Bump github.com/onsi/gomega from 1.36.2 to 1.42.1#86

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/onsi/gomega-1.42.1

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Contributor

Bumps github.com/onsi/gomega from 1.36.2 to 1.42.1.

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.42.1

1.42.1

Bump Dependencies

v1.42.0

1.42.0

Add a set of Claude skills as a marketplace plugin

v1.41.0

No release notes provided.

v1.40.0

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

v1.39.1

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

v1.39.0

1.39.0

Features

Add MatchErrorStrictly which only passes if errors.Is(actual, expected) returns true. MatchError, by contrast, will fall back to string comparison.

v1.38.3

1.38.3

Fixes

make string formatting more consistent for users who use format.Object directly

v1.38.2

1.38.2

  • roll back to go 1.23.0 [c404969]

v1.38.1

1.38.1

Fixes

... (truncated)

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.42.1

Bump Dependencies

1.42.0

Add a set of Claude skills as a marketplace plugin

1.41.0

Features

Add BeASlice and BeAnArray matchers

Fixes

Object formatting now detects pointer cycles to avoid runaway formatting output.

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

1.39.0

Features

Add MatchErrorStrictly which only passes if errors.Is(actual, expected) returns true. MatchError, by contrast, will fall back to string comparison.

1.38.3

Fixes

make string formatting more consistent for users who use format.Object directly

1.38.2

  • roll back to go 1.23.0 [c404969]

1.38.1

Fixes

Numerous minor fixes and dependency bumps

... (truncated)

Commits

Summary by CodeRabbit

  • Chores
    • Updated the Go toolchain version.
    • Refreshed several project dependencies, including test and utility libraries, to newer releases for compatibility and maintenance.

@dependabot dependabot Bot added area/dependency Issues or PRs related to dependency changes ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Jun 24, 2026
coderabbitai Bot commented Jun 24, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f6819b5f-8b79-4d66-95a4-e5becba3de7f

📥 Commits

Reviewing files that changed from the base of the PR and between 8194646 and 73f105d.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Walkthrough

go.mod updates the Go toolchain directive to 1.25.0, upgrades the direct test dependency github.com/onsi/gomega, and refreshes several indirect dependencies including go-cmp, golang.org/x/*, go.yaml.in/yaml/v3, and google.golang.org/protobuf.

Changes

Go toolchain and dependency updates

Layer | File(s) | Summary
Go toolchain and direct dependency | go.mod | The Go directive changes to 1.25.0, and github.com/onsi/gomega is upgraded from v1.36.2 to v1.42.1.
Indirect dependency refresh | go.mod | github.com/google/go-cmp is updated from v0.6.0 to v0.7.0; go.yaml.in/yaml/v3 is set to v3.0.4; several golang.org/x/* modules are bumped; and google.golang.org/protobuf is updated from v1.36.1 to v1.36.7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title correctly names the main dependency bump in this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed Diff is limited to go.mod/go.sum dependency bumps; no MD5/SHA1/DES/RC4/3DES/Blowfish, custom crypto, or secret comparisons added.
Container-Privileges ✅ Passed PR is dependency-only (go.mod/go.sum); scans found no privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation settings in manifests.
No-Sensitive-Data-In-Logs ✅ Passed Only go.mod/go.sum dependency bumps are present; no logging code or sensitive-data output was added or changed.
No-Hardcoded-Secrets ✅ Passed Only go.mod/go.sum changed for dependency bumps; no API keys, tokens, passwords, private keys, credential URLs, or suspicious literals found.
No-Injection-Vectors ✅ Passed No listed injection patterns were introduced; searches found none, and YAML parsing uses yaml.v3 Unmarshal/NewDecoder rather than unsafe yaml.load.
Ai-Attribution ✅ Passed No AI-tool usage is claimed in the commit/PR; only a Dependabot Signed-off-by trailer is present, with no Assisted-by/Generated-by or Co-Authored-By.

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from dustman9000 and gdbranco June 24, 2026 04:12
openshift-ci Bot commented Jun 24, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign gdbranco for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions


/retest

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 73: The golang.org/x/oauth2 dependency at version v0.23.0 contains a
HIGH-severity CVE-2025-22868 vulnerability related to improper token validation.
Update the golang.org/x/oauth2 dependency entry in go.mod from v0.23.0 to
v0.27.0 or later (v0.36.0 is the latest as of June 2026). Since oauth2 is a
transitive dependency, you can either directly update the version in the go.mod
file or bump the OCM SDK version if it brings in a patched version of oauth2.
- Line 73: There is a confirmed CVE vulnerability (GO-2025-3488 /
CVE-2025-22868) in golang.org/x/oauth2 v0.23.0 that is pulled transitively via
ocm-sdk-go v0.1.456. The vulnerability has a CVSS score of 7.5 (High severity)
and involves improper token validation leading to potential denial-of-service.
Add a replace directive in go.mod that targets golang.org/x/oauth2 and forces it
to use the patched version v0.27.0, which will override the transitive
dependency chain from ocm-sdk-go and mitigate the vulnerability until the OCM
SDK itself is updated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 92abf44b-d762-4a2d-9ef8-271c3e657a3d

📥 Commits

Reviewing files that changed from the base of the PR and between f623c4b and 8194646.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
golang.org/x/net v0.33.0 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/net v0.56.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
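Review bot: golang.org/x/oauth2 is left at v0.23.0 in this hunk while the neighbouring golang.org/x/net line moves from v0.33.0 to v0.56.0, so the OSV Scanner finding on this line (GO-2025-3488 / CVE-2025-22868, fixed in v0.27.0) survives the Gomega bump. Raise the entry to `golang.org/x/oauth2 v0.27.0 // indirect`, or add `replace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0` as the inline review suggests, and re-run the scanner so the finding clears before merge.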


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if oauth2 is directly or transitively used in the codebase
rg -nP '\boauth2\b' --type go -g '!go.mod' | head -20

Repository: openshift-online/rosa-e2e

Length of output: 163


🌐 Web query:

What are the latest security patches available for golang.org/x/oauth2 and which versions address CVE GO-2025-3488 and GHSA-6v2p-p543-phr9?

💡 Result:

The vulnerability affecting golang.org/x/oauth2 is identified as GO-2025-3488 [1][2], which is also tracked as CVE-2025-22868 and GHSA-6v2p-p543-phr9 [3][4][5]. This issue involves improper validation of input during token parsing, allowing an attacker to pass a maliciously malformed token that causes unexpected memory consumption [1][5]. This vulnerability was addressed in golang.org/x/oauth2 version 0.27.0 [1][5]. To remediate the issue, users should update the package to version 0.27.0 or any later release [1][6]. As of June 2026, the latest available version is v0.36.0, which includes this fix [6][7].


🌐 Web query:

Does golang.org/x/oauth2 v0.24.0 or later exist as a patch for these vulnerabilities?

💡 Result:

No, golang.org/x/oauth2 version v0.24.0 does not serve as a patch for the known security vulnerability affecting this package [1][2]. The vulnerability in question is CVE-2025-22868 (also tracked as GO-2025-3488), which involves unexpected memory consumption during token parsing in the golang.org/x/oauth2/jws package [1][3][2]. This vulnerability affects all versions of the package prior to v0.27.0 [1][3][4]. Version v0.24.0 was released on October 31, 2024 [5][6], whereas the patch for this vulnerability (v0.27.0) was released on February 24, 2025 [2]. To mitigate this vulnerability, you must update your dependency to at least v0.27.0 [1][3].


Update golang.org/x/oauth2 to v0.27.0 or later to address HIGH-severity CVE.

Static analysis detected CVE-2025-22868 (GO-2025-3488 / GHSA-6v2p-p543-phr9) in golang.org/x/oauth2 v0.23.0: improper validation during token parsing allows maliciously malformed tokens to cause unexpected memory consumption.

The fix is available in golang.org/x/oauth2 v0.27.0 (released February 24, 2025) and later versions (latest: v0.36.0 as of June 2026). Although oauth2 is only used as a transitive dependency in this codebase, update the dependency chain—either by bumping OCM SDK or by directly pinning v0.27.0+ in go.mod—to incorporate the patch.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 73-73: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 73-73: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 73, The golang.org/x/oauth2 dependency at version v0.23.0
contains a HIGH-severity CVE-2025-22868 vulnerability related to improper token
validation. Update the golang.org/x/oauth2 dependency entry in go.mod from
v0.23.0 to v0.27.0 or later (v0.36.0 is the latest as of June 2026). Since
oauth2 is a transitive dependency, you can either directly update the version in
the go.mod file or bump the OCM SDK version if it brings in a patched version of
oauth2.

Source: Linters/SAST tools


🔒 Security & Privacy | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if oauth2 is directly referenced in the codebase (not just go.mod)
rg -nP '\boauth2\b' --type go -g '!{go.mod,go.sum}' | head -20

Repository: openshift-online/rosa-e2e

Length of output: 163


🌐 Web query:

Are there patched versions of golang.org/x/oauth2 (v0.24.0 or later) that fix GO-2025-3488 and GHSA-6v2p-p543-phr9?

💡 Result:

Yes, there are patched versions of golang.org/x/oauth2 that address these vulnerabilities. Both GO-2025-3488 and GHSA-6v2p-p543-phr9 refer to the same vulnerability, CVE-2025-22868, which involves improper validation of input in the package that can lead to excessive memory consumption and a denial-of-service (DoS) condition [1][2][3]. This vulnerability was fixed in golang.org/x/oauth2 version 0.27.0 [1][4][5]. If you are using version 0.24.0 or any other version prior to 0.27.0, you should upgrade to version 0.27.0 or a later release to remediate this issue [1][5].


🌐 Web query:

What is the current status and CVSS score for CVE GO-2025-3488 and GHSA-6v2p-p543-phr9 in golang.org/x/oauth2?

💡 Result:

The vulnerability identified as GO-2025-3488 and GHSA-6v2p-p543-phr9 refers to the same security issue in the golang.org/x/oauth2 package, specifically within the golang.org/x/oauth2/jws sub-package [1][2][3]. This vulnerability is assigned the CVE identifier CVE-2025-22868 [1][4][5]. Status and Details: - Current Status: Fixed. The vulnerability was addressed in version 0.27.0 of golang.org/x/oauth2 [1][4]. - Vulnerability Type: The issue involves unexpected memory consumption during token parsing, which can lead to a denial of service [1][4][3]. It is categorized as improper validation of syntactic correctness of input (CWE-1286) [3] and allocation of resources without limits or throttling [5]. - CVSS Score: The vulnerability has a CVSS v3 base score of 7.5 (High) [3][6]. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [3].


🏁 Script executed:

# Check the go.mod file to understand the dependency structure
head -100 go.mod

Repository: openshift-online/rosa-e2e

Length of output: 4246


🏁 Script executed:

# Search for OCM SDK and other key dependencies to understand the dependency chain
grep -E 'github.com/openshift-online/ocm-sdk-go|golang.org/x/oauth2' go.mod

Repository: openshift-online/rosa-e2e

Length of output: 253


🏁 Script executed:

# Check if there are any direct oauth2 imports in the actual code
find . -name '*.go' -path '*/test/*' -o -path '*/pkg/*' | head -1 | xargs grep -l "oauth2" 2>/dev/null | head -5

Repository: openshift-online/rosa-e2e

Length of output: 163


🏁 Script executed:

# Check if there's a newer version of OCM SDK available and what oauth2 version it uses
# First, let's see if we can find information about OCM SDK dependency chains
rg 'ocm-sdk-go' go.mod -A 2

Repository: openshift-online/rosa-e2e

Length of output: 257


🌐 Web query:

What version of github.com/openshift-online/ocm-sdk-go includes golang.org/x/oauth2 v0.27.0 or later (the patched version)?

💡 Result:

As of June 24, 2026, the github.com/openshift-online/ocm-sdk-go library does not include golang.org/x/oauth2 version v0.27.0 or later as a direct dependency. Official module data indicates that current versions of the SDK, including recent releases, continue to pin golang.org/x/oauth2 to v0.15.0 [1][2][3][4]. If your project requires the security patches provided in golang.org/x/oauth2 v0.27.0, you can force the upgrade in your own project's go.mod file by using a replace directive, as Go modules allow downstream consumers to override dependency versions: replace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0. This will ensure your application uses the patched version regardless of the version pinned by ocm-sdk-go.


Resolve golang.org/x/oauth2 v0.23.0 CVE before merge using a replace directive.

The vulnerability is confirmed: GO-2025-3488 and GHSA-6v2p-p543-phr9 (CVE-2025-22868) are the same issue in golang.org/x/oauth2, with CVSS 7.5 (High severity). It involves improper validation of token input, leading to excessive memory consumption and denial-of-service risk. The fix is available in v0.27.0.

The dependency is transitive (pulled via ocm-sdk-go v0.1.456), not directly used in code. The OCM SDK does not yet include the patched version. To resolve this immediately, add a replace directive in go.mod:

replace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0

This forces your project to use the patched version independently of the SDK's transitive chain. Monitor for OCM SDK updates that may eventually include the patch, at which point the replace directive can be removed.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 73-73: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 73-73: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 73, There is a confirmed CVE vulnerability (GO-2025-3488 /
CVE-2025-22868) in golang.org/x/oauth2 v0.23.0 that is pulled transitively via
ocm-sdk-go v0.1.456. The vulnerability has a CVSS score of 7.5 (High severity)
and involves improper token validation leading to potential denial-of-service.
Add a replace directive in go.mod that targets golang.org/x/oauth2 and forces it
to use the patched version v0.27.0, which will override the transitive
dependency chain from ocm-sdk-go and mitigate the vulnerability until the OCM
SDK itself is updated.

Source: Linters/SAST tools
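Both inline findings above reduce to one question: which version of golang.org/x/oauth2 does the build actually select once require and replace directives are applied? The Go program below is an added example, not code from the rosa-e2e repository or from CodeRabbit; it reads go.mod text, lets a versioned replace target override the require entry, and reports modules still pinned below the fixed version, using constructed fragments that mirror the lines under review (require blocks and single-line replace directives only; the fixed-version table is the page's own GO-2025-3488 finding).

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// minFixed holds this PR's finding: GO-2025-3488 / CVE-2025-22868 in
// golang.org/x/oauth2 is fixed from v0.27.0 on.
var minFixed = map[string]string{"golang.org/x/oauth2": "v0.27.0"}

// parse reads the MAJOR.MINOR.PATCH prefix of a module version; any -rc,
// pseudo-version or +incompatible suffix after it is ignored.
func parse(v string) (out [3]int, ok bool) {
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err == nil && n == 3
}

// older reports whether version a is below b; unparsable pins are reported
// rather than silently accepted.
func older(a, b string) bool {
	x, okA := parse(a)
	y, okB := parse(b)
	return !okA || !okB || x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// EffectiveVersions returns the version of each required module that a
// build actually uses: a versioned replace target overrides the require line.
func EffectiveVersions(gomod string) map[string]string {
	required, replaced := map[string]string{}, map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		j := slices.Index(f, "=>")
		switch {
		case j > 1 && j+2 < len(f) && f[0] == "replace":
			replaced[f[1]] = f[j+2] // replace OLD [vX] => NEW vY
		case len(f) >= 2 && f[0] != "replace" && strings.HasPrefix(f[1], "v"):
			required[f[0]] = f[1] // require-block entry; a trailing "// indirect" is ignored
		}
	}
	for m, v := range replaced {
		if _, ok := required[m]; ok {
			required[m] = v
		}
	}
	return required
}

// BelowFix lists modules whose effective version is older than minFixed.
func BelowFix(gomod string) map[string]string {
	bad := map[string]string{}
	for mod, have := range EffectiveVersions(gomod) {
		if want, ok := minFixed[mod]; ok && older(have, want) {
			bad[mod] = have
		}
	}
	return bad
}

// Constructed go.mod fragments mirroring the lines under review in this PR;
// they are not the repository's real file.
const Vulnerable = "require (\n\tgolang.org/x/net v0.56.0 // indirect\n\tgolang.org/x/oauth2 v0.23.0 // indirect\n)\n"
const Patched = Vulnerable + "\nreplace golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0\n"

func main() {
	fmt.Println("before:", BelowFix(Vulnerable)) // map[golang.org/x/oauth2:v0.23.0]
	fmt.Println("after: ", BelowFix(Patched))    // map[]
}
```

The same check applied to the real go.mod would clear only once the replace directive is present or ocm-sdk-go itself pulls in v0.27.0 or later.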

@github-actions


/retest

@openshift-ci

openshift-ci Bot commented Jun 30, 2026


rebase

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/onsi/gomega-1.42.1 branch from 8194646 to 61b2ac8 Compare June 30, 2026 18:11
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 30, 2026
@github-actions github-actions Bot enabled auto-merge (squash) June 30, 2026 18:11
@coderabbitai

coderabbitai Bot commented Jun 30, 2026


Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@github-actions github-actions Bot disabled auto-merge June 30, 2026 18:17
@github-actions


E2E Smoke Tests Failed

Auto-merge has been disabled because e2e smoke tests failed. Please investigate and /retest when ready.

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.36.2 to 1.42.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.36.2...v1.42.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/onsi/gomega-1.42.1 branch from 61b2ac8 to 73f105d Compare June 30, 2026 21:58
@github-actions


E2E Smoke Tests Failed

Auto-merge was not enabled because e2e smoke tests failed. Please investigate and /retest when ready.

@openshift-ci

openshift-ci Bot commented Jun 30, 2026


@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main 8194646 link true /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main
ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main 8194646 link true /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main
ci/prow/e2e-rosa-hcp-smoke 73f105d link false /test e2e-rosa-hcp-smoke
ci/prow/e2e-rosa-classic-smoke 73f105d link false /test e2e-rosa-classic-smoke
ci/prow/unit 73f105d link true /test unit
ci/prow/upgrade-images 73f105d link true /test upgrade-images
ci/prow/periodics-images 73f105d link true /test periodics-images
ci/prow/images 73f105d link true /test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
