Build(deps): Bump golang.org/x/crypto from 0.41.0 to 0.51.0#151
Build(deps): Bump golang.org/x/crypto from 0.41.0 to 0.51.0#151dependabot[bot] wants to merge 1 commit into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Summary by CodeRabbit
WalkthroughThe ChangesGo Module Manifest
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
go.mod (1)
28-28: Re-test crypto/ssh/bcrypt behavior aftergolang.org/x/cryptobump.
golang.org/x/cryptowas upgraded v0.41.0 → v0.50.0 (Line 28). Given the repo’s usage ofgolang.org/x/crypto/sshand bcrypt hashing (per the provided context snippets), upstream behavioral changes can surface as subtle auth/handshake or hashing-related regressions.Request/confirm running:
go test ./...(unit tests)- any targeted tests covering SSH connection/signing and bcrypt-based flows
- ideally
go test ./... -raceif the project runs race in CI🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@go.mod` at line 28, The dependency golang.org/x/crypto was bumped to v0.50.0 which may change behavior in crypto/ssh and bcrypt flows; re-run the full test suite and targeted tests to confirm no regressions by executing `go test ./...` and `go test ./... -race`, plus run any specific tests covering ssh connection/handshake and bcrypt hashing (look for usages of golang.org/x/crypto/ssh and golang.org/x/crypto/bcrypt in the codebase such as functions/methods that perform SSH client/server handshakes or call bcrypt.GenerateFromPassword/CompareHashAndPassword), capture failures, and if any tests fail, bisect the change by temporarily reverting to v0.41.0 to pinpoint behavioral differences and update code (or add compatibility shims/tests) to accommodate API/behavioral changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@go.mod`:
- Line 3: go.mod now sets "go 1.25.0" but the GitHub Actions workflows still pin
Go to 1.24.7; open the workflow files referenced
(.github/workflows/publish-release.yml and
.github/workflows/check-pull-request.yml) and update the go-version entries
(keys named "go-version") from '1.24.7' to '1.25.0' (or a later compatible
version) so CI uses the same Go version as the module; keep the key name
"go-version" intact and update all occurrences noted in the review.
---
Nitpick comments:
In `@go.mod`:
- Line 28: The dependency golang.org/x/crypto was bumped to v0.50.0 which may
change behavior in crypto/ssh and bcrypt flows; re-run the full test suite and
targeted tests to confirm no regressions by executing `go test ./...` and `go
test ./... -race`, plus run any specific tests covering ssh connection/handshake
and bcrypt hashing (look for usages of golang.org/x/crypto/ssh and
golang.org/x/crypto/bcrypt in the codebase such as functions/methods that
perform SSH client/server handshakes or call
bcrypt.GenerateFromPassword/CompareHashAndPassword), capture failures, and if
any tests fail, bisect the change by temporarily reverting to v0.41.0 to
pinpoint behavioral differences and update code (or add compatibility
shims/tests) to accommodate API/behavioral changes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 6a999e6b-8d67-477c-8be5-ea9dab26f684
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (1)
go.mod
| module github.com/openshift-online/ocm-common | ||
|
|
||
| go 1.24.7 | ||
| go 1.25.0 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Read-only verification: check what Go versions CI/build workflows use, and whether go.sum is updated.
set -euo pipefail
echo "== CI: find Go toolchain versions =="
# Look for common workflow/build config locations (adjust if your repo differs)
rg -n --hidden --glob '!.git' \
'go-version:|setup-go|GOTOOLCHAIN|toolchain go|GO_VERSION' . || true
echo "== go.sum present? =="
ls -la go.sum || true
echo "== go.mod parsing sanity (requires Go binary) =="
if command -v go >/dev/null 2>&1; then
go version
go mod edit -json >/dev/null
go mod tidy -n >/dev/null || true
else
echo "No 'go' binary in this environment; skip go mod edit/tidy checks."
fiRepository: openshift-online/ocm-common
Length of output: 895
Update CI workflows to match go 1.25.0 requirement.
The go directive in go.mod is now 1.25.0, but CI workflows are still pinned to Go 1.24.7:
.github/workflows/publish-release.yml:25specifiesgo-version: '1.24.7'.github/workflows/check-pull-request.yml:45and71specifygo-version: '1.24.7'
Update both workflows to use go-version: '1.25.0' (or later) to match the module requirement, otherwise CI builds will fail.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` at line 3, go.mod now sets "go 1.25.0" but the GitHub Actions
workflows still pin Go to 1.24.7; open the workflow files referenced
(.github/workflows/publish-release.yml and
.github/workflows/check-pull-request.yml) and update the go-version entries
(keys named "go-version") from '1.24.7' to '1.25.0' (or a later compatible
version) so CI uses the same Go version as the module; keep the key name
"go-version" intact and update all occurrences noted in the review.
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.51.0. - [Commits](golang/crypto@v0.41.0...v0.51.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.50.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
8a7031e to
1df3940
Compare
Bumps golang.org/x/crypto from 0.41.0 to 0.51.0.
Commits
b8a14a8go.mod: update golang.org/x dependencies9d9d507x509roots/fallback/bundle: fix bundle test with Go 1.27+fd0b90dacme: include Problem in OrderError.Errorb9e5359pbkdf2: turn into a wrapper for crypto/pbkdf2cc0e4fchkdf: forward Extract to the standard librarya8e9237x509roots/fallback: update bundle03ca0dcgo.mod: update golang.org/x dependencies8400f4assh: respect signer's algorithm preference in pickSignatureAlgorithm81c6cb3ssh: swap cbcMinPaddingSize to cbcMinPacketSize to get encLength982eaa6go.mod: update golang.org/x dependencies