Skip to content

chore(deps): bump golang.org/x/crypto, x/net, and x/mod to latest#1670

Open
rohanKanojia wants to merge 1 commit into
devfile:mainfrom
rohankanojia-forks:chore/deps-bump-go-toolchain-x-crypto-x-net
Open

chore(deps): bump golang.org/x/crypto, x/net, and x/mod to latest#1670
rohanKanojia wants to merge 1 commit into
devfile:mainfrom
rohankanojia-forks:chore/deps-bump-go-toolchain-x-crypto-x-net

Conversation

@rohanKanojia

@rohanKanojia rohanKanojia commented Jul 10, 2026

Copy link
Copy Markdown
Member

What does this PR do?

Updates Go module dependencies to their latest available versions:

Package Previous Updated
golang.org/x/crypto v0.52.0 v0.54.0
golang.org/x/net v0.55.0 v0.57.0
golang.org/x/mod v0.35.0 v0.38.0

Transitive golang.org/x/* dependencies (sys, text, tools, sync, term) were updated via go mod tidy.

This follows the same approach as #1659, extending it to the latest module versions. This is a routine maintenance bump only; the previously reported CVEs (e.g. in golang.org/x/crypto and golang.org/x/net) were already addressed on main by earlier dependency updates (#1659 for x/crypto/x/net, #1621 for go-billy via go-git).

What issues does this PR fix or reference?

N/A — maintenance dependency bump, not a CVE fix.

Is it tested? How?

make test

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@rohanKanojia, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 25 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 35e8b9fd-57cc-4ad6-8859-f00f22b7b73c

📥 Commits

Reviewing files that changed from the base of the PR and between 855fdc3 and eaadb82.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@tolusha

tolusha commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant ok-pr-readiness — Ensure PR has validation steps
  • /che-ai-assistant check-pr-test-failures — Analyze failing CI checks, identify root causes, and suggest fixes
  • /che-ai-assistant update-che-e2e-tests — Update Eclipse Che e2e tests
  • /che-ai-assistant help — Show this help message

@rohanKanojia rohanKanojia force-pushed the chore/deps-bump-go-toolchain-x-crypto-x-net branch from 3b35819 to 8f41223 Compare July 10, 2026 05:40
@tolusha

tolusha commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

/che-ai-assistant ok-pr-readiness

Task completed.

@tolusha

tolusha commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR Readiness Assessment: PR #1670 — chore(deps): bump golang.org/x/crypto, x/net, and x/mod to latest

Repository: devfile/devworkspace-operator
Linked Issue: None found (addresses multiple CVE tracker items)


# Criterion Verdict Notes
1 Problem Statement PASS CVE vulnerabilities in golang.org/x dependencies clearly identified with specific CVE numbers
2 Reproduction Steps WARN Security vulnerabilities don't require traditional reproduction steps, but no guidance on how to verify vulnerable versions are present before the fix
3 Expected Behavior After Fix PASS Updated dependency versions clearly stated; expected outcome is CVE remediation
4 Scope of Changes PASS Clean dependency update with only go.mod and go.sum changes; transitive dependencies explained
5 Test Evidence PASS make test mentioned; PR checklist includes e2e test triggers
6 Deployment & Verification Notes WARN Mentions need to rebuild/redeploy images, but lacks specific verification commands to confirm CVE remediation in deployed binaries

Overall: NEEDS WORK


Missing Information

  • Pre-fix verification guidance: Add commands to check current vulnerable dependency versions before applying the fix (e.g., go list -m golang.org/x/crypto golang.org/x/net)
  • Post-deployment verification steps: Provide specific commands to verify the updated dependencies are present in rebuilt container images (e.g., using go version -m on binaries inside controller/webhook/project-clone images, or container image vulnerability scanning)
  • CVE validation: Include commands or tools to confirm the specific CVEs are remediated after deployment (e.g., vulnerability scanner output, dependency version checks in running pods)

What's Good

  • Clear problem statement: All affected CVEs are explicitly listed with their associated packages
  • Transparent scope: The PR clearly explains what's updated (direct dependencies) and what's not (toolchain, go-git)
  • Version comparison table: Makes it easy to see exactly what changed
  • Testing coverage: Includes both unit tests (make test) and e2e test triggers in the checklist
  • Deployment awareness: Explicitly notes that images need to be rebuilt to pick up the changes
  • Reference to prior work: Links to Update go toolchain, x/crypto, x/net #1659 showing this follows an established pattern

Update golang.org/x/crypto v0.52.0 → v0.54.0, golang.org/x/net v0.55.0 →
v0.57.0, and golang.org/x/mod v0.35.0 → v0.38.0 as a routine maintenance
bump to the latest available module versions.

Assisted-by: Auto
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@rohanKanojia rohanKanojia force-pushed the chore/deps-bump-go-toolchain-x-crypto-x-net branch from 8f41223 to eaadb82 Compare July 10, 2026 06:13
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.25%. Comparing base (17aefae) to head (eaadb82).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1670      +/-   ##
==========================================
+ Coverage   37.17%   40.25%   +3.07%     
==========================================
  Files         168      171       +3     
  Lines       14761    15607     +846     
==========================================
+ Hits         5488     6283     +795     
- Misses       8921     8937      +16     
- Partials      352      387      +35     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants