
fix(deps): OADP-7565,OADP-7569,OADP-7572: bump Go toolchain to 1.25.8 and update x/* dependencies#12

Merged
weshayutin merged 1 commit into migtools:oadp-1.4 from kaovilai:oadp-1.4-go1.25.8
Mar 18, 2026

Conversation

@kaovilai
Member

@kaovilai kaovilai commented Mar 17, 2026

Summary

  • Update Go toolchain from go 1.21 to go 1.25.0 / toolchain go1.25.8 to address multiple CVEs
  • Bump golang.org/x/crypto to v0.49.0 and golang.org/x/net to v0.52.0 for security fixes
  • Bump go.opentelemetry.io/otel/sdk from v1.39.0 to v1.42.0 (fixes GHSA-9h8m-3fm2-qjrq: arbitrary code execution via PATH hijacking)
  • Bump google.golang.org/grpc from v1.57.0 to v1.79.2 (minimum v1.57.1 required) and google.golang.org/api + transitive google cloud dependencies
  • Transitive bumps: x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0
  • Fix Go 1.25 vet errors for non-constant format strings (cli/json_output.go, tests/recovery/recovery_test)
  • Fix race condition in internal/epoch/epoch_manager_test.go (use atomic.Bool for loadedDone)
  • Upgrade actions/upload-artifact and actions/download-artifact from v3 to v4 (v3 deprecated)
  • Upgrade actions/setup-go from v4.1.0 to v6.1.0 (v5 and earlier don't read toolchain directive from go.mod, causing compile: version mismatch in coverage tests)
  • Run npm audit fix in app/ to resolve npm audit failures in CI

CVEs Addressed

Go Toolchain (1.25.8)

| CVE | Component |
| --- | --- |
| GO-2026-4337 | crypto/tls |
| GO-2026-4340 | crypto/tls |
| GO-2026-4341 | net/url |
| GO-2026-4342 | archive/zip |
| CVE-2026-25679 | net/url (IPv6 host parsing) |
| CVE-2026-27137 | crypto/x509 (email constraints) |

golang.org/x/* Dependencies

| CVE | Component | Fix Version |
| --- | --- | --- |
| GHSA-vvgc-356p-c3xw | golang.org/x/net (XSS in HTML tokenizer) | v0.38.0+ → v0.52.0 |
| GHSA-j5w8-q4qc-rx2x | golang.org/x/crypto (ssh DoS) | v0.45.0+ → v0.49.0 |
| GHSA-f6x5-jh6r-wrfv | golang.org/x/crypto (ssh/agent panic) | v0.45.0+ → v0.49.0 |

Other Vulnerable Dependencies

| CVE | Component | Change |
| --- | --- | --- |
| GHSA-9h8m-3fm2-qjrq | go.opentelemetry.io/otel/sdk (PATH hijacking) | v1.39.0 → v1.42.0 |
| | google.golang.org/grpc (min v1.57.1 required) | v1.57.0 → v1.79.2 |
| | google.golang.org/api (transitive from grpc) | v0.138.0 → v0.272.0 |

CI/Test Fixes

| Component | Change |
| --- | --- |
| actions/upload-artifact | v3 → v4 (v3 deprecated) |
| actions/download-artifact | v3 → v4 (v3 deprecated) |
| actions/setup-go | v4.1.0 → v6.1.0 (reads toolchain directive) |
| app/package-lock.json | npm audit fix |
| epoch_manager_test.go | Fix data race with atomic.Bool (Go 1.25 race detector) |

Jira

Test plan

  • go build ./... passes
  • go vet ./... passes
  • Race condition tests pass with -race -count=3
  • CI pipeline passes

Note

Responses generated with Claude
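The Go 1.25 vet failure the summary describes (non-constant format strings in cli/json_output.go and tests/recovery) is a real bug class, not just lint noise: a value containing `%` that is passed as the *format* argument is parsed, not printed. The following is an added example, not code from this PR or from kopia, that reproduces the before and after patterns on a constructed input; the names writeBefore, writeAfter, logfAfter and render are assumptions made for illustration:

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// writeBefore reproduces the pattern the PR removed from cli/json_output.go:
// a caller-supplied string used as the format argument of Fprintf. Every '%'
// in msg is parsed as a verb, so a file name, path or error text that happens
// to contain '%' is corrupted and, when arguments are present, an injected
// verb can pull an unrelated argument into the output. The explicit empty
// argument spread is only there so the Go 1.24+ vet printf check (which
// `go test` runs) compiles this deliberately wrong version; semantically it
// is fmt.Fprintf(w, msg).
func writeBefore(w io.Writer, msg string) {
	var none []any
	fmt.Fprintf(w, msg, none...)
}

// writeAfter is the fix applied to cli/json_output.go: print the value,
// never interpret it.
func writeAfter(w io.Writer, msg string) {
	fmt.Fprint(w, msg)
}

// logfAfter mirrors the tests/recovery change: when a printf-style API is
// unavoidable (t.Logf, log.Printf), pin a constant format and pass the
// untrusted text as an argument.
func logfAfter(msg string) string {
	return fmt.Sprintf("%s", msg)
}

// render drives both versions over the same untrusted input and returns the
// two results so the difference can be compared.
func render(msg string) (before, after string) {
	var b, a bytes.Buffer
	writeBefore(&b, msg)
	writeAfter(&a, msg)
	return b.String(), a.String()
}

func main() {
	// Constructed input: a status line that legitimately contains '%'.
	msg := "restore 100% done, snapshot %s"
	before, after := render(msg)
	fmt.Printf("before: %q\nafter:  %q\nlogf:   %q\n", before, after, logfAfter(msg))
}
```

In the before case the `% d` sequence inside "100% done" is read as a space-flagged `%d` verb with no argument, so the output becomes `restore 100%!d(MISSING)one, snapshot %!s(MISSING)`; the fixed versions return the text unchanged. The same rule applies to errors and panics: `fmt.Errorf(err.Error())` has the identical problem and wants `%w` or `%s`.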

Copilot AI review requested due to automatic review settings March 17, 2026 19:35
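The epoch_manager_test.go race fix listed in the PR summary replaces a plain bool with atomic.Bool. As an added example that is not the PR's or kopia's code, the following shows the racy shape beside the fixed one on a constructed loader type; loaderRacy, loaderAtomic and waitForLoad are illustrative names, not identifiers from the repository:

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
	"time"
)

var errLoadTimeout = errors.New("load did not complete before the timeout")

// loaderRacy has the shape of the original test: a background goroutine sets
// a plain bool when its work is done and the test goroutine polls it. Nothing
// orders the write before the reads, so `go test -race` reports a data race
// and, under the Go memory model, a reader is not guaranteed ever to observe
// the write (the compiler may legally hoist the read out of the loop).
type loaderRacy struct {
	loadedDone bool
}

func (l *loaderRacy) start(work time.Duration) {
	go func() {
		time.Sleep(work)
		l.loadedDone = true // unsynchronised write
	}()
}

func (l *loaderRacy) wait(timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for time.Now().Before(deadline) {
		if l.loadedDone { // unsynchronised read: racy
			return nil
		}
		time.Sleep(time.Millisecond)
	}
	return errLoadTimeout
}

// loaderAtomic is the fix the PR applies in epoch_manager_test.go: an
// atomic.Bool makes each Store visible to a later Load and gives the race
// detector the happens-before edge it needs.
type loaderAtomic struct {
	loadedDone atomic.Bool
}

func (l *loaderAtomic) start(work time.Duration) {
	go func() {
		time.Sleep(work)
		l.loadedDone.Store(true)
	}()
}

func (l *loaderAtomic) wait(timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for time.Now().Before(deadline) {
		if l.loadedDone.Load() {
			return nil
		}
		time.Sleep(time.Millisecond)
	}
	return errLoadTimeout
}

// waitForLoad runs the fixed loader end to end; a test would call this under
// `go test -race -count=3` and expect nil when work finishes within timeout.
func waitForLoad(work, timeout time.Duration) error {
	var l loaderAtomic
	l.start(work)
	return l.wait(timeout)
}

func main() {
	fmt.Println("fast load:", waitForLoad(5*time.Millisecond, time.Second))
	fmt.Println("slow load:", waitForLoad(300*time.Millisecond, 20*time.Millisecond))
}
```

Swapping loaderAtomic for loaderRacy in waitForLoad and running `go test -race` on it is the quickest way to see the report the PR summary refers to; the `-count=3` in the test plan matters because a race only shows up when the detector happens to observe both accesses in one run.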
@coderabbitai

coderabbitai bot commented Mar 17, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c04c913-2178-4004-ab2f-60bb3e080ace

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@oadp-snyk

oadp-snyk commented Mar 17, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |



Copilot AI left a comment


Pull request overview

Updates the repository’s Go toolchain and key golang.org/x/* dependencies to incorporate security fixes (CVE remediation) and refresh transitive x/* module versions.

Changes:

  • Bumped the module Go version and pinned a specific Go toolchain version via toolchain.
  • Updated golang.org/x/crypto, golang.org/x/net, and related golang.org/x/* dependencies to newer secure versions.
  • Refreshed go.sum to match the updated module graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| go.mod | Updates the Go version/toolchain and bumps several golang.org/x/* direct dependencies. |
| go.sum | Updates sums to reflect the new golang.org/x/* versions. |

module github.com/kopia/kopia

go 1.21
go 1.25.0
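Review bot: raising the `go` directive from 1.21 to 1.25.0 raises the minimum Go version for every module that imports this fork, and unlike the `toolchain` directive it does propagate to consumers; a consumer on an older Go with GOTOOLCHAIN=local fails at build time instead of auto-switching. The PR description lists the toolchain bump but not this downstream effect; please call it out, and confirm that `go 1.25.0` (rather than a lower floor with `toolchain go1.25.8` carrying the patched standard library) is the intended minimum for the oadp-1.4 branch.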
@kaovilai changed the title from "OADP-7565,OADP-7569,OADP-7572: bump Go toolchain to 1.25.8 and update x/* dependencies" to "fix(deps): OADP-7565,OADP-7569,OADP-7572: bump Go toolchain to 1.25.8 and update x/* dependencies" on Mar 17, 2026
@kaovilai
Member Author

/hold for grpc

@kaovilai force-pushed the oadp-1.4-go1.25.8 branch 2 times, most recently from cb6be3e to 8c9b46c on March 17, 2026 20:55
… and update dependencies

Update Go toolchain to 1.25.8 to address multiple CVEs:
- GO-2026-4337, GO-2026-4340 (crypto/tls)
- GO-2026-4341 (net/url)
- GO-2026-4342 (archive/zip)
- CVE-2026-25679 (net/url IPv6 host parsing)
- CVE-2026-27137 (crypto/x509 email constraints)

Update golang.org/x/* dependencies:
- x/crypto v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
- x/net v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
- x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0

Update go.opentelemetry.io/otel/sdk v1.39.0 → v1.42.0
(fixes GHSA-9h8m-3fm2-qjrq: arbitrary code execution via PATH hijacking)

Update google.golang.org/grpc v1.57.0 → v1.79.2 (minimum v1.57.1 required)
Update google.golang.org/api and transitive google cloud dependencies

Fix Go 1.25 vet errors for non-constant format strings in:
- cli/json_output.go: use fmt.Fprint instead of fmt.Fprintf
- tests/recovery/recovery_test: use explicit "%s" format for t.Logf

Upgrade actions/upload-artifact and download-artifact from v3 to v4 (v3 deprecated)

Run npm audit fix in app/ to resolve npm audit failures in CI

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
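The commit message pins the toolchain at go1.25.8 for the CVE fixes it lists. As an added example, not code from this PR or from kopia, the following is a standard-library-only check a CI job could run to fail a build whose go.mod `toolchain` directive has slipped below a policy floor. parseGoMod, checkToolchainFloor and the two go.mod fragments are constructed for illustration; the fragments follow the PR's description of the change:

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// modDirectives holds the two version directives read from a go.mod file.
type modDirectives struct {
	Go        string // language/minimum version, e.g. "1.25.0"
	Toolchain string // toolchain pinned for builds of this module, e.g. "go1.25.8"
}

// parseGoMod extracts the go and toolchain directives with a minimal line
// scanner. Real tooling should use golang.org/x/mod/modfile; a scanner is
// enough here because both directives are single-line, two-field statements.
func parseGoMod(src string) modDirectives {
	var d modDirectives
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			d.Go = fields[1]
		case "toolchain":
			d.Toolchain = fields[1]
		}
	}
	return d
}

// parseVersion turns "1.25.8", "go1.25.8" or "1.21" into comparable numbers.
// Pre-release forms such as go1.26rc1 are rejected rather than guessed at.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func compareVersions(a, b [3]int) int {
	for i := range a {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// checkToolchainFloor enforces a policy floor: the toolchain directive must be
// present and at least floor, and the go directive must not exceed it (a
// toolchain older than the go directive is not a valid go.mod either, but the
// error here says why).
func checkToolchainFloor(src, floor string) error {
	d := parseGoMod(src)
	if d.Toolchain == "" {
		return fmt.Errorf("go.mod has no toolchain directive; builds would use whatever Go is installed")
	}
	tc, err := parseVersion(d.Toolchain)
	if err != nil {
		return err
	}
	fl, err := parseVersion(floor)
	if err != nil {
		return err
	}
	if compareVersions(tc, fl) < 0 {
		return fmt.Errorf("toolchain %s is below the required floor %s", d.Toolchain, floor)
	}
	if d.Go != "" {
		g, err := parseVersion(d.Go)
		if err != nil {
			return err
		}
		if compareVersions(g, tc) > 0 {
			return fmt.Errorf("go directive %s is newer than toolchain %s", d.Go, d.Toolchain)
		}
	}
	return nil
}

func main() {
	// Constructed go.mod fragments following the PR description: the state
	// before the bump and the state after it.
	before := "module github.com/kopia/kopia\n\ngo 1.21\n"
	after := "module github.com/kopia/kopia\n\ngo 1.25.0\n\ntoolchain go1.25.8\n"
	for _, src := range []string{before, after} {
		fmt.Printf("%v\n", checkToolchainFloor(src, "go1.25.8"))
	}
}
```

The two directives divide the work: with the default GOTOOLCHAIN=auto the `toolchain` line makes `go build` inside this module fetch and run go1.25.8 even when the installed Go is older (it must be at least 1.21), while with GOTOOLCHAIN=local the build fails instead. The line applies only to the main module; consumers of the fork inherit the `go` directive as their minimum, not the toolchain. In CI, either install exactly the pinned version (the setup-go upgrade in this PR does that by reading the directive) or leave GOTOOLCHAIN=auto so the switch can happen.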
@kaovilai force-pushed the oadp-1.4-go1.25.8 branch from 8c9b46c to 4f06d71 on March 17, 2026 21:31
@kaovilai
Member Author

/unhold

@weshayutin weshayutin merged commit 8cb74dd into migtools:oadp-1.4 Mar 18, 2026
10 of 12 checks passed