OADP-7565: Go 1.25.8 + x/* dependency bumps#330

Open
kaovilai wants to merge 1 commit into migtools:oadp-dev from kaovilai:oadp-dev-cve-fix

Conversation

kaovilai (Member) commented Mar 17, 2026

Summary

  • Pin Go toolchain to 1.25.8 (was unpinned at 1.25.0)
  • Bump golang.org/x/* dependencies to latest (x/net v0.52.0, x/sync v0.20.0, x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0)
  • Update Dockerfile to golang:1.25.8

CVEs Addressed

Go Toolchain (1.25.8)

CVE              Component
GO-2026-4337     crypto/tls
GO-2026-4340     crypto/tls
GO-2026-4341     net/url
GO-2026-4342     archive/zip
CVE-2026-25679   net/url (IPv6 host parsing)
CVE-2026-27137   crypto/x509 (email constraints)

golang.org/x/* Dependencies

CVE                   Component                                   Fix Version
GHSA-vvgc-356p-c3xw   golang.org/x/net (XSS in HTML tokenizer)    v0.38.0+ (pulled in v0.52.0)

Jira

Test plan

  • go build ./... passes locally
  • CI passes

Note

Responses generated with Claude

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to version 1.25.8
    • Updated Go module dependencies to latest versions for improved stability and security

Pin Go toolchain to 1.25.8 to address:
- GO-2026-4337, GO-2026-4340: crypto/tls
- GO-2026-4341: net/url
- GO-2026-4342: archive/zip
- CVE-2026-25679: net/url IPv6 host parsing
- CVE-2026-27137: crypto/x509 email constraints

Bump golang.org/x/* dependencies:
- x/net v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
- x/sync v0.20.0, x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0

Update Dockerfile to golang:1.25.8.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
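The review comments below note that the go.mod toolchain directive and the Dockerfile builder image should name the same Go version, and the table above gives v0.38.0 as the x/net fix version. The following POSIX shell script is an added example, not code from this PR or from the migtools project, that checks both conditions. The go.mod and Dockerfile fragments it parses are constructed inline to mirror what the PR describes; in a real repository you would feed it the actual files.

```shell
#!/bin/sh
# Added example (not part of PR #330): consistency checks for a toolchain-pin PR.
# The file contents below are constructed to mirror the PR description; they are
# assumptions, not the project's real go.mod or Dockerfile.

GOMOD_SAMPLE='module example.com/oadp-sample

go 1.25.0

toolchain go1.25.8

require (
    golang.org/x/net v0.52.0 // indirect
    golang.org/x/sync v0.20.0
    golang.org/x/text v0.35.0 // indirect
)
'

DOCKERFILE_SAMPLE='FROM golang:1.25.8 AS builder
WORKDIR /src
COPY . .
RUN go build ./...
'

# Print the Go version named by the toolchain directive (e.g. 1.25.8), or
# nothing when go.mod has no toolchain line, i.e. the build is unpinned.
toolchain_version() {
    printf '%s\n' "$1" | sed -n 's/^toolchain go\([0-9][0-9.]*\).*/\1/p'
}

# Print the tag of the first "FROM golang:<tag>" line in a Dockerfile.
dockerfile_go_version() {
    printf '%s\n' "$1" | sed -n 's/^FROM golang:\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the required version of module $2 (e.g. golang.org/x/net) from the
# go.mod text in $1, without the leading "v".
module_version() {
    printf '%s\n' "$1" | sed -n "s#^[[:space:]]*$2 v\([0-9][0-9.]*\).*#\1#p"
}

# Dotted-version comparison: succeeds when $1 >= $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

# Overall check: the pinned toolchain must equal the builder image tag, and
# x/net must be at or above the fix version from the PR's table (v0.38.0).
# Prints each finding and returns 0 only when everything passes.
check_pin_consistency() {
    tc=$(toolchain_version "$1")
    img=$(dockerfile_go_version "$2")
    xnet=$(module_version "$1" "golang.org/x/net")
    status=0
    if [ -z "$tc" ]; then
        echo "FAIL: go.mod has no toolchain directive; the build follows whatever Go is installed"
        status=1
    elif [ "$tc" != "$img" ]; then
        echo "FAIL: toolchain go$tc does not match Dockerfile golang:$img"
        status=1
    fi
    if ! version_ge "$xnet" "0.38.0"; then
        echo "FAIL: golang.org/x/net v$xnet is below the fix version v0.38.0"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "PASS: toolchain go$tc matches golang:$img; x/net v$xnet >= v0.38.0"
    return "$status"
}

check_pin_consistency "$GOMOD_SAMPLE" "$DOCKERFILE_SAMPLE"
```

Run against a checkout with `check_pin_consistency "$(cat go.mod)" "$(cat Dockerfile)"`. A missing toolchain line is reported as a failure on purpose: without it, the version a developer's machine happens to have decides which crypto/tls and net/url fixes end up in the binary.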
Copilot AI review requested due to automatic review settings March 17, 2026 19:41
openshift-ci-robot (Collaborator) commented Mar 17, 2026

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from mpryc and mrnold March 17, 2026 19:41
coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between 142aac7 and a3901a9.

Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum

Files selected for processing (2)
  • Dockerfile
  • go.mod

Walkthrough

Updated Go language runtime version from 1.25 to 1.25.8 in both the Dockerfile and go.mod. Additionally, updated several Go module dependencies including golang.org/x/sync and indirect dependencies for golang.org/x packages (net, sys, term, text, tools).

Changes

Cohort / File(s)                Summary
Go Version and Dependencies     Updated Go base image from 1.25 to 1.25.8 in Dockerfile. Added toolchain directive and bumped
(Dockerfile, go.mod)            golang.org/x/sync to v0.20.0; updated multiple indirect golang.org/x dependencies (net, sys,
                                term, text, tools) to their latest patch versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A version bump hops along with glee,
Go 1.25.8, now for all to see!
Dependencies dance in sync and stride,
golang.org/x packages updated with pride,
One small change, one mighty leap! 🎉

Pre-merge checks: 2 passed, 1 failed

Failed checks (1 inconclusive)

Check name          Status        Explanation                                                   Resolution
Description check   Inconclusive  The description includes a detailed Summary section and CVE   Restructure the description to explicitly include 'Why the
                                  information, but lacks the template's required sections:      changes were made' and 'How to test the changes made'
                                  'Why the changes were made' and 'How to test the changes      sections as specified in the repository template.
                                  made'.

Passed checks (2 passed)

Check name           Status   Explanation
Title check          Passed   The title clearly and specifically summarizes the main changes: pinning Go to 1.25.8 and bumping
                              x/* dependencies, which aligns directly with the changeset.
Docstring Coverage   Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring
                              coverage check.


oadp-snyk commented Mar 17, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical   High   Medium   Low   Total (0)
         Open Source Security   0          0      0        0     0 issues
         Licenses               0          0      0        0     0 issues

Copilot AI left a comment

Pull request overview

Updates the project’s Go toolchain and Go module dependencies to incorporate security fixes and stay current with golang.org/x/* releases.

Changes:

  • Pin the Go toolchain to go1.25.8 via toolchain directive in go.mod.
  • Bump golang.org/x/* dependencies (notably x/net, x/sync, x/sys, x/text, x/term, x/tools) and refresh go.sum.
  • Update the builder image in Dockerfile to golang:1.25.8.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File         Description
go.mod       Pins toolchain to go1.25.8 and updates golang.org/x/* requirements.
go.sum       Updates module checksums to reflect the bumped golang.org/x/* versions.
Dockerfile   Uses golang:1.25.8 for the build stage to match the intended toolchain.

mpryc (Collaborator) commented Mar 18, 2026

/lgtm

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, mpryc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
