Skip to content

chore(deps): patch Dependabot security alerts without breaking build#6983

Open
prkhrkat wants to merge 1 commit into
mainfrom
dependabot-fixes
Open

chore(deps): patch Dependabot security alerts without breaking build#6983
prkhrkat wants to merge 1 commit into
mainfrom
dependabot-fixes

Conversation

@prkhrkat

@prkhrkat prkhrkat commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Patches Dependabot security alerts by bumping vulnerable dependencies to their fixed versions and re-vendoring. Resolves 26 of 30 open alerts. Every change was verified against make build — the binary compiles and wire codegen is unchanged.

Updated dependencies (build passes)

Package From → To Alerts fixed
golang.org/x/crypto 0.46.0 → 0.52.0 7 (incl. 6 critical)
github.com/go-git/go-git/v5 5.13.2 → 5.19.1 7
oras.land/oras-go/v2 2.6.0 → 2.6.1 3
github.com/go-git/go-billy/v5 5.6.2 → 5.9.0 2
golang.org/x/net 0.48.0 → 0.55.0 1
github.com/aws/aws-sdk-go-v2/service/s3 1.79.4 → 1.97.3 1
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream 1.6.10 → 1.7.8 1
github.com/cloudflare/circl 1.6.1 → 1.6.3 1
k8s.io/kubernetes (+ all k8s.io/* staging) 1.33.4 → 1.33.6 (0.33.3 → 0.33.6) 1

Intentionally NOT updated

  • helm.sh/helm/v3 (medium): the only fix (3.20.2) force-upgrades the entire k8s stack to v0.35.x, which is incompatible with the pinned argo-cd/v2 v2.14.20 and k8s.io/kubernetes 1.33 — it breaks the build. No backported patch exists on the 3.18/3.19 line. Needs a coordinated argo-cd + k8s upgrade.
  • github.com/argoproj/argo-cd/v2 (high) — no patched version published upstream.
  • github.com/go-pg/pg (medium) — no patched version published upstream.

Verification

  • make build → succeeds, produces the devtron binary; wire regenerated wire_gen.go identically (no diff).
  • go build ./... → only the pre-existing broken mocks / mock_pipeline packages fail, identical to the baseline before these changes and not part of the make binary.
  • Changes confined to go.mod, go.sum, and vendor/.

🤖 Generated with Claude Code

Summary by Bito

  • Updated go-git and go-billy dependencies to versions 5.19.1 and 5.9.0 respectively.
  • Bumped golang.org/x/crypto, x/exp, and x/mod packages to newer versions.
  • Updated Kubernetes-related dependencies (k8s.io/api, apimachinery, client-go, kubectl, kubernetes, metrics) to version 0.33.6.

Resolve 26 of 30 open Dependabot alerts by bumping to patched versions
and re-vendoring. All updates verified with make build (binary compiles,
wire codegen unchanged).

Updated:
- golang.org/x/crypto 0.46.0 -> 0.52.0 (7 alerts, incl. critical)
- github.com/go-git/go-git/v5 5.13.2 -> 5.19.1 (7 alerts)
- oras.land/oras-go/v2 2.6.0 -> 2.6.1 (3 alerts)
- github.com/go-git/go-billy/v5 5.6.2 -> 5.9.0
- golang.org/x/net 0.48.0 -> 0.55.0
- github.com/aws/aws-sdk-go-v2/service/s3 1.79.4 -> 1.97.3
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream 1.6.10 -> 1.7.8
- github.com/cloudflare/circl 1.6.1 -> 1.6.3
- k8s.io/kubernetes 1.33.4 -> 1.33.6 (aligned all k8s.io/* staging to 0.33.6)

Intentionally skipped (would break build or no upstream fix):
- helm.sh/helm/v3: fix (3.20.2) force-upgrades k8s stack to 0.35.x,
  incompatible with pinned argo-cd v2.14.20 / k8s 1.33
- github.com/argoproj/argo-cd/v2: no patched version available
- github.com/go-pg/pg: no patched version available

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Some linked issues are invalid. Please update the issue links:\nIssue # in is not found or invalid (HTTP }404).\n

@github-actions

Copy link
Copy Markdown

Some linked issues are invalid. Please update the issue links:\nIssue # in is not found or invalid (HTTP }404).\n

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant