chore: bump vulnerable go dependencies#697
Conversation
adfff05 to
c602523
Compare
c602523 to
0758e65
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #697 +/- ##
=======================================
Coverage 39.94% 39.94%
=======================================
Files 172 172
Lines 24031 24031
=======================================
Hits 9599 9599
Misses 13310 13310
Partials 1122 1122
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
weicao
left a comment
There was a problem hiding this comment.
Focused review for latest head 0758e65df02135b56d2644072f5db284dd5dbf7a: 0 blocker for this module-only Dependabot security update.
What I checked:
- Current-head diff is only
go.mod/go.sum; no production code or runtime script changes. - Target module versions resolve as intended:
golang.org/x/net v0.55.0github.com/go-git/go-git/v5 v5.19.1github.com/go-git/go-billy/v5 v5.9.0oras.land/oras-go/v2 v2.6.2github.com/containerd/containerd v1.7.33go.mongodb.org/mongo-driver v1.17.7
filepath-securejoinresolves asv0.6.1 => v0.5.2; this is deliberate and build-relevant, not an accidental downgrade.go-git/go-billy v5.9.0only importssecurejoin.SecureJoin, whilegithub.com/containers/storage v1.59.1still imports the older Linux APIsOpenInRoot,OpenatInRoot, andReopen. The pinnedv0.5.2module contains all of those APIs.- XP contract classes 1-8: no silent fallback/runtime-state/NotFound/cleanup/operator-precedence risk introduced because the PR does not change execution logic. The only contract boundary is module resolution; the
replaceis explicit and is covered by Linux compile checks.
Direct validation I ran locally:
go mod tidyproduced no diff.go test ./...GOOS=linux go test -exec=true ./...GOOS=linux go test ./pkg/preflight/interactivegit diff --check origin/main...HEAD && git diff --checkgo list -m github.com/go-git/go-git/v5 github.com/go-git/go-billy/v5 github.com/cyphar/filepath-securejoin github.com/containerd/containerd oras.land/oras-go/v2 go.mongodb.org/mongo-driver golang.org/x/netgo mod why -m github.com/cyphar/filepath-securejoin
GitHub latest-head checks are also closed: trigger-mode, size-label, Push Pre-Check, and make-test are SUCCESS; cli-doc and build-kbcli are SKIPPED.
Boundary: I did not verify the GitHub Dependabot UI itself after merge; this review confirms the PR diff, resolved module graph, and local/GitHub build compatibility for the updated dependency set.
Summary
This PR updates the Go dependencies that can be safely bumped within the current kbcli dependency graph to address Dependabot security alerts:
golang.org/x/netv0.54.0 -> v0.55.0github.com/go-git/go-git/v5v5.16.5 -> v5.19.1github.com/go-git/go-billy/v5v5.6.2 -> v5.9.0oras.land/oras-go/v2v2.6.0 -> v2.6.2github.com/containerd/containerdv1.7.32 -> v1.7.33go.mongodb.org/mongo-driverv1.15.1 -> v1.17.7It also adds an explicit module replacement:
replace github.com/cyphar/filepath-securejoin => github.com/cyphar/filepath-securejoin v0.5.2Reason: after bumping
go-git/go-billy, Go module resolution selectsgithub.com/cyphar/filepath-securejoin v0.6.1. The current dependency graph still includesgithub.com/containers/storage v1.59.1, whose Linux files call the olderOpenInRoot/ReopenAPIs. Without this replacement, GitHubmake-testfails during Linux type checking ingolangci-lint run ./....go-billy v5.9.0only needsSecureJoin, which is still available infilepath-securejoin v0.5.2.Expected covered Dependabot alerts:
golang.org/x/net < 0.55.0oras.land/oras-go/v2vulnerable ranges up to2.6.1or< 2.6.1github.com/containerd/containerd < 1.7.33go.mongodb.org/mongo-driver < 1.17.7github.com/go-git/go-git/v5github.com/go-git/go-billy/v5 < 5.9.0Validation
go mod tidygo test ./...GOOS=linux go test ./pkg/preflight/interactiveGOOS=linux go test -exec=true ./...git diff --checkgo list -m all | rg ...to verify the target module versions and thefilepath-securejoinreplacementGitHub latest-head checks are green or expected skipped:
trigger-mode: successsize-label: successPush Pre-Check: successmake-test: successcli-doc/build-kbcli: skippedBoundaries
This PR does not force the following alerts because local validation showed they would break the current kbcli dependency graph, or there is no verifiable patched version available:
helm.sh/helm/v3: upgrading tov3.20.2pulls Kubernetesv0.35.1andstructured-merge-diff/v6. With the repository's currentreplace k8s.io/* => v0.29.14, this causesstructured-merge-diff/v6vsv4type mismatches. Lifting the Kubernetes replacements tov0.35.1then conflicts with the currentcontroller-runtime v0.17.2andtroubleshoot v0.57.0APIs.github.com/docker/cli/github.com/docker/dockermakes ORAS v1 and k3d code conflict with the newer Docker module split intogithub.com/moby/moby/...packages.oras.land/oras-gov1: the Dependabot advisory does not provide afirst_patched_version, and the currently visible v1 latest version is stillv1.2.7. This PR does not claim an unverifiable fix for that alert.Note: #696 was closed and recreated because branch
ava/fix-dependabot-security-20260714failed the kbcli branch-name precheck. This PR uses the allowedhotfix/prefix.