fix(deps): update Go dependencies and resolve security vulnerabilities #541

jnpacker wants to merge 4 commits into
- Updated Go version from 1.25.0 to 1.26
- Upgraded OpenTelemetry exporters to fix CVE-2026-4985:
  * go.opentelemetry.io/otel from v1.42.0 to v1.44.0
  * go.opentelemetry.io/otel/sdk from v1.42.0 to v1.44.0
  * go.opentelemetry.io/otel/trace from v1.42.0 to v1.44.0
  * go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from v0.15.0 to v0.20.0
  * go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from v1.39.0 to v1.44.0
  * go.opentelemetry.io/otel/exporters/otlp/otlptrace from v1.39.0 to v1.44.0
  * go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from v1.39.0 to v1.44.0
- Updated other dependencies for compatibility:
  * golang.org/x/oauth2 from v0.34.0 to v0.36.0
  * google.golang.org/grpc from v1.80.0 to v1.81.1
  * github.com/grpc-ecosystem/grpc-gateway/v2 from v2.27.3 to v2.29.0
  * go.opentelemetry.io/proto/otlp from v1.9.0 to v1.10.0

## CVEs Resolved

- GO-2026-4985 (Oversized OTLP HTTP response bodies) - RESOLVED

## CVEs Requiring Go 1.26.4+

The following CVEs are in the Go standard library and require Go 1.26.4+ to be installed:

- GO-2026-5039 (net/textproto)
- GO-2026-5038 (mime)
- GO-2026-5037 (crypto/x509)

## Verification

- Build successful: `go build ./cmd/maestro/...` completed without errors
- All dependencies verified: `go mod verify` passed

Signed-off-by: swarm-cve-agent <20729652+jnpacker@users.noreply.github.com>
Walkthrough: Go directive bumped to 1.25.11, CI GO_VERSION updated to 1.25, multiple direct and indirect dependency versions updated (OpenTelemetry, oauth2, gRPC, grpc-gateway, OTLP/proto packages), and Helm CRD template now enables the versions[].subresources.status block.

Changes:
- Dependency and CI updates
- CRD template
- go.mod: set go 1.25.11 (fixes GO-2026-5037/5038/5039 on the 1.25 line; the original 1.26 bump was incorrect — all three CVEs are patched in 1.25.11, and 1.26.0 remains vulnerable until 1.26.4)
- .github/workflows/e2e.yml: update GO_VERSION from 1.24 to 1.25 to match go.mod
- charts/maestro-agent/templates/crd.yaml: remove .spec.status block (acceptedNames/conditions/storedVersions) rejected by Kubernetes 1.35 server-side apply as undeclared schema fields

Signed-off-by: Joshua Packer <jpacker@redhat.com>
Actionable comments posted: 1

Inline comments:

In .github/workflows/e2e.yml, line 10: Update the CI workflow environment variable GO_VERSION in the e2e GitHub Actions file from '1.25' to the exact patch version '1.25.11' so it matches go.mod; locate the GO_VERSION entry in .github/workflows/e2e.yml and set it to '1.25.11' to pin the CI Go patch release deterministically.
Signed-off-by: Joshua Packer <jpacker@redhat.com>
golang:1.25 docker image ships 1.25.8 which is older than the go 1.25.11 minimum required by go.mod, causing builds to fail.

Signed-off-by: Joshua Packer <jpacker@redhat.com>
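Added example, not code from this PR or the maestro project: a portable sh pre-build check that compares the `go` directive in go.mod with the toolchain actually installed, so a base image that lags the required patch level (like the golang:1.25 image at 1.25.8 described in the commit above) fails fast with a clear message. The `check_go_toolchain` helper and the sample go.mod it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of this PR: fail fast when the build environment's Go
# toolchain (e.g. the golang:1.25 image shipping 1.25.8) is older than the `go`
# directive in go.mod (1.25.11 here), instead of failing mid-build.

# version_ge A B: exit 0 when dotted version A >= B. Missing fields count as 0
# and non-digits such as "rc1" are stripped before the numeric comparison.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i" | tr -cd '0-9')
    y=$(printf '%s' "$2" | cut -d. -f"$i" | tr -cd '0-9')
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# go_directive FILE: print the version on the `go` line of a go.mod.
go_directive() { awk '$1 == "go" { print $2; exit }' "$1"; }

# toolchain_version: installed go binary's version ("go1.25.8 linux/amd64" -> 1.25.8).
toolchain_version() { go version 2>/dev/null | awk '{ sub(/^go/, "", $3); print $3 }'; }

# check_go_toolchain GOMOD [HAVE]: exit 0 if the toolchain satisfies go.mod,
# 1 if it is too old, 2 if either version cannot be determined.
check_go_toolchain() {
  need=$(go_directive "$1")
  have=${2:-$(toolchain_version)}
  if [ -z "$need" ] || [ -z "$have" ]; then
    echo "cannot determine Go versions (need='$need', have='$have')" >&2
    return 2
  fi
  if version_ge "$have" "$need"; then
    echo "ok: toolchain $have satisfies go.mod directive go $need"
  else
    echo "error: toolchain $have is older than go.mod directive go $need" >&2
    return 1
  fi
}

# Constructed sample go.mod (not the project's file) so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'module example.com/maestro\n\ngo 1.25.11\n' > "$tmp/go.mod"
check_go_toolchain "$tmp/go.mod" 1.25.8 || echo "(exit status $?, as expected for a stale image)"
check_go_toolchain "$tmp/go.mod" 1.26.0
```

In CI, run `check_go_toolchain go.mod` (with no second argument) as the first step so the image's `go` binary is what gets compared.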
## Security audit summary

### CVEs resolved

### Modules updated

### Outstanding CVEs

The following CVEs are in the Go standard library and require Go 1.26.4+ to be fully resolved:

The go.mod has been updated to require Go 1.26+. When Go 1.26.4 is available in the build environment, these standard library vulnerabilities will be automatically resolved.

### Verification