OADP-7565, OADP-7570, OADP-7573: Update Go to 1.25.8 and golang.org/x/* dependencies for CVE fixes by kaovilai · Pull Request #385 · openshift/openshift-velero-plugin

kaovilai · 2026-03-17T18:55:39Z

Summary

This PR updates the Go toolchain to 1.25.8 and golang.org/x/* dependencies to address multiple security vulnerabilities.

Changes

Go Toolchain Updated to 1.25.8

GO-2026-4337 (crypto/tls) - fixed in Go 1.25.7+
GO-2026-4340 (crypto/tls) - fixed in Go 1.25.6+
GO-2026-4341 (net/url) - fixed in Go 1.25.6+
GO-2026-4342 (archive/zip) - fixed in Go 1.25.6+
CVE-2026-25679 (net/url IPv6 host parsing) - fixed in Go 1.25.8+
CVE-2026-27137 (crypto/x509 email constraints) - fixed in Go 1.25.8+

golang.org/x/* Dependencies Updated

golang.org/x/crypto v0.39.0 => v0.49.0 (CVE fixes: GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
golang.org/x/net v0.41.0 => v0.52.0 (CVE fix: GHSA-vvgc-356p-c3xw)
golang.org/x/sync v0.15.0 => v0.20.0
golang.org/x/sys v0.33.0 => v0.42.0
golang.org/x/term v0.32.0 => v0.41.0
golang.org/x/text v0.26.0 => v0.35.0

Dockerfile Changes

konflux.Dockerfile: Updated to rhel_9_golang_1.25

Test Plan

Built successfully with go build ./...
Dependencies verified with go mod tidy

Jira Tickets

🤖 Generated with Claude Code

openshift-ci-robot · 2026-03-17T18:55:45Z

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

This pull request references OADP-7570 which is a valid jira issue.

This pull request references OADP-7573 which is a valid jira issue.

Details

In response to this:

Summary

This PR updates the Go toolchain to 1.25.8 and golang.org/x/* dependencies to address multiple security vulnerabilities.

Changes

Go Toolchain Updated to 1.25.8

GO-2026-4337 (crypto/tls) - fixed in Go 1.25.7+

GO-2026-4340 (crypto/tls) - fixed in Go 1.25.6+

GO-2026-4341 (net/url) - fixed in Go 1.25.6+

GO-2026-4342 (archive/zip) - fixed in Go 1.25.6+

CVE-2026-25679 (net/url IPv6 host parsing) - fixed in Go 1.25.8+

CVE-2026-27137 (crypto/x509 email constraints) - fixed in Go 1.25.8+

golang.org/x/* Dependencies Updated

golang.org/x/crypto v0.39.0 => v0.49.0 (CVE fixes: GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)

golang.org/x/net v0.41.0 => v0.52.0 (CVE fix: GHSA-vvgc-356p-c3xw)

golang.org/x/sync v0.15.0 => v0.20.0

golang.org/x/sys v0.33.0 => v0.42.0

golang.org/x/term v0.32.0 => v0.41.0

golang.org/x/text v0.26.0 => v0.35.0

Dockerfile Changes

konflux.Dockerfile: Updated to rhel_9_golang_1.25

Test Plan

Built successfully with go build ./...

Dependencies verified with go mod tidy

Jira Tickets

OADP-7565

OADP-7570 (CVE-2026-27137)

OADP-7573 (CVE-2026-25679)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-03-17T18:55:46Z

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 07538dac-4813-4ba0-a251-8f2732076ae4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci-robot · 2026-03-17T18:55:54Z

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

This pull request references OADP-7570 which is a valid jira issue.

This pull request references OADP-7573 which is a valid jira issue.

Details

In response to this:

Summary

This PR updates the Go toolchain to 1.25.8 and golang.org/x/* dependencies to address multiple security vulnerabilities.

Changes

Go Toolchain Updated to 1.25.8

GO-2026-4337 (crypto/tls) - fixed in Go 1.25.7+

GO-2026-4340 (crypto/tls) - fixed in Go 1.25.6+

GO-2026-4341 (net/url) - fixed in Go 1.25.6+

GO-2026-4342 (archive/zip) - fixed in Go 1.25.6+

CVE-2026-25679 (net/url IPv6 host parsing) - fixed in Go 1.25.8+

CVE-2026-27137 (crypto/x509 email constraints) - fixed in Go 1.25.8+

golang.org/x/* Dependencies Updated

golang.org/x/crypto v0.39.0 => v0.49.0 (CVE fixes: GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)

golang.org/x/net v0.41.0 => v0.52.0 (CVE fix: GHSA-vvgc-356p-c3xw)

golang.org/x/sync v0.15.0 => v0.20.0

golang.org/x/sys v0.33.0 => v0.42.0

golang.org/x/term v0.32.0 => v0.41.0

golang.org/x/text v0.26.0 => v0.35.0

Dockerfile Changes

konflux.Dockerfile: Updated to rhel_9_golang_1.25

Test Plan

Built successfully with go build ./...

Dependencies verified with go mod tidy

Jira Tickets

OADP-7565

OADP-7570 (CVE-2026-27137)

OADP-7573 (CVE-2026-25679)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Copilot

Pull request overview

Updates the project’s Go toolchain and golang.org/x/* module dependencies to pick up security/CVE fixes, and aligns the Konflux build image with the newer Go major/minor version.

Changes:

Bumps go.mod Go version to 1.25.8 and updates golang.org/x/* dependencies to newer releases.
Refreshes go.sum entries to match updated module versions.
Updates konflux.Dockerfile builder image tag to rhel_9_golang_1.25.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File	Description
`konflux.Dockerfile`	Moves Konflux builder image from Go 1.24 to Go 1.25 stream.
`go.mod`	Updates declared Go version and bumps `golang.org/x/*` indirect dependency versions.
`go.sum`	Updates module checksums corresponding to the dependency bumps.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

go.mod

-go 1.23.0
-
-toolchain go1.23.6
+go 1.25.8


mpryc · 2026-03-18T10:09:28Z

/hold unit tests are failing, before they were ok

…/* dependencies for CVE fixes This commit addresses multiple security vulnerabilities: Go Toolchain Updated to 1.25.8: - GO-2026-4337 (crypto/tls) - fixed in Go 1.25.7+ - GO-2026-4340 (crypto/tls) - fixed in Go 1.25.6+ - GO-2026-4341 (net/url) - fixed in Go 1.25.6+ - GO-2026-4342 (archive/zip) - fixed in Go 1.25.6+ - CVE-2026-25679 (net/url IPv6 host parsing) - fixed in Go 1.25.8+ - CVE-2026-27137 (crypto/x509 email constraints) - fixed in Go 1.25.8+ golang.org/x/* Dependencies Updated: - golang.org/x/crypto v0.39.0 => v0.49.0 (CVE fixes: GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv) - golang.org/x/net v0.41.0 => v0.52.0 (CVE fix: GHSA-vvgc-356p-c3xw) - golang.org/x/sync v0.15.0 => v0.20.0 - golang.org/x/sys v0.33.0 => v0.42.0 - golang.org/x/term v0.32.0 => v0.41.0 - golang.org/x/text v0.26.0 => v0.35.0 Dockerfile Changes: - konflux.Dockerfile: Updated to rhel_9_golang_1.25 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

openshift-ci · 2026-03-19T02:14:23Z

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

kaovilai · 2026-03-19T02:30:14Z

/unhold passing

kaovilai · 2026-03-19T02:30:24Z

/cc @mpryc

weshayutin

/LGTM

openshift-ci · 2026-03-23T16:18:28Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI review requested due to automatic review settings March 17, 2026 18:55

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 17, 2026

openshift-ci bot requested review from eemcmullan and shubham-pampattiwar March 17, 2026 18:56

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 17, 2026

Copilot started reviewing on behalf of kaovilai March 17, 2026 18:56 View session

Copilot AI reviewed Mar 17, 2026

View reviewed changes

go.mod Outdated

go 1.23.0

toolchain go1.23.6

go 1.25.8

kaovilai force-pushed the oadp15udist branch from 06ad221 to 013ea21 Compare March 17, 2026 19:07

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 18, 2026

kaovilai force-pushed the oadp15udist branch from 013ea21 to e5c4fa3 Compare March 19, 2026 01:57

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 19, 2026

openshift-ci bot requested a review from mpryc March 19, 2026 02:30

weshayutin approved these changes Mar 23, 2026

View reviewed changes

openshift-ci bot assigned weshayutin Mar 23, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 23, 2026

Conversation

kaovilai commented Mar 17, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Go Toolchain Updated to 1.25.8

golang.org/x/* Dependencies Updated

Dockerfile Changes

Test Plan

Jira Tickets

Uh oh!

openshift-ci-robot commented Mar 17, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Go Toolchain Updated to 1.25.8

golang.org/x/* Dependencies Updated

Dockerfile Changes

Test Plan

Jira Tickets

Uh oh!

coderabbitai bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

openshift-ci-robot commented Mar 17, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Go Toolchain Updated to 1.25.8

golang.org/x/* Dependencies Updated

Dockerfile Changes

Test Plan

Jira Tickets

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

mpryc commented Mar 18, 2026

Uh oh!

openshift-ci bot commented Mar 19, 2026

Uh oh!

kaovilai commented Mar 19, 2026

Uh oh!

kaovilai commented Mar 19, 2026

Uh oh!

weshayutin left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Mar 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

kaovilai commented Mar 17, 2026 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Mar 17, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Mar 17, 2026 •

edited

Loading

openshift-ci-robot commented Mar 17, 2026 •

edited by openshift-ci bot

Loading