Skip to content

OADP-7565: Go 1.25.8 + x/* dep bumps for CVE fixes#39

Open
kaovilai wants to merge 2 commits intomigtools:oadp-1.6from
kaovilai:oadp-1.6
Open

OADP-7565: Go 1.25.8 + x/* dep bumps for CVE fixes#39
kaovilai wants to merge 2 commits intomigtools:oadp-1.6from
kaovilai:oadp-1.6

Conversation

@kaovilai
Copy link
Member

@kaovilai kaovilai commented Mar 17, 2026
edited
Loading

Summary

  • Add toolchain go1.25.8 directive (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
  • Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
  • Bump golang.org/x/crypto to v0.49.0 transitively (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
  • Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
  • Dockerfile updated to golang:1.25.8
  • Upgrade actions/setup-go from v5 to v6 (v6 reads the toolchain directive from go.mod)

Test plan

  • go build ./... passes
  • CI passes

Note

Responses generated with Claude

🤖 Generated with Claude Code

@kaovilai @claude @happy-otter
fix: update Go toolchain to 1.25.8 and bump golang.org/x/* deps for C…
41442b6 
…VE fixes

Addresses multiple CVEs:
- GO-2026-4337, GO-2026-4340 (crypto/tls)
- GO-2026-4341 (net/url), GO-2026-4342 (archive/zip)
- CVE-2026-25679 (net/url IPv6 host parsing)
- CVE-2026-27137 (crypto/x509 email constraints)
- GHSA-vvgc-356p-c3xw (golang.org/x/net XSS in HTML tokenizer)
- GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv (golang.org/x/crypto ssh)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Copilot AI review requested due to automatic review settings March 17, 2026 20:07
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 17, 2026

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

  • Add toolchain go1.25.8 directive (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
  • Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
  • Bump golang.org/x/crypto to v0.49.0 transitively (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
  • Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
  • Dockerfile updated to golang:1.25.8

Test plan

  • go build ./... passes
  • CI passes

[!Note]
Responses generated with Claude

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from mpryc and sseago March 17, 2026 20:07
@openshift-ci
Copy link

openshift-ci bot commented Mar 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai
Copy link

coderabbitai bot commented Mar 17, 2026
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: db12852f-9e1a-42c1-8778-bd0a63d94ded

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the project’s Go toolchain and selected golang.org/x/* dependencies to pick up security fixes, and aligns the build container image with the patched Go version.

Changes:

  • Add toolchain go1.25.8 to go.mod and bump golang.org/x/* module versions.
  • Refresh go.sum to match the updated module graph.
  • Update the builder image in Dockerfile to golang:1.25.8.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File Description
go.mod Adds Go toolchain directive and bumps golang.org/x/* versions.
go.sum Updates dependency checksums for the bumped x/* modules.
Dockerfile Uses golang:1.25.8 for the build stage.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

go.mod
Comment on lines +101 to +106
golang.org/x/mod v0.33.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/oauth2 v0.33.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/term v0.37.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/sys v0.42.0 // indirect
golang.org/x/term v0.41.0 // indirect
golang.org/x/text v0.35.0 // indirect
go.mod
@@ -2,6 +2,8 @@ module github.com/migtools/kubevirt-datamover-controller

go 1.25.7
mpryc
mpryc reviewed Mar 18, 2026
View reviewed changes
@kaovilai @claude @happy-otter
fix: upgrade actions/setup-go to v6 for toolchain directive support
8a9a752 
setup-go v6 reads the toolchain directive from go.mod when present,
falling back to the go directive otherwise. This replaces the
hardcoded go-version and correctly picks up go1.25.8 from the
toolchain directive.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 18, 2026
edited by openshift-ci bot
Loading

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

  • Add toolchain go1.25.8 directive (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
  • Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
  • Bump golang.org/x/crypto to v0.49.0 transitively (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
  • Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
  • Dockerfile updated to golang:1.25.8
  • Upgrade actions/setup-go from v5 to v6 (v6 reads the toolchain directive from go.mod)

Test plan

  • go build ./... passes
  • CI passes

[!Note]
Responses generated with Claude

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kaovilai kaovilai requested a review from mpryc March 18, 2026 15:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sseago sseago Awaiting requested review from sseago

@mpryc mpryc Awaiting requested review from mpryc

At least 2 approving reviews are required to merge this pull request.

Assignees

@kaovilai kaovilai

Labels

approved kubevirt-dm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kaovilai @openshift-ci-robot @mpryc