Skip to content

chore: bump vulnerable go dependencies#697

Merged
ldming merged 1 commit into
mainfrom
hotfix/fix-dependabot-security-20260714
Jul 14, 2026
Merged

chore: bump vulnerable go dependencies#697
ldming merged 1 commit into
mainfrom
hotfix/fix-dependabot-security-20260714

Conversation

@weicao

@weicao weicao commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR updates the Go dependencies that can be safely bumped within the current kbcli dependency graph to address Dependabot security alerts:

  • golang.org/x/net v0.54.0 -> v0.55.0
  • github.com/go-git/go-git/v5 v5.16.5 -> v5.19.1
  • github.com/go-git/go-billy/v5 v5.6.2 -> v5.9.0
  • oras.land/oras-go/v2 v2.6.0 -> v2.6.2
  • github.com/containerd/containerd v1.7.32 -> v1.7.33
  • go.mongodb.org/mongo-driver v1.15.1 -> v1.17.7

It also adds an explicit module replacement:

  • replace github.com/cyphar/filepath-securejoin => github.com/cyphar/filepath-securejoin v0.5.2

Reason: after bumping go-git / go-billy, Go module resolution selects github.com/cyphar/filepath-securejoin v0.6.1. The current dependency graph still includes github.com/containers/storage v1.59.1, whose Linux files call the older OpenInRoot / Reopen APIs. Without this replacement, GitHub make-test fails during Linux type checking in golangci-lint run ./.... go-billy v5.9.0 only needs SecureJoin, which is still available in filepath-securejoin v0.5.2.

Expected covered Dependabot alerts:

Validation

  • go mod tidy
  • go test ./...
  • GOOS=linux go test ./pkg/preflight/interactive
  • GOOS=linux go test -exec=true ./...
  • git diff --check
  • go list -m all | rg ... to verify the target module versions and the filepath-securejoin replacement

GitHub latest-head checks are green or expected skipped:

  • trigger-mode: success
  • size-label: success
  • Push Pre-Check: success
  • make-test: success
  • cli-doc / build-kbcli: skipped

Boundaries

This PR does not force the following alerts because local validation showed they would break the current kbcli dependency graph, or there is no verifiable patched version available:

Note: #696 was closed and recreated because branch ava/fix-dependabot-security-20260714 failed the kbcli branch-name precheck. This PR uses the allowed hotfix/ prefix.

@github-actions github-actions Bot added the size/M Denotes a PR that changes 30-99 lines. label Jul 14, 2026
@weicao
weicao force-pushed the hotfix/fix-dependabot-security-20260714 branch from adfff05 to c602523 Compare July 14, 2026 10:25
@weicao
weicao force-pushed the hotfix/fix-dependabot-security-20260714 branch from c602523 to 0758e65 Compare July 14, 2026 10:53
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 39.94%. Comparing base (40171fe) to head (0758e65).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #697   +/-   ##
=======================================
  Coverage   39.94%   39.94%           
=======================================
  Files         172      172           
  Lines       24031    24031           
=======================================
  Hits         9599     9599           
  Misses      13310    13310           
  Partials     1122     1122           
Flag Coverage Δ
unittests 39.94% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@weicao
weicao marked this pull request as ready for review July 14, 2026 11:11

@weicao weicao left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Focused review for latest head 0758e65df02135b56d2644072f5db284dd5dbf7a: 0 blocker for this module-only Dependabot security update.

What I checked:

  • Current-head diff is only go.mod / go.sum; no production code or runtime script changes.
  • Target module versions resolve as intended:
    • golang.org/x/net v0.55.0
    • github.com/go-git/go-git/v5 v5.19.1
    • github.com/go-git/go-billy/v5 v5.9.0
    • oras.land/oras-go/v2 v2.6.2
    • github.com/containerd/containerd v1.7.33
    • go.mongodb.org/mongo-driver v1.17.7
  • filepath-securejoin resolves as v0.6.1 => v0.5.2; this is deliberate and build-relevant, not an accidental downgrade. go-git/go-billy v5.9.0 only imports securejoin.SecureJoin, while github.com/containers/storage v1.59.1 still imports the older Linux APIs OpenInRoot, OpenatInRoot, and Reopen. The pinned v0.5.2 module contains all of those APIs.
  • XP contract classes 1-8: no silent fallback/runtime-state/NotFound/cleanup/operator-precedence risk introduced because the PR does not change execution logic. The only contract boundary is module resolution; the replace is explicit and is covered by Linux compile checks.

Direct validation I ran locally:

  • go mod tidy produced no diff.
  • go test ./...
  • GOOS=linux go test -exec=true ./...
  • GOOS=linux go test ./pkg/preflight/interactive
  • git diff --check origin/main...HEAD && git diff --check
  • go list -m github.com/go-git/go-git/v5 github.com/go-git/go-billy/v5 github.com/cyphar/filepath-securejoin github.com/containerd/containerd oras.land/oras-go/v2 go.mongodb.org/mongo-driver golang.org/x/net
  • go mod why -m github.com/cyphar/filepath-securejoin

GitHub latest-head checks are also closed: trigger-mode, size-label, Push Pre-Check, and make-test are SUCCESS; cli-doc and build-kbcli are SKIPPED.

Boundary: I did not verify the GitHub Dependabot UI itself after merge; this review confirms the PR diff, resolved module graph, and local/GitHub build compatibility for the updated dependency set.

@ldming ldming changed the title fix: bump vulnerable go dependencies chore: bump vulnerable go dependencies Jul 14, 2026
@ldming
ldming merged commit 4cf8e9c into main Jul 14, 2026
19 of 20 checks passed
@ldming
ldming deleted the hotfix/fix-dependabot-security-20260714 branch July 14, 2026 13:03
@github-actions github-actions Bot added this to the Release 1.0 milestone Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/M Denotes a PR that changes 30-99 lines.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants