Bump github.com/onsi/gomega from 1.36.2 to 1.42.1 #86
No actionable comments were generated in the recent review.
Walkthrough
Changes: Go toolchain and dependency updates
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 11 passed
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: dependabot[bot]. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
/retest
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 73: The golang.org/x/oauth2 dependency at version v0.23.0 contains a
HIGH-severity CVE-2025-22868 vulnerability related to improper token validation.
Update the golang.org/x/oauth2 dependency entry in go.mod from v0.23.0 to
v0.27.0 or later (v0.36.0 is the latest as of June 2026). Since oauth2 is a
transitive dependency, you can either directly update the version in the go.mod
file or bump the OCM SDK version if it brings in a patched version of oauth2.
- Line 73: There is a confirmed CVE vulnerability (GO-2025-3488 /
CVE-2025-22868) in golang.org/x/oauth2 v0.23.0 that is pulled transitively via
ocm-sdk-go v0.1.456. The vulnerability has a CVSS score of 7.5 (High severity)
and involves improper token validation leading to potential denial-of-service.
Add a replace directive in go.mod that targets golang.org/x/oauth2 and forces it
to use the patched version v0.27.0, which will override the transitive
dependency chain from ocm-sdk-go and mitigate the vulnerability until the OCM
SDK itself is updated.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 92abf44b-d762-4a2d-9ef8-271c3e657a3d
⛔ Files ignored due to path filters (1): go.sum is excluded by !**/*.sum
📒 Files selected for processing (1): go.mod
| golang.org/x/net v0.33.0 // indirect | ||
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/net v0.56.0 // indirect | ||
| golang.org/x/oauth2 v0.23.0 // indirect |
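Review bot: `golang.org/x/oauth2 v0.23.0 // indirect` stays at v0.23.0 in this hunk while the bump only moves `golang.org/x/net` from v0.33.0 to v0.56.0, so the OSV Scanner findings attached to this line (GO-2025-3488 / CVE-2025-22868, fixed in v0.27.0) are left open by this PR. If the `replace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0` directive suggested in the review is added to this go.mod, run `go mod tidy` afterwards so go.sum is regenerated for the new version, and confirm the resolved version with `go list -m golang.org/x/oauth2` before relying on the scanner result.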
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if oauth2 is directly or transitively used in the codebase
rg -nP '\boauth2\b' --type go -g '!go.mod' | head -20
Repository: openshift-online/rosa-e2e
Length of output: 163
🌐 Web query:
What are the latest security patches available for golang.org/x/oauth2 and which versions address CVE GO-2025-3488 and GHSA-6v2p-p543-phr9?
💡 Result:
The vulnerability affecting golang.org/x/oauth2 is identified as GO-2025-3488 [1][2], which is also tracked as CVE-2025-22868 and GHSA-6v2p-p543-phr9 [3][4][5]. This issue involves improper validation of input during token parsing, allowing an attacker to pass a maliciously malformed token that causes unexpected memory consumption [1][5]. This vulnerability was addressed in golang.org/x/oauth2 version 0.27.0 [1][5]. To remediate the issue, users should update the package to version 0.27.0 or any later release [1][6]. As of June 2026, the latest available version is v0.36.0, which includes this fix [6][7].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2025-3488
- 2: https://osv.dev/GO-2025-3488
- 3: GHSA-6v2p-p543-phr9
- 4: https://nvd.nist.gov/vuln/detail/cve-2025-22868
- 5: https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9
- 6: https://pkg.go.dev/golang.org/x/oauth2
- 7: https://socket.dev/go/package/golang.org/x/oauth2?version=v0.36.0
🌐 Web query:
Does golang.org/x/oauth2 v0.24.0 or later exist as a patch for these vulnerabilities?
💡 Result:
No, golang.org/x/oauth2 version v0.24.0 does not serve as a patch for the known security vulnerability affecting this package [1][2]. The vulnerability in question is CVE-2025-22868 (also tracked as GO-2025-3488), which involves unexpected memory consumption during token parsing in the golang.org/x/oauth2/jws package [1][3][2]. This vulnerability affects all versions of the package prior to v0.27.0 [1][3][4]. Version v0.24.0 was released on October 31, 2024 [5][6], whereas the patch for this vulnerability (v0.27.0) was released on February 24, 2025 [2]. To mitigate this vulnerability, you must update your dependency to at least v0.27.0 [1][3].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2025-3488
- 2: https://groups.google.com/g/golang-announce/c/wImnF7NFhJE
- 3: https://osv.dev/GO-2025-3488
- 4: https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02djJwLXA1NDMtcGhyOc4ABKRz
- 5: https://go.googlesource.com/oauth2/+/refs/tags/v0.24.0
- 6: https://go.googlesource.com/oauth2/+/refs/tags/v0.24.0%5E%21/
Update golang.org/x/oauth2 to v0.27.0 or later to address HIGH-severity CVE.
Static analysis detected CVE-2025-22868 (GO-2025-3488 / GHSA-6v2p-p543-phr9) in golang.org/x/oauth2 v0.23.0: improper validation during token parsing allows maliciously malformed tokens to cause unexpected memory consumption.
The fix is available in golang.org/x/oauth2 v0.27.0 (released February 24, 2025) and later versions (latest: v0.36.0 as of June 2026). Although oauth2 is only used as a transitive dependency in this codebase, update the dependency chain—either by bumping OCM SDK or by directly pinning v0.27.0+ in go.mod—to incorporate the patch.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[HIGH] 73-73: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2
(GO-2025-3488)
[HIGH] 73-73: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 73, the golang.org/x/oauth2 dependency at version v0.23.0
contains a HIGH-severity CVE-2025-22868 vulnerability related to improper token
validation. Update the golang.org/x/oauth2 dependency entry in go.mod from
v0.23.0 to v0.27.0 or later (v0.36.0 is the latest as of June 2026). Since
oauth2 is a transitive dependency, you can either directly update the version in
the go.mod file or bump the OCM SDK version if it brings in a patched version of
oauth2.
Source: Linters/SAST tools
🔒 Security & Privacy | 🔴 Critical
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if oauth2 is directly referenced in the codebase (not just go.mod)
rg -nP '\boauth2\b' --type go -g '!{go.mod,go.sum}' | head -20
Repository: openshift-online/rosa-e2e
Length of output: 163
🌐 Web query:
Are there patched versions of golang.org/x/oauth2 (v0.24.0 or later) that fix GO-2025-3488 and GHSA-6v2p-p543-phr9?
💡 Result:
Yes, there are patched versions of golang.org/x/oauth2 that address these vulnerabilities. Both GO-2025-3488 and GHSA-6v2p-p543-phr9 refer to the same vulnerability, CVE-2025-22868, which involves improper validation of input in the package that can lead to excessive memory consumption and a denial-of-service (DoS) condition [1][2][3]. This vulnerability was fixed in golang.org/x/oauth2 version 0.27.0 [1][4][5]. If you are using version 0.24.0 or any other version prior to 0.27.0, you should upgrade to version 0.27.0 or a later release to remediate this issue [1][5].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2025-3488
- 2: GHSA-6v2p-p543-phr9
- 3: https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9
- 4: https://osv.dev/GO-2025-3488
- 5: https://intel.aikido.dev/cve/AIKIDO-2025-10169
🌐 Web query:
What is the current status and CVSS score for CVE GO-2025-3488 and GHSA-6v2p-p543-phr9 in golang.org/x/oauth2?
💡 Result:
The vulnerability identified as GO-2025-3488 and GHSA-6v2p-p543-phr9 refers to the same security issue in the golang.org/x/oauth2 package, specifically within the golang.org/x/oauth2/jws sub-package [1][2][3]. This vulnerability is assigned the CVE identifier CVE-2025-22868 [1][4][5].
Status and Details:
- Current Status: Fixed. The vulnerability was addressed in version 0.27.0 of golang.org/x/oauth2 [1][4].
- Vulnerability Type: The issue involves unexpected memory consumption during token parsing, which can lead to a denial of service [1][4][3]. It is categorized as improper validation of syntactic correctness of input (CWE-1286) [3] and allocation of resources without limits or throttling [5].
- CVSS Score: The vulnerability has a CVSS v3 base score of 7.5 (High) [3][6]. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [3].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2025-3488
- 2: https://osv.dev/GO-2025-3488
- 3: https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9
- 4: https://groups.google.com/g/golang-announce/c/wImnF7NFhJE
- 5: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594
- 6: https://images.chainguard.dev/security/CGA-7cmq-pr89-2h5m
🏁 Script executed:
# Check the go.mod file to understand the dependency structure
head -100 go.mod
Repository: openshift-online/rosa-e2e
Length of output: 4246
🏁 Script executed:
# Search for OCM SDK and other key dependencies to understand the dependency chain
grep -E 'github.com/openshift-online/ocm-sdk-go|golang.org/x/oauth2' go.mod
Repository: openshift-online/rosa-e2e
Length of output: 253
🏁 Script executed:
# Check if there are any direct oauth2 imports in the actual code
find . -name '*.go' -path '*/test/*' -o -path '*/pkg/*' | head -1 | xargs grep -l "oauth2" 2>/dev/null | head -5
Repository: openshift-online/rosa-e2e
Length of output: 163
🏁 Script executed:
# Check if there's a newer version of OCM SDK available and what oauth2 version it uses
# First, let's see if we can find information about OCM SDK dependency chains
rg 'ocm-sdk-go' go.mod -A 2
Repository: openshift-online/rosa-e2e
Length of output: 257
🌐 Web query:
What version of github.com/openshift-online/ocm-sdk-go includes golang.org/x/oauth2 v0.27.0 or later (the patched version)?
💡 Result:
As of June 24, 2026, the github.com/openshift-online/ocm-sdk-go library does not include golang.org/x/oauth2 version v0.27.0 or later as a direct dependency. Official module data indicates that current versions of the SDK, including recent releases, continue to pin golang.org/x/oauth2 to v0.15.0 [1][2][3][4]. If your project requires the security patches provided in golang.org/x/oauth2 v0.27.0, you can force the upgrade in your own project's go.mod file by using a replace directive, as Go modules allow downstream consumers to override dependency versions:
replace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0
This will ensure your application uses the patched version regardless of the version pinned by ocm-sdk-go.
Citations:
- 1: https://github.com/openshift-online/ocm-sdk-go/blob/main/go.mod
- 2: https://pkg.go.dev/github.com/openshift-online/ocm-sdk-go@v0.1.503
- 3: https://pkg.go.dev/github.com/openshift-online/ocm-sdk-go/examples
- 4: https://pkg.go.dev/github.com/openshift-online/ocm-sdk-go
Resolve golang.org/x/oauth2 v0.23.0 CVE before merge using a replace directive.
The vulnerability is confirmed: GO-2025-3488 and GHSA-6v2p-p543-phr9 (CVE-2025-22868) are the same issue in golang.org/x/oauth2, with CVSS 7.5 (High severity). It involves improper validation of token input, leading to excessive memory consumption and denial-of-service risk. The fix is available in v0.27.0.
The dependency is transitive (pulled via ocm-sdk-go v0.1.456), not directly used in code. The OCM SDK does not yet include the patched version. To resolve this immediately, add a replace directive in go.mod:
replace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0
This forces your project to use the patched version independently of the SDK's transitive chain. Monitor for OCM SDK updates that may eventually include the patch, at which point the replace directive can be removed.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[HIGH] 73-73: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2
(GO-2025-3488)
[HIGH] 73-73: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 73, there is a confirmed CVE vulnerability (GO-2025-3488 /
CVE-2025-22868) in golang.org/x/oauth2 v0.23.0 that is pulled transitively via
ocm-sdk-go v0.1.456. The vulnerability has a CVSS score of 7.5 (High severity)
and involves improper token validation leading to potential denial-of-service.
Add a replace directive in go.mod that targets golang.org/x/oauth2 and forces it
to use the patched version v0.27.0, which will override the transitive
dependency chain from ocm-sdk-go and mitigate the vulnerability until the OCM
SDK itself is updated.
Source: Linters/SAST tools
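A stand-alone check for the situation both review comments above describe, added here as an example (not the project's code and not CodeRabbit's output): it resolves the effective `golang.org/x/oauth2` version from go.mod text, with and without the suggested `replace` directive, and compares it against the GO-2025-3488 fix version v0.27.0. The module path `example.com/rosa-e2e` and both go.mod texts are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod mirroring the PR (oauth2 indirect, below the GO-2025-3488 fix v0.27.0),
// and the same file with the replace directive suggested in the review appended.
const VulnerableGoMod = "module example.com/rosa-e2e\n\nrequire (\n\tgithub.com/openshift-online/ocm-sdk-go v0.1.456\n\tgolang.org/x/oauth2 v0.23.0 // indirect\n)\n"
const PatchedGoMod = VulnerableGoMod + "\nreplace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0\n"

// EffectiveVersion returns the version of modPath a build resolves from go.mod text: its require
// entry, unless a replace directive for the same path pins another version (single-line or block form).
func EffectiveVersion(gomod, modPath string) (version string, replaced bool) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:] // single-line directive: drop the keyword (lines inside a block have none)
		}
		if len(f) < 2 || f[0] != modPath {
			continue
		}
		if f[1] == "=>" || len(f) > 2 && f[2] == "=>" { // "old [vX] => new vY": the replacement wins
			version, replaced = f[len(f)-1], true // a directory replacement yields a path, not a version
		} else if !replaced {
			version = f[1]
		}
	}
	return version, replaced
}

// Fixed reports whether version is at least fixedIn by numeric MAJOR.MINOR.PATCH comparison;
// pseudo-versions (v0.0.0-<time>-<hash>) and paths parse as 0.0.0, i.e. below any tagged fix.
func Fixed(version, fixedIn string) bool {
	num := func(v string) (p [3]int) {
		fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &p[0], &p[1], &p[2]) // stops at any suffix
		return p
	}
	a, b := num(version), num(fixedIn)
	return a[0] > b[0] || a[0] == b[0] && (a[1] > b[1] || a[1] == b[1] && a[2] >= b[2])
}

func main() {
	for _, m := range []string{VulnerableGoMod, PatchedGoMod} {
		v, r := EffectiveVersion(m, "golang.org/x/oauth2")
		fmt.Printf("oauth2 resolves to %s (replace=%t) fixed=%t\n", v, r, Fixed(v, "v0.27.0"))
	}
}
```

On a real checkout, `go list -m golang.org/x/oauth2` gives the resolved version directly; this parser is useful where only the go.mod text is available, as in a review bot.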
/retest
rebase
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
8194646 to 61b2ac8
Caution: Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.
E2E Smoke Tests Failed. Auto-merge has been disabled because e2e smoke tests failed. Please investigate and /retest when ready.
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.36.2 to 1.42.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.36.2...v1.42.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
61b2ac8 to 73f105d
E2E Smoke Tests Failed. Auto-merge was not enabled because e2e smoke tests failed. Please investigate and /retest when ready.
@dependabot[bot]: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Bumps github.com/onsi/gomega from 1.36.2 to 1.42.1.
Release notes
Sourced from github.com/onsi/gomega's releases.
... (truncated)
Changelog
Sourced from github.com/onsi/gomega's changelog.
... (truncated)
Commits
- ced6c1c v1.42.1
- 2beb9fb v1.42.1 (full)
- 006cd2c bump all the things
- 35ca084 v1.42.0
- d72697b v1.42.0 (full)
- 1f95d86 add a set of claude skills as a marketplace plugin
- af2bccb v1.41.0
- 73e81f6 v1.41.0 (full)
- e35a84f feat: devcontainer configuration with local pkgsite and GH pages
- f12e5e1 fix(format): detect pointer cycles to avoid runaway formatting output