OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps#159

Closed
kaovilai wants to merge 1 commit into oadp-dev from cve-fix-oadp-dev
Conversation

@kaovilai
Member

Summary

  • Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
    • GO-2026-4337, GO-2026-4340 (crypto/tls)
    • GO-2026-4341 (net/url)
    • GO-2026-4342 (archive/zip)
    • CVE-2026-25679 (net/url IPv6 host parsing)
    • CVE-2026-27137 (crypto/x509 email constraints)
  • Bumps golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
  • Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0

Note

golang.org/x/crypto is not in this module's dependency graph — those CVEs do not apply here.

Test plan

  • go build ./... passes
  • CI passes

Note

Responses generated with Claude

- Add toolchain go1.25.8 (fixes GO-2026-4337, GO-2026-4340,
  GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
- golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
- golang.org/x/sys v0.35.0 → v0.42.0
- golang.org/x/text v0.23.0 → v0.35.0
- golang.org/x/term v0.30.0 → v0.41.0
- golang.org/x/mod v0.22.0 → v0.33.0

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Copilot AI review requested due to automatic review settings March 17, 2026 20:06
@openshift-ci-robot

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


Copilot AI left a comment

Pull request overview

Updates the module’s Go toolchain configuration and refreshes several golang.org/x/* indirect dependencies to newer versions.

Changes:

  • Add a toolchain go1.25.8 directive to go.mod.
  • Bump indirect golang.org/x/mod, x/net, x/sys, x/term, x/text versions in go.mod.
  • Update go.sum checksums to match the upgraded dependencies.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

  • go.mod: Pins the Go toolchain and updates indirect golang.org/x/* dependency versions.
  • go.sum: Updates dependency checksums to align with the module version bumps.

Comment on lines 3 to +5
go 1.25.0

toolchain go1.25.8
Comment on lines +5 to +6
toolchain go1.25.8

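Review bot: the `go 1.25.0` line is kept and only `toolchain go1.25.8` is added, so the stdlib fixes listed in the summary (crypto/tls, net/url, archive/zip, crypto/x509) only reach a binary that is actually compiled with go1.25.8 or newer; the `toolchain` directive takes effect only when this module is the main module and GOTOOLCHAIN is `auto` (the default), it is ignored when the module is consumed as a dependency, and a CI job or build image that sets GOTOOLCHAIN=local with an older Go bypasses it entirely. Suggest confirming that the build environment honors the directive, checking the produced binary with `go version -m <binary>` (it prints the Go version the binary was built with), and stating in the description that leaving `go 1.25.0` unchanged is intentional.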
@mpryc
Contributor

mpryc commented Mar 18, 2026

/lgtm

@openshift-ci

openshift-ci bot commented Mar 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, mpryc, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kaovilai,mpryc,weshayutin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kaovilai
Member Author

Closed in favor of #164. Branches were pushed directly to migtools/oadp-cli instead of a fork, which caused branch protection rules to block subsequent pushes (workflow file updates). Recreated from a new branch. Will use fork origin (kaovilai/oadp-cli) for future PRs.

Note

Responses generated with Claude

5 participants