Skip to content

Bump the other-go-modules group across 1 directory with 2 updates#76

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/other-go-modules-28e804c064
Open

Bump the other-go-modules group across 1 directory with 2 updates#76
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/other-go-modules-28e804c064

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor

Bumps the other-go-modules group with 1 update in the / directory: github.com/onsi/ginkgo/v2.

Updates github.com/onsi/ginkgo/v2 from 2.28.1 to 2.32.0

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.32.0

2.32.0

-fd generate RSpec-style documentation output. Thank @​woodie ! --sleep-on-failure pauses a failed spec before teardown. Thanks @​qinqon !

v2.31.0

2.31.0

Add a bunch of Claude Skills via the marketplace:

/plugin marketplace add onsi/ginkgo
/plugin install ginkgo@ginkgo

v2.30.0

2.30.0

Features

Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.

Thanks @​lawrencejones !

Fixes

  • Fix nested --github-output group for progress report nested inside timeline [4f62d7a]

v2.29.0

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

v2.28.3

2.28.3

Maintenance

Bump all dependencies

v2.28.2

2.28.2

  • Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
  • Implement shell completion [94151c8]
  • Add asan CLI option mirroring msan implementation [4d21dbb]
  • Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
  • fix aspect ratio [9619647]
  • update logos [5779304]
Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.32.0

-fd generate RSpec-style documentation output. Thank @​woodie ! --sleep-on-failure pauses a failed spec before teardown. Thanks @​qinqon !

2.31.0

Add a bunch of Claude Skills via the marketplace:

/plugin marketplace add onsi/ginkgo
/plugin install ginkgo@ginkgo

2.30.0

Features

Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.

Thanks @​lawrencejones !

Fixes

  • Fix nested --github-output group for progress report nested inside timeline [4f62d7a]

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

2.28.3

Maintenance

Bump all dependencies

2.28.2

  • Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
  • Implement shell completion [94151c8]
  • Add asan CLI option mirroring msan implementation [4d21dbb]
  • Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
  • fix aspect ratio [9619647]
  • update logos [5779304]
Commits
  • 9ff1646 v2.32.0
  • 0491f2a Make -fd exclusive of -p/-procs and -randomize-all
  • 334f74a respect SilenceSkips in fd mode, add test
  • 21047ce No need for a new method.
  • 7d281e1 Break out to two methods.
  • 5313727 More integration, fewer changes.
  • b83f524 Fewer new methods.
  • 73c59df feat: add -fd flag for RSpec-style documentation output
  • 76a2074 feat: add --sleep-on-failure to pause a failed spec before teardown
  • 3c7bde4 v2.31.0
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.39.1 to 1.40.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.40.0

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

Commits

Summary by CodeRabbit

  • Chores
    • Updated several Go dependencies to newer versions, including testing and tooling libraries.
    • Kept the module file in sync with current upstream releases for better compatibility and maintenance.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 24, 2026
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Walkthrough

go.mod updates pinned versions for github.com/onsi/ginkgo/v2, github.com/onsi/gomega, github.com/google/pprof, and several golang.org/x/* indirect dependencies.

Changes

Dependency Version Bumps

Layer / File(s) Summary
Module version bumps
go.mod
Updates the pinned versions for ginkgo/v2, gomega, google/pprof, and the indirect golang.org/x/* modules x/mod, x/net, x/sync, x/sys, x/term, x/text, and x/tools.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 16
✅ Passed checks (16 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Operator Image Source ✅ Passed PR only updates go.mod/go.sum and vendored deps; no controller/API image logic changed, and operator still reads PF_STATUS_RELAY_IMAGE.
Stable And Deterministic Test Names ✅ Passed No real Ginkgo DSL calls or *_test.go changes appeared in the PR; it only bumps vendored deps and library code.
Test Structure And Quality ✅ Passed PR only updates go.mod/go.sum and vendored deps; no repository test files or Ginkgo test patterns changed, so this check is not applicable.
Microshift Test Compatibility ✅ Passed No new repo e2e/spec tests were added; the PR only bumps Go modules and vendored upstream deps.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only bumps Go module/vendor dependencies; no new repo e2e tests or SNO-sensitive Ginkgo specs were added.
Topology-Aware Scheduling Compatibility ✅ Passed Diff only updates go.mod/go.sum and vendored deps; no manifests or controller code changed, so no topology-sensitive scheduling is introduced.
Ote Binary Stdout Contract ✅ Passed No repo-owned main/init/TestMain/suite hooks changed; the new fmt.Println calls are confined to vendored Ginkgo CLI packages, not the OTE test binary.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Diff only updates go.mod/vendor deps; no new _test.go or Ginkgo e2e specs were added, so IPv4/external-connectivity checks don't apply.
No-Weak-Crypto ✅ Passed PASS: The PR only bumps Go deps; diff review found no added MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret-comparison code.
Container-Privileges ✅ Passed PR only bumps Go deps/vendor files; no changed container/K8s manifests or privileged/securityContext settings were introduced.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive-data logging was added; the new prints only warn about fd mode and report a local install path, with no secrets/PII/token handling.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the dependency update scope and accurately reflects that two Go modules were bumped in the repository root.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/go_modules/other-go-modules-28e804c064

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from SchSeba and karampok June 24, 2026 01:43
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign karampok for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 78-86: Update the golang.org/x/net module from v0.53.0 to v0.55.0
or later to address CVEs GO-2026-5025 and GO-2026-5030 in HTML parsing. Update
the golang.org/x/sys module from v0.43.0 to v0.45.0 or later to address CVE
GO-2026-5024 in Windows NTLM string conversion (note that v0.44.0 is
insufficient, use v0.45.0 or later). Additionally, inspect the
github.com/google/pprof dependency to replace its pseudo-version pin with a
released version to comply with supply chain security guidelines.
- Around line 78-86: Update the golang.org/x/net dependency from v0.53.0 to
v0.55.0 or later and the golang.org/x/sys dependency from v0.43.0 to v0.44.0 or
later in the go.mod file to address the identified CVEs. After making these
version changes, run the pre-commit checks by executing make generate, make
manifests, go mod tidy, go mod vendor, and hack/align-ocp-version.sh to ensure
compatibility and stage any resulting changes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 31f5b42f-9cc4-4468-ba88-33d917dc7622

📥 Commits

Reviewing files that changed from the base of the PR and between c0ce5e1 and 9d610d8.

⛔ Files ignored due to path filters (94)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/onsi/ginkgo/v2/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/core_dsl.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/ginkgo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/helpergo_dsl.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/global/init.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/flags.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/html/iter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/html/node.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/html/nodetype_string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/hpack/tables.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/http2.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/writesched.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/http2/writesched_random.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sync/singleflight/singleflight.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/aliases.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/dll_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/security_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/message/catalog/catalog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/message/catalog/dict.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/message/catalog/go19.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/message/catalog/gopre19.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/ureader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/coretype.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/versions/features.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment on lines +78 to +86
golang.org/x/mod v0.35.0 // indirect
golang.org/x/net v0.53.0 // indirect
golang.org/x/oauth2 v0.34.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/term v0.39.0 // indirect
golang.org/x/text v0.33.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.43.0 // indirect
golang.org/x/term v0.42.0 // indirect
golang.org/x/text v0.36.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.41.0 // indirect
golang.org/x/tools v0.44.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Extract go.mod header to determine the effective Go toolchain version (required by retrieved learning)
echo "=== go.mod header (toolchain / go directives) ==="
head -n 10 go.mod

# Cross-reference with osv.dev for CVE details and Go version applicability
echo ""
echo "=== Verify CVE details on osv.dev (check Go version applicability) ==="
echo "Vulnerabilities flagged by OSV Scanner above. Check:"
echo "  - https://osv.dev/list?ecosystem=Go"
echo "  - Filter by go.golang.org/x/net, go.golang.org/x/sys"
echo "  - Cross-reference affected versions with the Go toolchain version extracted above"

Repository: openshift/pf-status-relay-operator

Length of output: 747


🏁 Script executed:

#!/bin/bash
# Extract full go.mod to see all golang.org/x/* versions and google/pprof
echo "=== Full go.mod lines 40-90 (all google/pprof and golang.org/x/* deps) ==="
sed -n '40,90p' go.mod

echo ""
echo "=== Check for google/pprof in full go.mod ==="
grep -n "google/pprof" go.mod || echo "Not found in direct search; checking indirect markers..."
grep -n "pprof" go.mod

Repository: openshift/pf-status-relay-operator

Length of output: 3185


🏁 Script executed:

#!/bin/bash
# Search codebase for vulnerable code path usage patterns
# Check for HTML parsing from golang.org/x/net
echo "=== Searching for HTML/net parsing code paths ==="
rg -t go "(net\.HTML|html\.Parse|golang\.org/x/net/html)" --no-heading

echo ""
echo "=== Searching for IDNA usage ==="
rg -t go "(idna|IDNA)" --no-heading

echo ""
echo "=== Searching for Windows NTLM usage ==="
rg -t go "(NTLM|NTUnicode|golang\.org/x/sys/windows)" --no-heading

Repository: openshift/pf-status-relay-operator

Length of output: 222


🌐 Web query:

golang.org/x/net v0.53.0 CVE GO-2026-5025 GO-2026-5030 Go 1.25 applicability

💡 Result:

The vulnerabilities GO-2026-5025 and GO-2026-5030 affect the golang.org/x/net module [1][2][3]. Both vulnerabilities involve the parsing of arbitrary HTML in golang.org/x/net/html, which can lead to the creation of an unexpected HTML tree and be leveraged for Cross-Site Scripting (XSS) attacks in applications that sanitize HTML input before rendering it [1][2][4]. Applicability: - Affected Versions: Versions of golang.org/x/net/html before v0.55.0 are affected [1][2][5]. - Specific Version: Your specified version, golang.org/x/net v0.53.0, is vulnerable to both issues [3][6]. - Mitigation: Users should update the golang.org/x/net module to version v0.55.0 or later to resolve these vulnerabilities [5][4][7]. Go 1.25 Applicability: Go 1.25 is a separate release from the Go language toolchain (released August 2025) [8][9]. While your environment might be using Go 1.25, the vulnerability resides within the third-party golang.org/x/net module, which is managed independently of the Go standard library version [3]. You must update the external module dependency regardless of your Go toolchain version [4][7].

Citations:


🌐 Web query:

golang.org/x/sys v0.43.0 CVE GO-2026-5024 Windows NTLM integer overflow

💡 Result:

The vulnerability identified as GO-2026-5024 (CVE-2026-39824) involves an integer overflow in the NewNTUnicodeString function within the golang.org/x/sys/windows package [1][2][3]. The issue stems from the function failing to check for string length overflow when converting a string to a NTUnicodeString [1][4]. Specifically, the length in bytes is calculated using a uint16, meaning that input strings exceeding the capacity of a 16-bit number of bytes would cause an overflow, resulting in a truncated string being returned instead of an error [1][5][3]. Key details regarding this vulnerability include: - Affected Versions: golang.org/x/sys/windows versions prior to v0.44.0 [1][6]. - Resolution: The issue was addressed in version v0.45.0, where the function now correctly returns an error when provided with a string that is too long [3]. - Context: While the report specifies an integer overflow, it is not explicitly categorized as an NTLM-specific vulnerability in official Go security documentation, though it concerns Windows system interactions [1][3]. Some confusion may exist with other NTLM-related vulnerabilities, such as CVE-2026-32952, which affects the unrelated go-ntlmssp package [7]. The Go Security Team published this advisory on May 22, 2026 [1][2][3]. Developers using versions of golang.org/x/sys earlier than v0.44.0 (including v0.43.0) are advised to update to a patched version [1][8][3].

Citations:


Update golang.org/x/net to v0.55.0+ and golang.org/x/sys to v0.45.0+ to address confirmed CVEs.

Code path analysis shows your operator does not invoke the vulnerable functions (no HTML parsing, IDNA, or Windows NTLM usage found), so current exploitability risk is low. However, the CVEs are confirmed and patches are available:

  • golang.org/x/net v0.53.0v0.55.0+: Fixes GO-2026-5025 and GO-2026-5030 (HTML parsing XSS vulnerabilities in golang.org/x/net/html).
  • golang.org/x/sys v0.43.0v0.45.0+: Fixes GO-2026-5024 (integer overflow in Windows NTLM string conversion). Note: v0.44.0 is insufficient; use v0.45.0 or later.

These updates are required for supply chain security compliance even though your code does not currently trigger these code paths.

Additionally, github.com/google/pprof (line 44) is pinned to a pseudo-version (v0.0.0-20260402051712-545e8a4df936), which violates the supply chain security guideline requiring exact version pins. Verify this is intentional or replace with a released version.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

(GO-2026-5025)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

(GO-2026-5026)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

(GO-2026-5027)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

(GO-2026-5028)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

(GO-2026-5029)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking duplicate attributes can cause XSS in golang.org/x/net/html

(GO-2026-5030)


[LOW] 82-82: golang.org/x/sys 0.43.0: Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

(GO-2026-5024)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 78 - 86, Update the golang.org/x/net module from v0.53.0
to v0.55.0 or later to address CVEs GO-2026-5025 and GO-2026-5030 in HTML
parsing. Update the golang.org/x/sys module from v0.43.0 to v0.45.0 or later to
address CVE GO-2026-5024 in Windows NTLM string conversion (note that v0.44.0 is
insufficient, use v0.45.0 or later). Additionally, inspect the
github.com/google/pprof dependency to replace its pseudo-version pin with a
released version to comply with supply chain security guidelines.

🔒 Security & Privacy | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Extract go.mod header to determine effective Go toolchain version for CVE assessment
head -n 10 go.mod

Repository: openshift/pf-status-relay-operator

Length of output: 395


🏁 Script executed:

#!/bin/bash
# Extract full go.mod to locate google/pprof and verify indirect dependencies
cat go.mod

Repository: openshift/pf-status-relay-operator

Length of output: 5200


🏁 Script executed:

#!/bin/bash
# Search for usage of golang.org/x/net and golang.org/x/sys in the codebase
echo "=== golang.org/x/net usage ===" && \
rg 'golang\.org/x/net' --type go -l && \
echo "=== golang.org/x/sys usage ===" && \
rg 'golang\.org/x/sys' --type go -l

Repository: openshift/pf-status-relay-operator

Length of output: 203


🌐 Web query:

GO-2026-5025 GO-2026-5026 golang.org/x/net CVE 2026

💡 Result:

The identifiers GO-2026-5025 and GO-2026-5026 refer to vulnerability reports in the Go ecosystem affecting the golang.org/x/net package, which were addressed in version v0.55.0 [1][2][3]. GO-2026-5025 corresponds to CVE-2026-42506 [1][4][5]. It involves an issue where parsing arbitrary HTML can result in an unexpected HTML tree, potentially allowing Cross-Site Scripting (XSS) in applications that sanitize input HTML before rendering [1][5]. The vulnerability affects the golang.org/x/net/html package [1][4]. Note that the identifier CVE-2026-5025 is unrelated to Go and instead refers to a vulnerability in the Langflow application (missing authorization in log endpoints) [6][7]. GO-2026-5026 corresponds to CVE-2026-39821 [2][8]. It involves an issue in the golang.org/x/net/idna package where the ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label [2][3]. This can lead to privilege escalation by bypassing hostname-based security checks [2][3]. Similar to the other identifier, CVE-2026-5026 is also reused in unrelated contexts, specifically referring to a stored XSS vulnerability in a different product [9][10][11]. In summary: - GO-2026-5025: Affects golang.org/x/net/html (CVE-2026-42506) [1][5]. - GO-2026-5026: Affects golang.org/x/net/idna (CVE-2026-39821) [2][8]. - Both vulnerabilities were resolved in golang.org/x/net version v0.55.0 [1][2][3].

Citations:


🏁 Script executed:

#!/bin/bash
# Search for CVE identifiers GO-2026-5027 through GO-2026-5030 and GO-2026-5024
# Also check if google/pprof is in tools.go or build scripts
echo "=== Checking for tools.go (pprof usage) ===" && \
find . -name "tools.go" -type f -exec cat {} \; && \
echo "=== Checking Makefile for pprof references ===" && \
grep -i pprof Makefile || true

Repository: openshift/pf-status-relay-operator

Length of output: 263


🌐 Web query:

GO-2026-5027 GO-2026-5028 GO-2026-5029 GO-2026-5030 golang.org/x/net CVE

💡 Result:

The vulnerability reports you referenced (GO-2026-5027, GO-2026-5028, and GO-2026-5029) are part of the Go Vulnerability Database and relate to security issues in the golang.org/x/net package [1][2][3][4]. These vulnerabilities were addressed in golang.org/x/net version v0.55.0 [1]. Details for each are as follows: GO-2026-5027: This report corresponds to CVE-2026-42506, which involves incorrect handling of namespaced elements in foreign content within the golang.org/x/net/html parser [1][5]. This could be leveraged to execute Cross-Site Scripting (XSS) attacks in applications that attempt to sanitize input HTML before rendering [5]. GO-2026-5028: This report corresponds to CVE-2026-25680, which involves a denial-of-service vulnerability in golang.org/x/net/html [3]. Parsing arbitrary HTML can consume excessive CPU time [3]. GO-2026-5029: This report corresponds to CVE-2026-25681, which involves incorrect handling of character references in DOCTYPE nodes within the golang.org/x/net/html parser [1][2]. Similar to GO-2026-5027, this can lead to XSS when rendering parsed HTML [1]. Regarding GO-2026-5030, it is listed in the Go Vulnerability Database [4], but specific public details for this exact identifier were not surfaced in the search results provided. To obtain official information on all Go security advisories, you can consult the Go Vulnerability Database at https://vuln.go.dev/ or browse reports at https://pkg.go.dev/vuln/ [4][6].

Citations:


🌐 Web query:

GO-2026-5024 golang.org/x/sys CVE

💡 Result:

GO-2026-5024 (also identified as CVE-2026-39824) is a security vulnerability in the golang.org/x/sys/windows package [1][2][3]. The vulnerability involves the NewNTUnicodeString function, which fails to correctly validate input string lengths against the maximum capacity of an NTUnicodeString structure [1][4]. In Windows, NTUnicodeString structures use a 16-bit field to store the length of the string in bytes. When a provided string exceeds this maximum size, the function performs a silent truncation of the string instead of returning an error [2][5][6]. This behavior can lead to integer overflow or wraparound issues, potentially causing data integrity problems or unexpected application behavior when relying on this function for Unicode string handling [3][6]. The vulnerability was published on May 22, 2026 [2][3]. It affects versions of golang.org/x/sys prior to v0.44.0 [2][4]. Users are advised to update the package to version 0.44.0 or later to resolve the issue [5]. If upgrading is not immediately possible, manual length validation of strings before passing them to NewNTUnicodeString is recommended as a temporary mitigation [4][5].

Citations:


Upgrade golang.org/x/net to v0.55.0+ and golang.org/x/sys to v0.44.0+ to resolve CVE exposures.

All 7 CVEs flagged in the original review are confirmed:

golang.org/x/net v0.53.0 (6 CVEs fixed in v0.55.0):

  • GO-2026-5025, GO-2026-5027: XSS via incorrect HTML parsing (golang.org/x/net/html)
  • GO-2026-5026: IDNA privilege escalation via Punycode mishandling
  • GO-2026-5028: DoS via excessive CPU in HTML parser
  • GO-2026-5029: XSS via DOCTYPE character reference handling
  • GO-2026-5030: Additional golang.org/x/net vulnerability

golang.org/x/sys v0.43.0 (1 CVE fixed in v0.44.0):

  • GO-2026-5024: Integer overflow in windows/NTUnicodeString length validation

Risk Assessment: Practical impact is LOW. Codebase inspection found zero direct usage of golang.org/x/net or golang.org/x/sys APIs; these are transitive dependencies pulled in by k8s.io/client-go and controller-runtime. The vulnerable code paths (HTML sanitization, IDNA validation, Windows NTLM auth) are not exercised by your operator's functionality.

However, per supply chain security guidelines, these indirect dependencies should still be upgraded. Update to:

  • golang.org/x/net v0.55.0 or later
  • golang.org/x/sys v0.44.0 or later

Then run the pre-commit checks: make generate && make manifests && go mod tidy && go mod vendor && hack/align-ocp-version.sh to ensure compatibility and stage any resulting changes.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

(GO-2026-5025)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

(GO-2026-5026)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

(GO-2026-5027)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

(GO-2026-5028)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

(GO-2026-5029)


[LOW] 79-79: golang.org/x/net 0.53.0: Invoking duplicate attributes can cause XSS in golang.org/x/net/html

(GO-2026-5030)


[LOW] 82-82: golang.org/x/sys 0.43.0: Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

(GO-2026-5024)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 78 - 86, Update the golang.org/x/net dependency from
v0.53.0 to v0.55.0 or later and the golang.org/x/sys dependency from v0.43.0 to
v0.44.0 or later in the go.mod file to address the identified CVEs. After making
these version changes, run the pre-commit checks by executing make generate,
make manifests, go mod tidy, go mod vendor, and hack/align-ocp-version.sh to
ensure compatibility and stage any resulting changes.

Bumps the other-go-modules group with 1 update in the / directory: [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo).


Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.32.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.1...v2.32.0)

Updates `github.com/onsi/gomega` from 1.39.1 to 1.40.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.39.1...v1.40.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: other-go-modules
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: other-go-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the other-go-modules group with 2 updates Bump the other-go-modules group across 1 directory with 2 updates Jul 7, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/other-go-modules-28e804c064 branch from 9d610d8 to 264a56c Compare July 7, 2026 01:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants