114 changes: 56 additions & 58 deletions go.mod
@@ -21,44 +21,44 @@ require (
github.com/IBM/platform-services-go-sdk v0.81.0
github.com/IBM/vpc-go-sdk v0.68.0
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
github.com/aws/aws-sdk-go-v2 v1.41.5
github.com/aws/aws-sdk-go-v2/config v1.32.13
github.com/aws/aws-sdk-go-v2/credentials v1.19.13
github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.12
github.com/aws/aws-sdk-go-v2/service/ec2 v1.279.2
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.29.6
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.7
github.com/aws/aws-sdk-go-v2/service/iam v1.53.2
github.com/aws/aws-sdk-go-v2/service/kms v1.50.0
github.com/aws/aws-sdk-go-v2/service/ram v1.34.5
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.6
github.com/aws/aws-sdk-go-v2/service/route53 v1.62.1
github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
github.com/aws/aws-sdk-go-v2/service/sqs v1.42.21
github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
github.com/aws/aws-sdk-go-v2 v1.41.8
github.com/aws/aws-sdk-go-v2/config v1.32.19
github.com/aws/aws-sdk-go-v2/credentials v1.19.18
github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.2.1
github.com/aws/aws-sdk-go-v2/service/ec2 v1.304.1
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.26
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.13
github.com/aws/aws-sdk-go-v2/service/iam v1.53.11
github.com/aws/aws-sdk-go-v2/service/kms v1.52.1
github.com/aws/aws-sdk-go-v2/service/ram v1.36.6
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.32.1
github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8
github.com/aws/aws-sdk-go-v2/service/s3 v1.102.1
github.com/aws/aws-sdk-go-v2/service/sqs v1.42.28
github.com/aws/aws-sdk-go-v2/service/sts v1.42.2
github.com/aws/karpenter-provider-aws v1.8.6
github.com/aws/smithy-go v1.24.2
github.com/aws/smithy-go v1.25.1
github.com/blang/semver v3.5.1+incompatible
github.com/clarketm/json v1.17.1
github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
github.com/coreos/ignition/v2 v2.25.1
github.com/coreos/ignition/v2 v2.26.0
github.com/distribution/reference v0.6.0
github.com/docker/distribution v2.8.3+incompatible
github.com/elazarl/goproxy v1.7.2
github.com/elazarl/goproxy v1.8.4
github.com/evanphx/json-patch/v5 v5.9.11
github.com/go-jose/go-jose/v3 v3.0.5
github.com/go-logr/logr v1.4.3
github.com/go-logr/stdr v1.2.2
github.com/go-logr/zapr v1.3.0
github.com/google/cel-go v0.26.1
github.com/google/cel-go v0.28.1
github.com/google/go-cmp v0.7.0
github.com/google/gofuzz v1.2.0
github.com/google/uuid v1.6.0
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
github.com/k-orc/openstack-resource-controller v1.0.0
github.com/kubernetes-csi/external-snapshotter/client/v6 v6.3.0
github.com/onsi/ginkgo/v2 v2.28.1
github.com/onsi/gomega v1.39.1
github.com/onsi/ginkgo/v2 v2.29.0
github.com/onsi/gomega v1.40.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.1
github.com/openshift/api v0.0.0-20260416105050-3c6b218b8a80
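Review bot: github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager moves from v0.1.12 to v0.2.1, a minor bump on a v0 module, so there is no API-compatibility guarantee behind it; please confirm the S3 upload/download call sites still build and read that module's release notes for behaviour changes before treating the rest of this hunk (patch-level bumps of the ec2, s3, sts, kms and other service clients, smithy-go v1.24.2 to v1.25.1) as routine. github.com/google/cel-go likewise goes v0.26.1 to v0.28.1; any CEL expressions the project validates or evaluates should be exercised by the test run, since v0 minors of that library can change parsing and type-checking results.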
@@ -71,10 +71,10 @@ require (
github.com/openshift/hypershift/api v0.0.0-20240604072534-cd2d5291e2b7
github.com/openshift/library-go v0.0.0-20251204132909-8814e976a023
github.com/openshift/multi-operator-manager v0.0.0-20260112172834-b64ebc8c627b
github.com/operator-framework/api v0.37.0
github.com/operator-framework/api v0.42.0
github.com/pkg/errors v0.9.1
github.com/ppc64le-cloud/powervs-utils v0.0.0-20250403153021-219b161805db
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.88.0
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.91.0
github.com/prometheus/client_golang v1.23.2
github.com/prometheus/client_model v0.6.2
github.com/prometheus/common v0.67.5
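Review bot: github.com/operator-framework/api jumps five minor versions (v0.37.0 to v0.42.0) and github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring three (v0.88.0 to v0.91.0), both v0 modules; the PR description should say whether these were pulled in deliberately or by `go mod tidy` following another bump. If the repo carries copies of the ServiceMonitor/PodMonitor or ClusterServiceVersion schemas, regenerate them from the same versions so the Go types and the installed CRDs do not drift.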
@@ -99,21 +99,21 @@ require (
gopkg.in/ini.v1 v1.67.2
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.35.1
k8s.io/apiextensions-apiserver v0.35.1
k8s.io/apimachinery v0.35.1
k8s.io/apiserver v0.35.1
k8s.io/api v0.35.3
k8s.io/apiextensions-apiserver v0.35.3
k8s.io/apimachinery v0.35.3
k8s.io/apiserver v0.35.3
k8s.io/autoscaler/vertical-pod-autoscaler v1.3.0
k8s.io/cli-runtime v0.35.1
k8s.io/client-go v0.35.1
k8s.io/component-base v0.35.1
k8s.io/client-go v0.35.3
k8s.io/component-base v0.35.3
k8s.io/klog v1.0.0
k8s.io/klog/v2 v2.130.1
k8s.io/klog/v2 v2.140.0
k8s.io/kube-aggregator v0.35.1
k8s.io/kube-scheduler v0.35.1
k8s.io/kubectl v0.35.1
k8s.io/pod-security-admission v0.35.1
k8s.io/utils v0.0.0-20260108192941-914a6e750570
k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
kubevirt.io/api v1.8.2
kubevirt.io/containerized-data-importer-api v1.65.0
sigs.k8s.io/cluster-api v1.10.4
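Review bot: this hunk leaves the k8s.io staging modules at mixed patch levels: k8s.io/api, apiextensions-apiserver, apimachinery, apiserver, client-go and component-base go to v0.35.3, but k8s.io/cli-runtime, kube-aggregator, kube-scheduler, kubectl and pod-security-admission stay at v0.35.1. Go's minimum-version selection will still build it, but the staging modules are released as a set and mixing them is how subtle apimachinery/client-go mismatches get in; bump the five stragglers in the same PR, e.g. `go get k8s.io/cli-runtime@v0.35.3 k8s.io/kube-aggregator@v0.35.3 k8s.io/kube-scheduler@v0.35.3 k8s.io/kubectl@v0.35.3 k8s.io/pod-security-admission@v0.35.3 && go mod tidy`.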
@@ -123,10 +123,10 @@ require (
sigs.k8s.io/cluster-api-provider-ibmcloud v0.11.0
sigs.k8s.io/cluster-api-provider-kubevirt v0.1.9
sigs.k8s.io/cluster-api-provider-openstack v0.12.1
sigs.k8s.io/controller-runtime v0.22.4
sigs.k8s.io/controller-runtime v0.23.3

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify conflicting controller-runtime versions declared in go.mod
rg -n 'sigs\.k8s\.io/controller-runtime' go.mod

Repository: openshift/hypershift

Length of output: 193


Fix ineffective controller-runtime bump overridden by replace in go.mod

Line 126 bumps sigs.k8s.io/controller-runtime to v0.23.3, but line 325 forces the effective version back to v0.19.7 via:
replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.19.7
This makes the bump non-effective and can obscure real compatibility/security impact—align the replace target with the intended version or document why the override is necessary.

  • Add OSV/CVE results for the bumped modules (including transitive changes).
  • Provide evidence that the release process emits SBOM/provenance attestations and signs artifacts (Sigstore/cosign) per prodsec-skills.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 126, The go.mod currently lists
sigs.k8s.io/controller-runtime v0.23.3 but a later replace directive forces
sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.19.7, making
the bump ineffective; update the replace directive to point to v0.23.3 (or
remove the replace if not required) so the intended version is effective, and
ensure the change is applied where the replace is declared (search for the
replace line mentioning sigs.k8s.io/controller-runtime). Additionally, run
dependency vulnerability scans and add OSV/CVE results for the bumped module
(including transitive dependencies) into the PR description or a security
report, and attach evidence that your release process produces SBOM/provenance
attestations and signed artifacts (Sigstore/cosign) per prodsec-skills.
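The check the comment above describes, a require line that a replace directive silently pins to another version, is easy to miss by eye in a long go.mod. As an added example (not the project's code and not the bot's script), here is a POSIX shell function that parses a go.mod and prints every directly required module whose same-module replace points at a different version. The go.mod it runs on is constructed for the example; the module names and versions in it are illustrative.

```shell
#!/bin/sh
# Added example: report require entries whose version is overridden by a
# same-module replace directive ("mod => mod vOther") in a go.mod file.
# Output: one line per mismatch, "<module> require=<v> replace=<v>".

find_overridden_requires() {
    # $1: path to a go.mod file
    awk '
        # Track which multi-line block we are in: require ( ... ) or replace ( ... )
        /^require[ \t]*\(/ { block = "require"; next }
        /^replace[ \t]*\(/ { block = "replace"; next }
        /^\)/              { block = ""; next }

        # Single-line forms: "require mod v1" and "replace mod => mod v2"
        /^require[ \t]+/ { sub(/^require[ \t]+/, ""); handle_require($0); next }
        /^replace[ \t]+/ { sub(/^replace[ \t]+/, ""); handle_replace($0); next }

        block == "require" { handle_require($0) }
        block == "replace" { handle_replace($0) }

        function handle_require(line,   f) {
            sub(/\/\/.*$/, "", line)             # drop "// indirect" etc.
            if (split(line, f) < 2) return       # blank line or no version
            req[f[1]] = f[2]
        }
        function handle_replace(line,   f, n, i, arrow, src, dst, dstv) {
            # Shape: src [vSrc] => dst [vDst]; a dst without a version is a
            # local path replacement, which cannot hide a version bump.
            sub(/\/\/.*$/, "", line)
            n = split(line, f)
            for (i = 1; i <= n; i++) if (f[i] == "=>") arrow = i
            if (!arrow || arrow + 1 > n) return
            src = f[1]; dst = f[arrow + 1]
            dstv = (arrow + 2 <= n) ? f[arrow + 2] : ""
            if (dstv != "" && src == dst) rep[src] = dstv
        }
        END {
            for (m in req)
                if ((m in rep) && rep[m] != req[m])
                    printf "%s require=%s replace=%s\n", m, req[m], rep[m]
        }
    ' "$1" | sort
}

demo_overridden_requires() {
    # Constructed go.mod for the example. The controller-runtime pin mirrors
    # the situation described in the review comment; the client-go replace
    # matches its require and the errors replace is a local path, so neither
    # is reported.
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
module example.com/demo

go 1.24

require (
    github.com/pkg/errors v0.9.1
    sigs.k8s.io/controller-runtime v0.23.3
    k8s.io/client-go v0.35.3 // indirect
)

replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.19.7

replace (
    k8s.io/client-go => k8s.io/client-go v0.35.3
    github.com/pkg/errors => ../local/errors
)
EOF
    find_overridden_requires "$tmp"
    rm -f "$tmp"
}

# Usage: ./check.sh go.mod   (or ./check.sh --demo for the built-in sample)
case "${1:-}" in
    "") ;;
    --demo) demo_overridden_requires ;;
    *) find_overridden_requires "$1" ;;
esac
```

On the sample the demo prints `sigs.k8s.io/controller-runtime require=v0.23.3 replace=v0.19.7` and nothing else. The awk parser is deliberately narrow: it only flags same-module replaces with an explicit version, because a replace to a different module or to a local path changes what is built in a way that `go list -m <module>` shows directly, whereas a same-module version pin is the one that looks like a no-op in a diff of the require block.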

sigs.k8s.io/karpenter v1.9.0
sigs.k8s.io/secrets-store-csi-driver v1.4.8
sigs.k8s.io/structured-merge-diff/v6 v6.3.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.2
sigs.k8s.io/yaml v1.6.0
)
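Review bot: the require line for sigs.k8s.io/controller-runtime now reads v0.23.3, but the review comment in this thread reports a replace directive pinning it to v0.19.7; when a replace exists the require line does not decide what gets built, so run `go list -m sigs.k8s.io/controller-runtime` on the branch and paste the result into the PR description. If the pin is intentional, add a comment beside the replace saying why; if not, point it at v0.23.3 or delete it, then re-run `go mod tidy` and the full test suite, since controller-runtime minor releases are paired with Kubernetes minors and this go.mod is now on the k8s.io v0.35 line. The sigs.k8s.io/structured-merge-diff/v6 v6.3.1 to v6.3.2 bump in the same hunk is a patch release and needs nothing beyond that.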

@@ -150,24 +150,23 @@ require (
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/asaskevich/govalidator/v11 v11.0.2-0.20250122183457-e11347878e23 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25 // indirect
github.com/aws/aws-sdk-go-v2/service/eks v1.77.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.17 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.24 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.1.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.30.18 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1 // indirect
github.com/awslabs/operatorpkg v0.0.0-20251222193911-34e9a1898737 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v5 v5.0.2 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.3 // indirect
github.com/coreos/go-semver v0.3.1 // indirect
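Review bot: github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect disappears from the indirect block while the other AWS internal modules are merely bumped; the hunk header's -24/+23 matches a one-line drop, which is what `go mod tidy` produces once nothing imports the module, but please confirm by running `go mod tidy` on a clean checkout and `git diff --exit-code go.mod go.sum` so the removal is reproducible rather than a hand edit. service/sso (v1.30.14 to v1.30.18) and service/ssooidc (v1.35.18 to v1.36.1) sit on the SSO credential-acquisition path, so an SSO-profile smoke test is worth a line in the PR.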
@@ -218,15 +217,15 @@ require (
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.7.1 // indirect
github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect
github.com/googleapis/gax-go/v2 v2.22.0 // indirect
github.com/gophercloud/gophercloud/v2 v2.4.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -265,7 +264,6 @@ require (
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sirupsen/logrus v1.9.4 // indirect
github.com/stoewer/go-strcase v1.3.1 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
go.etcd.io/etcd/pkg/v3 v3.6.11 // indirect
@@ -275,16 +273,16 @@ require (
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
go.opentelemetry.io/otel v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 // indirect
go.opentelemetry.io/otel/metric v1.43.0 // indirect
go.opentelemetry.io/otel/sdk v1.43.0 // indirect
go.opentelemetry.io/otel/trace v1.43.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.1 // indirect
go.opentelemetry.io/proto/otlp v1.9.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v2 v2.4.4 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
golang.org/x/mod v0.35.0 // indirect
golang.org/x/sys v0.44.0 // indirect
golang.org/x/term v0.43.0 // indirect
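Review bot: go.opentelemetry.io/otel/exporters/otlp/otlptrace and otlptracegrpc move to v1.40.0 while go.opentelemetry.io/otel, metric, sdk and trace stay at v1.43.0; the exporters are released in lockstep with the core modules, so a three-minor lag usually means a transitive dependency, not this project, is requiring them. They are indirect, so check `go mod why -m go.opentelemetry.io/otel/exporters/otlp/otlptrace` and leave them alone unless the build or tests fail. golang.org/x/exp also moves from a June 2025 to a January 2026 pseudo-version; x/exp makes no compatibility promise, so any package used from it (directly or through a dependency) should be covered by the test run.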
@@ -300,11 +298,11 @@ require (
k8s.io/cloud-provider v0.35.0 // indirect
k8s.io/component-helpers v0.35.1 // indirect
k8s.io/csi-translation-lib v0.35.0 // indirect
k8s.io/kms v0.35.1 // indirect
k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
k8s.io/kms v0.35.3 // indirect
k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
k8s.io/kubelet v0.32.2 // indirect
kubevirt.io/controller-lifecycle-operator-sdk/api v0.2.4 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
sigs.k8s.io/kustomize/api v0.20.1 // indirect
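Review bot: k8s.io/kms moves to v0.35.3, but the neighbouring k8s.io/cloud-provider and k8s.io/csi-translation-lib stay at v0.35.0, k8s.io/component-helpers at v0.35.1, and k8s.io/kubelet at v0.32.2, three minors behind the rest of the tree. These are indirect, so the versions are whatever the transitive requirements resolved to; run `go mod why -m k8s.io/kubelet` and, if the importer is a project dependency that can be bumped, bump it here, otherwise record the reason in the PR so the mixed versions are understood rather than rediscovered on the next upgrade. The sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 to v0.34.0 bump is the one direct-impact change in this hunk for a hosted control plane and deserves a line in the description about which component pulled it in.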