fix(deps): update gomod dependencies #3259
There are test jobs defined for this repository which are not configured to run automatically. Comment
Important: Review skipped. Auto reviews are disabled on this repository; check the settings in the CodeRabbit UI. Configuration used: Repository YAML (base), Central YAML (inherited). Review profile: CHILL. Plan: Enterprise.
[APPROVALNOTIFIER] This PR is APPROVED. Approval requirements bypassed by manually added approval. This pull-request has been approved by: red-hat-konflux[bot]. The full list of commands accepted by this bot can be found here. The pull request process is described here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 59: The github.com/gomarkdown/markdown dependency is pinned to a
vulnerable version (v0.0.0-20260217112301-37c66b85d6ab) that is susceptible to
CVE-2026-40890 with a CVSS score of 7.5 due to an out-of-bounds read in
SmartypantsRenderer. Update the version of github.com/gomarkdown/markdown in the
go.mod file to a patched version such as v0.0.0-20260614204949-e08cff860f76 or
any later version that includes the fix committed on April 10, 2026.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: a0d29158-e7c8-45e3-826f-3322c44b02f7
📒 Files selected for processing (1): go.mod
||
| require ( | ||
| github.com/golang-jwt/jwt/v4 v4.5.2 | ||
| github.com/gomarkdown/markdown v0.0.0-20260217112301-37c66b85d6ab |
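Review bot: the require line still pins github.com/gomarkdown/markdown to v0.0.0-20260217112301-37c66b85d6ab, whose embedded commit timestamp (2026-02-17) is almost two months before the April 10, 2026 commit that fixes CVE-2026-40890 / GHSA-77fj-vx54-gvh7, which is exactly what OSV Scanner flags at go.mod line 59. Bump the line to v0.0.0-20260614204949-e08cff860f76 or later before merge; the PR's own update list shows 37c66b8→e08cff8, so confirm the re-pushed revision bd3263d actually carries that line rather than the one shown here. Running govulncheck over the module in CI would make a pin like this fail before it reaches review.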
🧩 Analysis chain
🌐 Web query:
GHSA-77fj-vx54-gvh7 gomarkdown markdown out-of-bounds read vulnerability details
💡 Result:
GHSA-77fj-vx54-gvh7, also tracked as CVE-2026-40890, is a security vulnerability in the gomarkdown/markdown Go library that causes an out-of-bounds read or a panic [1][2]. The vulnerability occurs specifically within the SmartypantsRenderer component [1][3]. When the library processes malformed input containing a '<' character that is not followed by a '>' character anywhere in the remaining text, the smartLeftAngle function performs an out-of-bounds slice operation [1]. This behavior can lead to a denial-of-service (DoS) condition if the application panics [1][4]. Technical details: - Affected Component: SmartypantsRenderer [1] - Vulnerability Type: Out-of-bounds Read (CWE-125) [1] - Impact: Denial of Service / Panic [1][4] - Fix: The issue was addressed in commit 759bbc3e32073c3bc4e25969c132fc520eda2778 [1][2]. Users of the library are advised to update their dependency to a version containing this patch to mitigate the risk [2].
Citations:
- 1: GHSA-77fj-vx54-gvh7
- 2: https://nvd.nist.gov/vuln/detail/CVE-2026-40890
- 3: https://advisories.gitlab.com/golang/github.com/gomarkdown/markdown/GHSA-77fj-vx54-gvh7/
- 4: https://test.osv.dev/vulnerability/GHSA-77fj-vx54-gvh7
🏁 Script executed:
# Check if we can fetch information about the gomarkdown/markdown commit
# The pseudo-version indicates commit 37c66b85d6ab from Feb 17, 2026
# We need to verify if this includes the fix commit 759bbc3e32073c3bc4e25969c132fc520eda2778
# First, let's try to check if there's any git history or refs available
cd /tmp && git clone --depth 100 https://github.com/gomarkdown/markdown.git 2>&1 | head -20 || true
Repository: openshift/osde2e
Length of output: 149
🌐 Web query:
gomarkdown/markdown commit 759bbc3e32073c3bc4e25969c132fc520eda2778 GHSA-77fj-vx54-gvh7 fix merged when
💡 Result:
The commit 759bbc3e32073c3bc4e25969c132fc520eda2778 in the gomarkdown/markdown repository, which addresses the vulnerability identified as GHSA-77fj-vx54-gvh7 (CVE-2026-40890), was authored on April 10, 2026 [1]. This patch corrects an out-of-bounds read vulnerability in the SmartypantsRenderer [1][2]. Although the commit itself is dated April 10, 2026 [1], the associated security advisory (GHSA-77fj-vx54-gvh7) was published on April 13, 2026 [2]. The fix ensures that the library correctly handles malformed input containing a '<' character not followed by a '>' character, preventing potential service panics or out-of-bounds reads [3][2].
Citations:
- 1: gomarkdown/markdown@759bbc3
- 2: GHSA-77fj-vx54-gvh7
- 3: https://nvd.nist.gov/vuln/detail/CVE-2026-40890
🌐 Web query:
gomarkdown/markdown v0.0.0-20260217112301 release date vulnerability status
💡 Result:
The Go package github.com/gomarkdown/markdown version v0.0.0-20260217112301-37c66b85d6ab was released on February 17, 2026 [1][2]. Regarding its vulnerability status, this version is affected by CVE-2026-40890 (GHSA-77fj-vx54-gvh7) [3][4]. This vulnerability involves an out-of-bounds read or potential panic when using a SmartypantsRenderer to process malformed input containing a '<' character that is not followed by a '>' character [3][4]. The issue was officially documented and assigned a CVSS v3.1 base score of 7.5 (High) [3][4]. Users of this package are advised to upgrade to a version containing the fix, which is commit 759bbc3e32073c3bc4e25969c132fc520eda2778 [4]. Current registry data indicates that later versions, such as v0.0.0-20260614204949-e08cff860f76, are available [5].
Citations:
- 1: https://deps.dev/go/github.com%2Fgomarkdown%2Fmarkdown/v0.0.0-20260217112301-37c66b85d6ab
- 2: chore: upgrade github.com/gomarkdown/markdown to latest version kubernetes-sigs/descheduler#1831
- 3: GHSA-77fj-vx54-gvh7
- 4: https://nvd.nist.gov/vuln/detail/CVE-2026-40890
- 5: https://pkg.go.dev/github.com/gomarkdown/markdown
Update gomarkdown/markdown to patched version before merge.
The version v0.0.0-20260217112301-37c66b85d6ab (February 17, 2026) is vulnerable to CVE-2026-40890 / GHSA-77fj-vx54-gvh7 (out-of-bounds read in SmartypantsRenderer, CVSS 7.5). The fix was committed April 10, 2026. Upgrade to a patched version such as v0.0.0-20260614204949-e08cff860f76 or later.
🧰 Tools
🪛 OSV Scanner (2.3.8)
[HIGH] 59-59: github.com/gomarkdown/markdown 0.0.0-20260217112301-37c66b85d6ab: Go Markdown has an Out-of-bounds Read in SmartypantsRenderer
Source: Linters/SAST tools
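The check the review above performs by hand (read the pinned pseudo-version out of go.mod, compare the commit timestamp it embeds with the date of the fix commit) can be automated. The following is an added example written for this page; it is not code from the PR, from osde2e or from gomarkdown. It reads a constructed go.mod excerpt, so it runs offline, and the names requiredVersion, predatesFix, fixedSince and sampleGoMod are this example's own. The fix date (April 10, 2026) is taken from the review and is treated as an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fixedSince is the earliest pseudo-version timestamp that can carry the fix
// for CVE-2026-40890: the fix commit was authored on April 10, 2026 (date from
// the review above, assumed here), so any gomarkdown/markdown pseudo-version
// stamped before that day predates it.
const fixedSince = "20260410000000"

// sampleGoMod is a constructed go.mod excerpt mirroring the pinned line under
// review; it is not the project's real go.mod.
const sampleGoMod = `module example.com/constructed

go 1.24

require (
	github.com/golang-jwt/jwt/v4 v4.5.2
	github.com/gomarkdown/markdown v0.0.0-20260217112301-37c66b85d6ab // indirect
)
`

// pseudoRe captures the 14-digit UTC commit timestamp and the 12-hex commit
// prefix that every Go pseudo-version ends with, whatever its base version.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+.*?(\d{14})-([0-9a-f]{12})$`)

// requiredVersion returns the version a go.mod requires for module, handling
// both single-line "require m v" directives and "require ( ... )" blocks.
func requiredVersion(goMod, module string) (string, bool) {
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) != 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) == 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// predatesFix reports whether a pseudo-version's embedded commit timestamp is
// earlier than fixTimestamp. Both are fixed-width YYYYMMDDhhmmss strings, so a
// lexical comparison is chronological. Tagged versions (v1.2.3) carry no
// timestamp and must be checked against the advisory's fixed range instead.
func predatesFix(version, fixTimestamp string) (bool, error) {
	m := pseudoRe.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("%s is not a pseudo-version; check it against the advisory's fixed range", version)
	}
	return m[1] < fixTimestamp, nil
}

func main() {
	const module = "github.com/gomarkdown/markdown"
	v, ok := requiredVersion(sampleGoMod, module)
	if !ok {
		fmt.Println(module, "is not required")
		return
	}
	old, err := predatesFix(v, fixedSince)
	switch {
	case err != nil:
		fmt.Println(err)
	case old:
		fmt.Printf("%s %s predates the CVE-2026-40890 fix: bump it\n", module, v)
	default:
		fmt.Printf("%s %s is stamped after the fix date\n", module, v)
	}
}
```

The timestamp comparison is a heuristic, not proof of containment: a pseudo-version points at one commit, and a commit authored after the fix date on a branch that never merged the fix would pass this check. It is a cheap pre-filter for a go.mod bump; the authoritative answer comes from vulnerability data keyed on the fixed commit, which is what govulncheck or the OSV scanner already used in this PR consults.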
/hold Revision b8569c5 was retested 3 times: holding
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Branch updated from b8569c5 to bd3263d.
New changes are detected. LGTM label has been removed.
@red-hat-konflux[bot]: The following test failed, say
Full PR test history. Your PR dashboard. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This PR contains the following updates:
v1.21.1 → v1.31.0
v3.4.0 → v3.5.0
v1.10.2 → v1.12.0
v1.9.0 → v1.10.1
37c66b8 → e08cff8
v1.7.0 → v1.9.0
v0.9.2 → v0.9.5
v0.23.0 → v0.25.2
v2.28.1 → v2.31.0 v2.32.0
v1.39.1 → v1.42.0 v1.42.1
v0.30.0 → v0.44.0
v0.22.0 → v0.45.0
v0.74.0 → v0.92.0
v0.74.0 → v0.92.0
v1.12.0 → v1.15.0
v1.10.0 → v1.10.2
v1.0.9 → v1.0.10
v1.19.0 → v1.21.0
v1.10.2 → v1.18.1
v0.227.0 → v0.285.0 v0.286.0
v1.51.0 → v1.61.0 v1.62.0
v0.21.0 → v0.24.1
v0.6.0 → v0.7.0
Release Notes
Masterminds/semver (github.com/Masterminds/semver/v3)
v3.5.0
Full Changelog: Masterminds/semver@v3.4.0...v3.5.0
PuerkitoBio/goquery (github.com/PuerkitoBio/goquery)
v1.12.0
Note that Go1.25 is now required (use goquery < 1.12.0 if you can't use go1.25+, see README for version details).
v1.11.0
Note that Go1.24 is now required (use goquery < 1.11.0 if you can't use go1.24+).
v1.10.3
Update dependencies and a small memory optimization.
fsnotify/fsnotify (github.com/fsnotify/fsnotify)
v1.10.1
Changes and fixes
inotify: don't remove sibling watches sharing a path prefix (#754)
inotify, windows: don't rename sibling watches sharing a path prefix (#755)
v1.10.0
This version of fsnotify needs Go 1.23.
Changes and fixes
inotify: improve initialization error message (#731)
inotify: send Rename event if recursive watch is renamed (#696)
inotify: avoid copying event buffers when reading names (#741)
kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a bad entry no longer aborts Watcher.Add for the whole directory (#748)
kqueue: drop watches directly in Close() to fix a file descriptor leak when recycling watchers (#740)
windows: fix nil pointer dereference in remWatch (#736)
windows: lock watch field updates against concurrent WatchList to fix a race introduced in v1.9.0 (#709, #749)
hashicorp/go-version (github.com/hashicorp/go-version)
v1.9.0
Full Changelog: hashicorp/go-version@v1.8.0...v1.9.0
v1.8.0
Full Changelog: hashicorp/go-version@v1.7.0...v1.8.0
hashicorp/hc-install (github.com/hashicorp/hc-install)
v0.9.5
v0.9.4
ENHANCEMENTS:
go.mod if Go versions mismatch (#368)
v0.9.3
hashicorp/terraform-exec (github.com/hashicorp/terraform-exec)
v0.25.2
v0.25.1
v0.25.0
ENHANCEMENTS:
terraform workspace subcommands (#556)
-generate-config-out to the (Terraform).Plan() method (#563)
providers mirror subcommand (#551)
v0.24.0
ENHANCEMENTS:
QueryJSON and introduce new way for consuming Terraform's structured logging (#539)
v0.23.1
BUG FIXES:
SetEnableLegacyPipeClosing(true) to avoid hanging on cancellation.
onsi/ginkgo (github.com/onsi/ginkgo/v2)
v2.31.0
Add a bunch of Claude Skills via the marketplace:
v2.30.0
Features
Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites. Thanks @lawrencejones!
Fixes
4f62d7a
v2.29.0
GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.
ginkgo outline now includes entries defined in DescribeTableSubtree
v2.28.3
Maintenance
Bump all dependencies
v2.28.2
f3a36b6, 94151c8, 4d21dbb, c102161, 9619647, 5779304
onsi/gomega (github.com/onsi/gomega)
v1.42.0
Add a set of Claude skill as a marketplace plugin
v1.41.0
v1.40.0
We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests). Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain. Please open an issue if this new release process causes unexpected changes for your projects.
operator-framework/api (github.com/operator-framework/api)
v0.44.0
Full Changelog: operator-framework/api@v0.43.0...v0.44.0
v0.43.0
Full Changelog: operator-framework/api@v0.42.0...v0.43.0
v0.42.0
Full Changelog: operator-framework/api@v0.41.0...v0.42.0
v0.41.0
Full Changelog: operator-framework/api@v0.40.0...v0.41.0
v0.40.0
Full Changelog: operator-framework/api@v0.39.0...v0.40.0
v0.39.0
Potentially Breaking Changes
#469 adds support for k8s 1.35, which necessitates some API changes.
Full Changelog: operator-framework/api@v0.38.0...v0.39.0
v0.38.0
Full Changelog: operator-framework/api@v0.37.0...v0.38.0
v0.37.0
Full Changelog: operator-framework/api@v0.36.0...v0.37.0
v0.36.0
Full Changelog: operator-framework/api@v0.35.0...v0.36.0
v0.35.0
Notice
This release updates to k8s 1.34
Full Changelog: operator-framework/api@v0.34.0...v0.35.0
v0.34.0
Full Changelog: operator-framework/api@v0.33.0...v0.34.0
v0.33.0
Full Changelog: operator-framework/api@v0.32.0...v0.33.0
v0.32.0
Full Changelog: operator-framework/api@v0.31.0...v0.32.0
v0.31.0
Full Changelog: operator-framework/api@v0.30.0...v0.31.0
operator-framework/operator-lifecycle-manager (github.com/operator-framework/operator-lifecycle-manager)
v0.45.0
Changelog
c79ad06 🌱 Bump golang.org/x/sync from 0.20.0 to 0.21.0 (#3846)
cd9e051 🌱 Bump the k8s-dependencies group across 1 directory with 11 updates (#3827)
4b21b9b Update operator-registry and api (#3847)
Docker images
docker pull quay.io/operator-framework/olm:v0.45
Configuration
📅 Schedule: Branch creation - Between 02:00 AM and 04:59 AM, Monday through Friday ( * 2-4 * * 1-5 ) in timezone UTC, Automerge - Between 02:00 AM and 04:59 AM, Monday through Friday ( * 2-4 * * 1-5 ) in timezone UTC.
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment /ok-to-test.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.