
@octo-sts octo-sts bot commented Jan 9, 2026

@octo-sts octo-sts bot added the labels automated pr, request-cve-remediation, go/bump, GHSA-4x4m-3c2p-qppc, p:local-static-provisioner, P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.) on Jan 9, 2026
octo-sts bot commented Jan 9, 2026

📦 Build Failed: Missing Dependency

go: sigs.k8s.io/sig-storage-local-static-provisioner/pkg/util imports k8s.io/kubernetes/pkg/volume/util/fs imports k8s.io/kubernetes/pkg/volume/util/fsquota imports k8s.io/kubernetes/pkg/features imports k8s.io/client-go/features: module k8s.io/client-go@latest found (v1.5.2, replaced by k8s.io/client-go@v0.29.14), but does not contain package k8s.io/client-go/features

Build Details

Category        Details
Build System    melange/go
Failure Point   go/bump step - gobump execution during 'go mod tidy'

Root Cause Analysis 🔍

The k8s.io/client-go module version v0.29.14 (which replaced v1.5.2) does not contain the required package k8s.io/client-go/features that is being imported through the dependency chain. This indicates a version compatibility issue where the Go module dependency resolution is finding an incompatible version of k8s.io/client-go that lacks the expected package structure.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: local-static-provisioner.yaml

  • addition at line 32-35 (pipeline[0] (go/bump step))

Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/net@v0.38.0
        golang.org/x/oauth2@v0.27.0
        golang.org/x/crypto@v0.45.0
        k8s.io/kubernetes@v1.31.12

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/net@v0.38.0
        golang.org/x/oauth2@v0.27.0
        golang.org/x/crypto@v0.45.0
        k8s.io/kubernetes@v1.31.12
      replaces: |-
        k8s.io/client-go=k8s.io/client-go@v0.31.12

Content:

Add a replaces directive to pin k8s.io/client-go to version v0.31.12, which should contain the required k8s.io/client-go/features package that is missing in the problematic v0.29.14 version.

Analysis

The similar fix shows a pattern of resolving Kubernetes module compatibility issues by adding explicit version constraints in the go/bump step. In the fixed example, when k8s.io/apiserver@latest (v0.33.4) was missing required packages, the solution was to add a "replaces" directive that pinned k8s.io/apiserver to an older, compatible version (v0.31.12). This approach downgrades problematic modules to versions that contain the required package structure while maintaining overall compatibility.


Explanation

The current build failure occurs because k8s.io/client-go@v0.29.14 (which replaced v1.5.2) doesn't contain the k8s.io/client-go/features package. Following the pattern from the similar fix, we need to explicitly pin k8s.io/client-go to a compatible version. Version v0.31.12 is chosen to align with the existing k8s.io/kubernetes@v1.31.12 dependency, ensuring version consistency across the Kubernetes ecosystem components. The k8s.io/client-go/features package was introduced in newer versions of the client-go library, so using v0.31.12 (which is newer than v0.29.14) should contain the required package while maintaining compatibility with other Kubernetes dependencies.


Alternative Approaches

  • Pin k8s.io/client-go to a different version like v0.30.x if v0.31.12 introduces other incompatibilities
  • Update k8s.io/kubernetes to a version that's compatible with the latest k8s.io/client-go, though this might require more extensive testing
  • Add multiple replace directives for other Kubernetes components if version conflicts emerge with just the client-go fix

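The fix the bot proposes rests on one invariant: for a Kubernetes release k8s.io/kubernetes v1.Y.Z, the staging modules (k8s.io/client-go, k8s.io/api, ...) are tagged v0.Y.Z, so a replace that lands on any other version is skew waiting to surface as a missing package. The following check, added here as an editor's example and not code from the PR, from gobump or from the octo-sts bot, parses a go.mod (require and replace directives, block or single-line form) and lists every k8s.io staging module whose effective version after replaces disagrees with the kubernetes release. The two inputs are constructed to mirror the error quoted above (client-go required at v1.5.2 but replaced with v0.29.14 beside kubernetes v1.31.12, then re-pinned to v0.31.12); the module path example.com/provisioner and the short list of non-staging k8s.io modules that are skipped are this example's own assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ModInfo holds what a go.mod says about one module: the required version
// and, when a replace directive rewrites it, the replacement's version.
type ModInfo struct {
	Require string
	Replace string // empty when no replace applies; "local" for "=> ../dir"
}

// Effective is the version the go tool actually builds: the replace target
// if there is one, otherwise the required version.
func (i *ModInfo) Effective() string {
	if i.Replace != "" {
		return i.Replace
	}
	return i.Require
}

// GoMod is the parsed require/replace state, keyed by module path.
type GoMod struct{ Modules map[string]*ModInfo }

func (m *GoMod) info(path string) *ModInfo {
	if m.Modules[path] == nil {
		m.Modules[path] = &ModInfo{}
	}
	return m.Modules[path]
}

// ParseGoMod reads single-line and block-form require/replace directives and
// ignores everything else (module, go, toolchain, exclude, comments).
func ParseGoMod(src string) *GoMod {
	m := &GoMod{Modules: map[string]*ModInfo{}}
	block := "" // name of the open "( ... )" block, "" when outside one
	for _, raw := range strings.Split(src, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		directive := block
		switch {
		case block != "" && fields[0] == ")":
			block = ""
			continue
		case block == "" && len(fields) >= 2 && fields[1] == "(":
			block = fields[0]
			continue
		case block == "":
			directive, fields = fields[0], fields[1:]
		}
		switch directive {
		case "require":
			if len(fields) >= 2 {
				m.info(fields[0]).Require = fields[1]
			}
		case "replace": // "old [vOld] => new vNew" or "old [vOld] => ../path"
			arrow := -1
			for j, f := range fields {
				if f == "=>" {
					arrow = j
				}
			}
			if arrow < 0 || len(fields) < arrow+2 {
				continue
			}
			ver := "local"
			if len(fields) >= arrow+3 {
				ver = fields[arrow+2]
			}
			m.info(fields[0]).Replace = ver
		}
	}
	return m
}

// Skew is a k8s.io staging module whose effective version disagrees with
// the k8s.io/kubernetes release in the same go.mod.
type Skew struct{ Module, Effective, Expected string }

// nonStaging lists k8s.io modules versioned independently of the kubernetes
// release, which must not be checked (assumed list for this example).
var nonStaging = map[string]bool{"k8s.io/klog/v2": true, "k8s.io/utils": true, "k8s.io/kube-openapi": true}

// ExpectedStagingVersion maps kubernetes v1.Y.Z to the v0.Y.Z tag its
// staging repos (client-go, api, apimachinery, ...) carry for that release.
func ExpectedStagingVersion(kube string) (string, bool) {
	if !strings.HasPrefix(kube, "v1.") {
		return "", false
	}
	return "v0." + strings.TrimPrefix(kube, "v1."), true
}

// StagingSkew returns the mismatched k8s.io modules, sorted by path.
func StagingSkew(m *GoMod) []Skew {
	kube, ok := m.Modules["k8s.io/kubernetes"]
	if !ok {
		return nil
	}
	want, ok := ExpectedStagingVersion(kube.Effective())
	if !ok {
		return nil
	}
	var out []Skew
	for path, info := range m.Modules {
		if !strings.HasPrefix(path, "k8s.io/") || path == "k8s.io/kubernetes" || nonStaging[path] {
			continue
		}
		if got := info.Effective(); got != want {
			out = append(out, Skew{path, got, want})
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Module < out[b].Module })
	return out
}

// BrokenGoMod is a constructed go.mod mirroring the failing state in the PR.
const BrokenGoMod = `module example.com/provisioner // constructed sample
require (
	k8s.io/api v0.31.12
	k8s.io/client-go v1.5.2
	k8s.io/klog/v2 v2.130.1 // indirect
	k8s.io/kubernetes v1.31.12
)
replace (
	k8s.io/api => k8s.io/api v0.31.12
	k8s.io/client-go => k8s.io/client-go v0.29.14
)
`

// FixedGoMod is the same file after the suggested pin to v0.31.12.
var FixedGoMod = strings.Replace(BrokenGoMod, "k8s.io/client-go v0.29.14", "k8s.io/client-go v0.31.12", 1)

func main() {
	for name, src := range map[string]string{"broken": BrokenGoMod, "fixed": FixedGoMod} {
		fmt.Printf("%s: %v\n", name, StagingSkew(ParseGoMod(src)))
	}
}
```

Run against the real go.mod after `go mod tidy`, the check reports the client-go pin before the build ever reaches the missing-package error, and it also catches the scenario from the bot's alternative approaches, where fixing client-go alone leaves another staging module at a different minor version.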

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026
