Bump github.com/cli/go-gh/v2 from 2.4.0 to 2.13.0 #99
Bumps [github.com/cli/go-gh/v2](https://github.com/cli/go-gh) from 2.4.0 to 2.13.0.
- [Release notes](https://github.com/cli/go-gh/releases)
- [Commits](cli/go-gh@v2.4.0...v2.13.0)

---
updated-dependencies:
- dependency-name: github.com/cli/go-gh/v2
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Walkthrough
This PR updates go.mod: the Go toolchain directive changes from 1.25 to 1.25.0, and several indirect and direct dependencies are upgraded, including github.com/google/uuid, golang.org/x/sync, golang.org/x/text, github.com/cli/go-gh/v2, golang.org/x/crypto, golang.org/x/net, and golang.org/x/sys, with github.com/kr/text replaced by github.com/kr/pretty.

Changes
| File | Summary |
|---|---|
| go.mod | Dependency Updates |

Estimated code review effort: 1 (Trivial) | ~5 minutes
Related Issues: None mentioned.
Related PRs: None mentioned.
Suggested labels: dependencies, go
Suggested reviewers: N/A
🚥 Pre-merge checks | ✅ 15 passed checks (15 passed)
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: dependabot[bot]
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @dependabot[bot]. Thanks for your PR.
I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with
Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 46: The go.mod dependency pin for golang.org/x/oauth2 is using a
vulnerable version and should be updated. Bump the exact version entry in go.mod
to a patched release, and verify any related auth usage in
pkg/sources/github/github.go still builds cleanly with the new oauth2 version.
Keep the version pinned exactly as required and ensure the known CVE/OSV issue
is addressed in the dependency graph.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 3ec9be0c-e2e5-4dfe-b2cc-112cb31402ad
⛔ Files ignored due to path filters (1)
- go.sum is excluded by `!**/*.sum`
📒 Files selected for processing (1)
- go.mod
| golang.org/x/net v0.17.0 // indirect | ||
| golang.org/x/crypto v0.36.0 // indirect | ||
| golang.org/x/net v0.38.0 // indirect | ||
| golang.org/x/oauth2 v0.13.0 |
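Review bot: golang.org/x/oauth2 is left pinned at v0.13.0 in this hunk while the neighbouring golang.org/x/net and golang.org/x/crypto entries are bumped, and the OSV scanner output on this PR flags exactly that oauth2 release (GO-2025-3488 / GHSA-6v2p-p543-phr9, unexpected memory consumption during token parsing). Because the module is a direct requirement reached through go-gh's auth package in pkg/sources/github/github.go, the known-vulnerable version stays in the build graph after this merge. Suggest bumping the `golang.org/x/oauth2` requirement to a patched release in the same go.mod change (or a follow-up Dependabot PR), rebuilding pkg/sources/github, and re-running the scanner so the finding clears rather than being carried forward.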
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Update the vulnerable oauth2 pin.
golang.org/x/oauth2 v0.13.0 is flagged by OSV scanner (GO-2025-3488 / GHSA-6v2p-p543-phr9), and this repo uses go-gh's auth package in pkg/sources/github/github.go. Leaving it here keeps a known-vulnerable release in the graph. As per path instructions, pin exact versions and flag known CVEs in go.mod.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[HIGH] 46-46: golang.org/x/oauth2 0.13.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2
(GO-2025-3488)
[HIGH] 46-46: golang.org/x/oauth2 0.13.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
Sources: Path instructions, Linters/SAST tools
@dependabot[bot]: all tests passed!
Full PR test history. Your PR dashboard.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

Coverage Diff
| | main | #99 | +/- |
|---|---|---|---|
| Coverage | 0.00% | 0.00% | |
| Files | 34 | 34 | |
| Lines | 1594 | 1594 | |
| Misses | 1594 | 1594 | |

☔ View full report in Codecov by Harness.
Bumps github.com/cli/go-gh/v2 from 2.4.0 to 2.13.0.
Release notes
Sourced from github.com/cli/go-gh/v2's releases.
... (truncated)
Commits
- a0a6e89 Merge pull request #201 from cli/kw/bump-go-1.25.0
- 1585603 Merge pull request #202 from cli/babakks/explain-resp-body-close
- ec8f5ca docs(pkg/api): explain `HandleHTTPError` does not close resp body
- 5a975a9 Update Go version to 1.25.0
- 41e1e0d Merge pull request #200 from cli/babakks/upgrade-golangci-lint
- f6d1f60 chore: upgrade to Golangci-lint v2.6
- b7798dc docs: fix incorrect godoc usages
- 32287ae refactor: lift break condition into the loop
- ff8ebd0 chore: disable `QF1008` from `staticcheck` rules
- c6bd235 chore: remove redundant/deprecated `// +build` tags

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit