re-resolve modules so go.sum is refreshed; specifically change the
version entry for github.com/go-jose/go-jose/v4 to v4.1.4 (or newer), then run
the module resolution commands (e.g., go get
github.com/go-jose/go-jose/v4@v4.1.4 and go mod tidy) to update go.sum and
ensure the vulnerability GHSA-78h2-9frx-2jm8 / GO-2026-4945 is patched.
- Line 45: Replace the pseudo-version pins with stable tagged releases by
updating the module entries for github.com/diskfs/go-diskfs and
github.com/openshift/assisted-image-service to their latest stable semver tags
(replace the v1.7.1-... and v0.0.0-... pseudo-versions), bump
github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 (or later) to address
GHSA-78h2-9frx-2jm8, and either remove or document the justification/license
evidence for the indirect github.com/anchore/go-lzo dependency if it was
introduced here; after editing go.mod run the standard go toolchain steps (go
get ./..., go mod tidy) to update go.sum and verify builds/tests.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 886780ad-0898-4ce1-a044-987f8691bb2a

📥 Commits

Reviewing files that changed from the base of the PR and between ae2ae05 and df4b6e6.

⛔ Files ignored due to path filters (110)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/anchore/go-lzo/.binny.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/.bouncer.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/.goreleaser.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/DEVELOPING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/Taskfile.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/decompress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/anchore/go-lzo/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/backend/file/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/backend/interface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/backend/substorage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/disk/disk.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/disk/disk_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/diskfs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/blockgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/checksum.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/ext4.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/extent.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/groupdescriptors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/ext4/superblock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/directory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/directoryentry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/fat32.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/fileinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/fsinfosector.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/fat32/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/filesystem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/directoryentry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/eltorito.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/finalize.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/iso9660.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/rockridge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/statt_others.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/iso9660/volume_descriptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/compressor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/directoryentry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/finalize.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/finalize_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/finalizefileinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/fragment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/inode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/squashfs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/superblock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/filesystem/squashfs/xattr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/gpt/partition.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/gpt/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/mbr/partition.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/mbr/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/part/partition.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/partition.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/partition/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/util/bitmap/bitmap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/util/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/util/slices/uniqify.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/util/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/diskfs/go-diskfs/version/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/gomock/call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/gomock/callset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/gomock/controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/gomock/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/mock/gomock/matchers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/hashicorp/go-version/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/hashicorp/go-version/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/hashicorp/go-version/constraint.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/hashicorp/go-version/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/hashicorp/go-version/version_collection.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/format/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/isoutil.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/mock_editor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/mock_executer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/mock_nmstate_handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/mock_nmstatectl_extractor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/mock_nmstatectl_extractor_factory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/nmstate_handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/assisted-image-service/pkg/isoeditor/rhcos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/appveyor.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/entry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/hooks.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/hooks/test/test.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/logger.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/logrus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/sirupsen/logrus/text_formatter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/daixiang0/gci v0.13.5
github.com/digitalocean/go-libvirt v0.0.0-20240220204746-fcabe97a6eed
github.com/diskfs/go-diskfs v1.4.1
github.com/diskfs/go-diskfs v1.7.1-0.20251217162235-58541aa8f559
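Review bot: the pseudo-version pin `github.com/diskfs/go-diskfs v1.7.1-0.20251217162235-58541aa8f559` that replaces `v1.4.1` carries no explanation in go.mod itself; add a trailing comment on that line naming the unreleased change it tracks (the Level 1 8.3 short-name behaviour described in the first commit message), so that a later `go get -u` or dependency bump does not silently move it to a tagged release that lacks the fix.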

@coderabbitai coderabbitai Bot May 28, 2026


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

`For each module below, find the latest stable (non-prerelease, non-pseudo-version) release and whether the required fix exists in that stable tag:

  • github.com/diskfs/go-diskfs
  • github.com/openshift/assisted-image-service
    Also check whether either referenced pseudo-version was later yanked or superseded due to regressions.`

💡 Result:

  1. github.com/diskfs/go-diskfs - Latest stable (non-prerelease, non-pseudo-version) release as of 2026-05-28: v1.9.3 [1]. - Whether the required fix exists in that stable tag: Not determinable from the provided prompt, because the prompt does not specify what “required fix” (commit/issue/PR or change) you are referring to; pkg.go.dev only provides version listings, not fix content for an unspecified bug [1]. - Pseudo-version yanked/superseded check for referenced pseudo-versions: No referenced pseudo-versions were included in your question, so I cannot check whether any were yanked or superseded [1]. 2) github.com/openshift/assisted-image-service - Latest stable (non-prerelease, non-pseudo-version) release as of 2026-05-28: None found. pkg.go.dev shows only pseudo-versions (e.g., v0.0.0-20260130194910-a0962593c2d2) and no semver “stable tag” release number (like vX.Y.Z) [2]. - Whether the required fix exists in that stable tag: Not determinable, because there is no stable semver tag to check and the prompt does not specify which fix you mean (commit/issue/PR) [2]. - Pseudo-version yanked/superseded check for referenced pseudo-versions: No referenced pseudo-versions were included in your question, so I cannot verify yanking/supersession due to regressions [2]. What I need from you to complete the “required fix” + “referenced pseudo-versions yanked/superseded” parts - The exact pseudo-version strings you want checked for both modules. - The fix identifier for each module (e.g., the GitHub issue/PR number, commit SHA, or the file/function/behavior that should change). Once you provide those, I can (a) map whether the fix is present in the latest stable tag (or the latest commit behind a pseudo-version if no semver tag exists) and (b) confirm whether the specified pseudo-versions were later marked yanked or replaced (including regression notes) with additional targeted searches.

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant go.mod sections around the line numbers mentioned in the review comment
target_file="go.mod"
if [ ! -f "$target_file" ]; then
  echo "Missing $target_file in repo root"
  exit 1
fi

echo "=== go.mod: lines 35-90 ==="
sed -n '35,90p' "$target_file" | nl -ba -w2 -s': '

echo "=== go.mod: lines 140-200 ==="
sed -n '140,200p' "$target_file" | nl -ba -w2 -s': '

echo "=== go.mod: show go version and module (top) ==="
sed -n '1,40p' "$target_file" | nl -ba -w2 -s': '

Repository: openshift/installer

Length of output: 153


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="go.mod"
[ -f "$file" ] || { echo "Missing $file"; exit 1; }

echo "=== go.mod: exact lines 35-90 ==="
awk 'NR>=35 && NR<=90 {printf "%d: %s\n", NR, $0}' "$file"

echo
echo "=== go.mod: exact lines 140-200 ==="
awk 'NR>=140 && NR<=200 {printf "%d: %s\n", NR, $0}' "$file"

echo
echo "=== go.mod: matching modules ==="
rg -n --no-heading 'github\.com/diskfs/go-diskfs|github\.com/openshift/assisted-image-service|github\.com/anchore/go-lzo|github\.com/go-jose/go-jose/v4' "$file" || true

echo
echo "=== go.mod: any replace directives ==="
rg -n --no-heading '^\s*replace\s' "$file" || true

Repository: openshift/installer

Length of output: 7919


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== git diff --stat -- go.mod ==="
git diff --stat -- go.mod || true

echo
echo "=== git diff -- go.mod (limited context) ==="
git diff -U3 -- go.mod | sed -n '1,200p'

Repository: openshift/installer

Length of output: 143


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== git status -sb ==="
git status -sb || true

echo
echo "=== go.mod mtime + size ==="
stat -c '%n %y %s' go.mod || true

echo
echo "=== check if go.mod contains the claimed modules ==="
rg -n --no-heading 'github\.com/diskfs/go-diskfs v|github\.com/openshift/assisted-image-service v|github\.com/anchore/go-lzo v|github\.com/go-jose/go-jose/v4 v' go.mod || true

Repository: openshift/installer

Length of output: 506


🌐 Web query:

osv.dev github.com/go-jose/go-jose/v4 v4.1.3 affected fixed

💡 Result:

The Go module github.com/go-jose/go-jose/v4 at version v4.1.3 is affected by a security vulnerability identified as GHSA-78h2-9frx-2jm8 [1][2]. Vulnerability Details: The issue involves a panic during JSON Web Encryption (JWE) decryption [1][3]. The panic is triggered when the alg field in a JWE object specifies a key wrapping algorithm (specifically those ending in KW, excluding A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty [1][2]. This behavior occurs because the cipher.KeyUnwrap function attempts to allocate a slice with a zero or negative length based on the length of the empty encrypted_key field [1][2]. Affected Versions: - github.com/go-jose/go-jose/v4: Version v4.1.3 is affected [1][4]. Fixed Versions: - The vulnerability is fixed in version v4.1.4 and later [1][2][5]. Mitigation: If upgrading to v4.1.4 is not immediately possible, you can mitigate this vulnerability if your application does not require key wrapping algorithms. If the list of keyAlgorithms passed to ParseEncrypted, ParseEncryptedJSON, or ParseEncryptedCompact excludes key wrapping algorithms (those ending in KW), the application remains unaffected [1][3]. Additionally, developers using key wrapping can implement pre-validation to ensure the encrypted_key field in the JWE object is not empty [1][2].

Replace disallowed pseudo-version pins and upgrade vulnerable go-jose

  • go.mod pins prerelease pseudo-versions for production dependencies:
    • github.com/diskfs/go-diskfs v1.7.1-0.20251217162235-58541aa8f559 (line 45)
    • github.com/openshift/assisted-image-service v0.0.0-20260428115106-2b81dd8e7120 (line 75)
      Replace with tagged stable releases (or document a written exception + follow-up target).
  • github.com/go-jose/go-jose/v4 v4.1.3 (line 171) is affected by GHSA-78h2-9frx-2jm8; fixed in v4.1.4+ → bump to v4.1.4 or later.
  • github.com/anchore/go-lzo v0.1.0 // indirect (line 164): if introduced in this change, provide need/license evidence per policy.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 45, Replace the pseudo-version pins with stable tagged
releases by updating the module entries for github.com/diskfs/go-diskfs and
github.com/openshift/assisted-image-service to their latest stable semver tags
(replace the v1.7.1-... and v0.0.0-... pseudo-versions), bump
github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 (or later) to address
GHSA-78h2-9frx-2jm8, and either remove or document the justification/license
evidence for the indirect github.com/anchore/go-lzo dependency if it was
introduced here; after editing go.mod run the standard go toolchain steps (go
get ./..., go mod tidy) to update go.sum and verify builds/tests.
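The OSV result quoted in the review above describes two mitigations for GHSA-78h2-9frx-2jm8 besides upgrading go-jose: omit key-wrapping algorithms from the keyAlgorithms list passed to ParseEncrypted, or pre-validate that encrypted_key is not empty when the alg is a key-wrapping one. The following Go block is an added example of the second mitigation, not code from go-jose, assisted-image-service or the installer. It assumes compact serialization (five base64url segments) and constructs its own sample tokens with placeholder iv, ciphertext and tag segments; it never decrypts, it only inspects the protected header and the encrypted_key segment before a token would reach the library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrEmptyEncryptedKey is returned for the exact shape the advisory
// describes: a key-wrapping alg combined with an empty encrypted_key.
var ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")

// usesKeyWrap reports whether alg is one of the algorithms the advisory
// names: any alg ending in "KW" other than the AES-GCM key wraps.
func usesKeyWrap(alg string) bool {
	switch alg {
	case "A128GCMKW", "A192GCMKW", "A256GCMKW":
		return false
	}
	return strings.HasSuffix(alg, "KW")
}

// PrevalidateCompactJWE inspects a compact-serialized JWE
// (protected.encrypted_key.iv.ciphertext.tag) before it is handed to a
// JOSE library. It reads only the protected header; it does not decrypt.
func PrevalidateCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("jwe: expected 5 compact segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("jwe: protected header is not base64url: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("jwe: protected header is not JSON: %w", err)
	}
	if hdr.Alg == "" {
		return errors.New("jwe: protected header has no alg")
	}
	// "dir" and ECDH-ES direct mode legitimately carry an empty
	// encrypted_key, so the check must be conditioned on the alg.
	if usesKeyWrap(hdr.Alg) && parts[1] == "" {
		return ErrEmptyEncryptedKey
	}
	return nil
}

// makeCompactJWE builds a constructed, non-decryptable token with the
// given alg and encrypted_key segment; iv, ciphertext and tag are
// placeholders, which is all the pre-validation needs to see.
func makeCompactJWE(alg, encryptedKey string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A256GCM"})
	b64 := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{
		b64(hdr), encryptedKey, b64([]byte("iv")), b64([]byte("ciphertext")), b64([]byte("tag")),
	}, ".")
}

func main() {
	samples := []struct{ label, token string }{
		{"A256KW, empty key", makeCompactJWE("A256KW", "")},
		{"A256KW, key present", makeCompactJWE("A256KW", "d3JhcHBlZC1rZXk")},
		{"A256GCMKW, empty key", makeCompactJWE("A256GCMKW", "")},
		{"dir, empty key", makeCompactJWE("dir", "")},
		{"ECDH-ES+A128KW, empty", makeCompactJWE("ECDH-ES+A128KW", "")},
		{"malformed", "not.a.jwe"},
	}
	for _, s := range samples {
		fmt.Printf("%-24s -> %v\n", s.label, PrevalidateCompactJWE(s.token))
	}
}
```

The check is deliberately narrow: it rejects only the combination the advisory names, and leaves algorithms such as "dir", which have an empty encrypted_key by design, untouched. It is a stopgap for a service that cannot move to v4.1.4 immediately; the upgrade remains the proper fix.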

Member Author


These are the versions from the library module.
go-diskfs is pinned because it contains an important unreleased bug fix.
go-lzo is MIT licensed.



@zaneb, understood — thanks for the context. The pseudo-version pins make sense given the fixes aren't yet in a stable upstream release, and MIT is unambiguously acceptable for go-lzo.

The one outstanding item from the original review that wasn't covered: github.com/go-jose/go-jose/v4 v4.1.3 is affected by GHSA-78h2-9frx-2jm8 (panic on JWE decryption when encrypted_key is empty, fixed in v4.1.4). Is that within scope to bump here, or is it also constrained by a transitive dependency floor from assisted-image-service?


✏️ Learnings added
Learnt from: zaneb
Repo: openshift/installer PR: 10578
File: go.mod:45-45
Timestamp: 2026-05-28T05:25:56.279Z
Learning: In the openshift/installer repository (go.mod), the pseudo-version pin `github.com/diskfs/go-diskfs v1.7.1-0.20251217162235-58541aa8f559` is intentional: it tracks an important bug fix that is not yet part of any stable upstream release. Do not flag this as a policy violation.
go-jose has nothing to do with this patch and isn't modified by it.

Comment thread go.mod
Comment on lines +164 to +173
github.com/anchore/go-lzo v0.1.0 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.40.4 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 // indirect
github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
github.com/djherbis/times v1.6.0 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/golangci/plugin-module-register v0.1.2 // indirect
github.com/klauspost/compress v1.18.0 // indirect
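Review bot: of the indirect pins in this region, `github.com/go-jose/go-jose/v4 v4.1.3` is below the v4.1.4 fix for GHSA-78h2-9frx-2jm8 raised elsewhere in the thread; since the author states go-jose is not modified by this PR, suggest tracking that bump in a separate dependency PR rather than blocking here, and adding a line to the PR description recording that `github.com/anchore/go-lzo v0.1.0` arrives transitively via assisted-image-service and is MIT licensed, so the license justification the earlier review asked for is documented.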
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check vulnerable module in go.mod:"
rg -n 'github.com/go-jose/go-jose/v4' go.mod go.sum

echo
echo "Query OSV for affected range:"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name":"github.com/go-jose/go-jose/v4","ecosystem":"Go"},
  "version":"4.1.3"
}' | jq '.vulns[] | {id, summary, aliases, affected: .affected[].ranges}'

Repository: openshift/installer

Bump vulnerable dependency github.com/go-jose/go-jose/v4 from 4.1.3 to a patched release.

go.mod includes github.com/go-jose/go-jose/v4 v4.1.3 (indirect; go.mod line ~171; go.sum entries for v4.1.3). OSV reports GHSA-78h2-9frx-2jm8 / GO-2026-4945 (aliases include CVE-2026-34986) affecting this version, with the fix in v4.1.4. Update to v4.1.4 (or newer patched) and re-resolve to refresh go.sum hashes.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 171-171: github.com/go-jose/go-jose/v4 4.1.3: Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose

(GO-2026-4945)


[HIGH] 171-171: github.com/go-jose/go-jose/v4 4.1.3: Go JOSE Panics in JWE decryption

(GHSA-78h2-9frx-2jm8)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 164 - 173, update the vulnerable indirect module
github.com/go-jose/go-jose/v4 from v4.1.3 to a patched release (e.g., v4.1.4) in
go.mod and re-resolve modules so go.sum is refreshed; specifically change the
version entry for github.com/go-jose/go-jose/v4 to v4.1.4 (or newer), then run
the module resolution commands (e.g., go get
github.com/go-jose/go-jose/v4@v4.1.4 and go mod tidy) to update go.sum and
ensure the vulnerability GHSA-78h2-9frx-2jm8 / GO-2026-4945 is patched.
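As an added example (not part of this PR, the project, or the bot's script): a small POSIX shell check that reads a go.mod from stdin and reports whether a module is pinned below a given patched release, run here over a constructed go.mod fragment built from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the PR. Reports whether a go.mod pins a module
# below the first patched version. Only the dotted numeric core of a version is
# compared; pre-release and pseudo-version suffixes are not modelled.
set -eu

# Constructed go.mod fragment (assumed module path), using the pins quoted in
# the review thread.
GOMOD_SAMPLE='module example.com/installer

go 1.22

require (
	github.com/anchore/go-lzo v0.1.0 // indirect
	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
	github.com/klauspost/compress v1.18.0 // indirect
)
'

# pinned_version MODULE_PATH < go.mod : prints the pinned version without the
# leading "v", or nothing if the module is not required.
pinned_version() {
    awk -v mod="$1" '$1 == mod { sub(/^v/, "", $2); print $2; exit }'
}

# version_lt A B : succeeds when dotted version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i in x) ? x[i] + 0 : 0; q = (i in y) ? y[i] + 0 : 0
            if (p != q) exit !(p < q)
        }
        exit 1
    }'
}

# needs_bump MODULE_PATH FIXED_VERSION < go.mod
# prints "vulnerable <pinned>", "ok <pinned>" or "absent".
needs_bump() {
    pinned=$(pinned_version "$1")
    if [ -z "$pinned" ]; then
        echo absent
    elif version_lt "$pinned" "$2"; then
        echo "vulnerable $pinned"
    else
        echo "ok $pinned"
    fi
}

printf '%s' "$GOMOD_SAMPLE" | needs_bump github.com/go-jose/go-jose/v4 4.1.4
```

In a real checkout, `govulncheck ./...` does this against the Go vulnerability database and additionally reports whether the affected code is reachable, which is the question that matters for an indirect dependency like this one.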

@openshift-ci openshift-ci Bot requested review from patrickdillon and rna-afk May 28, 2026 00:25
@openshift-ci

openshift-ci Bot commented May 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign patrickdillon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented May 28, 2026

@zaneb: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
