SANDBOX-1357: update kube & openshift dependencies to 4.19#544
Walkthrough: Adds a dated ignore entry for vulnerability GO-2025-3595 in .govulncheck.yaml and bumps the indirect dependency github.com/openshift/api in go.mod to a newer pseudo-version.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rsoaresd
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
go.mod (1)
178-181: Remove replace directives from go.mod
The two replace lines are still present (go.mod lines 178 and 180) and must be removed before merge:

```diff
-replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
-
-replace github.com/codeready-toolchain/toolchain-common => github.com/rsoaresd/toolchain-common v0.0.0-20250904123823-7c569c802618
+
```

After removal, re-run:

```bash
rg -n '^replace\s' go.mod
go mod tidy
go mod graph | rg 'github.com/codeready-toolchain/(api|toolchain-common)@'
```

to confirm no personal-fork replaces remain and dependencies resolve to upstream.
🧹 Nitpick comments (1)
.govulncheck.yaml (1)
7-7: Add trailing newline
Fix YAML lint error: “no new line character at the end of file.”

```diff
-  silence-until: 2025-09-17
+  silence-until: 2025-09-17
+
```
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
- .govulncheck.yaml (1 hunks)
- go.mod (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.govulncheck.yaml
[error] 7-7: no new line character at the end of file (new-line-at-end-of-file)
🔇 Additional comments (1)
go.mod (1)
152-154: Update OpenShift API branch comment to release-4.19
The inline comment in go.mod (lines 152–154) still references branch release-4.16. Confirm that commit 5b2b8cafdd82 is from release-4.19 and then update the comment to reflect “aligned with OpenShift API release-4.19.”
| ignored-vulnerabilities: | ||
| # Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net | ||
| # Found in Found in: golang.org/x/net/html@v0.33.0 | ||
| # Fixed in Fixed in: golang.org/x/net/html@v0.38.0 | ||
| - id: GO-2025-3595 | ||
| info: https://pkg.go.dev/vuln/GO-2025-3595 | ||
| silence-until: 2025-09-17 No newline at end of file |
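Review bot: the two descriptive comment lines in this hunk carry a duplicated prefix (`# Found in Found in:` and `# Fixed in Fixed in:`); drop the repeat so they read `# Found in: golang.org/x/net/html@v0.33.0` and `# Fixed in: golang.org/x/net/html@v0.38.0`. Since the same comment records that a fixed x/net version exists, the `silence-until: 2025-09-17` entry only makes sense as a short bridge until the module is bumped, so state that reason beside the entry, and add the trailing newline the linter flags on this line.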
Don’t suppress GO-2025-3595 if you can patch; bump x/net to a fixed version
The note says fixed in golang.org/x/net/html@v0.38.0, but go.mod resolves golang.org/x/net v0.34.0 (indirect). Prefer upgrading to ≥0.38.0 and dropping this ignore.
Proposed changes:
- In go.mod force a safe minimum:

```diff
-	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
```

- Then remove this ignore entry after go mod tidy passes, or keep it with a very short silence window until the bump merges.
To verify what version is actually used:
Script executed:

```bash
#!/bin/bash
go mod graph | rg 'golang.org/x/net@'
```
Bump golang.org/x/net to v0.38.0 and remove GO-2025-3595 ignore
go mod graph shows the highest x/net version in use is v0.34.0; v0.38.0 includes the HTML fix for GO-2025-3595. Update go.mod to require ≥v0.38.0, run go mod tidy, then drop this ignore entry.
Description
Update dependencies
Related PRs
Issue ticket number and link
SANDBOX-1357