Skip to content

Build(deps): Bump golang.org/x/crypto from 0.41.0 to 0.51.0#151

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/golang.org/x/crypto-0.50.0
Open

Build(deps): Bump golang.org/x/crypto from 0.41.0 to 0.51.0#151
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/golang.org/x/crypto-0.50.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Copy link
Copy Markdown

Bumps golang.org/x/crypto from 0.41.0 to 0.51.0.

Commits
  • b8a14a8 go.mod: update golang.org/x dependencies
  • 9d9d507 x509roots/fallback/bundle: fix bundle test with Go 1.27+
  • fd0b90d acme: include Problem in OrderError.Error
  • b9e5359 pbkdf2: turn into a wrapper for crypto/pbkdf2
  • cc0e4fc hkdf: forward Extract to the standard library
  • a8e9237 x509roots/fallback: update bundle
  • 03ca0dc go.mod: update golang.org/x dependencies
  • 8400f4a ssh: respect signer's algorithm preference in pickSignatureAlgorithm
  • 81c6cb3 ssh: swap cbcMinPaddingSize to cbcMinPacketSize to get encLength
  • 982eaa6 go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 28, 2026
@coderabbitai

coderabbitai Bot commented Apr 28, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 33c9a232-6aff-4959-96f4-d6203c27c46c

📥 Commits

Reviewing files that changed from the base of the PR and between 8a7031e and 1df3940.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain and project dependencies to latest stable versions for improved security and compatibility.

Walkthrough

The go.mod file now declares Go 1.25.0 (was 1.24.7) and updates several golang.org/x/* dependencies: crypto, term, net, sys, text, and tools to newer versions.

Changes

Go Module Manifest

Layer / File(s) Summary
Toolchain directive
go.mod
Updated go directive from 1.24.71.25.0.
Direct dependency
go.mod
Bumped golang.org/x/crypto from v0.41.0v0.51.0.
Indirect dependencies
go.mod
Updated indirect golang.org/x/* modules: term v0.34.0v0.43.0, net v0.43.0v0.53.0, sys v0.35.0v0.44.0, text v0.28.0v0.37.0, tools v0.36.0v0.44.0.
Checksum / vendoring (implicit)
go.mod
go.sum or vendor updates implied by dependency bumps (not shown in diff).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title specifically mentions bumping golang.org/x/crypto, but the changeset also updates the Go version from 1.24.7 to 1.25.0 and upgrades five other golang.org/x modules, making the title incomplete and partially misleading. Update the title to reflect the primary change, e.g., 'Build(deps): Update Go version to 1.25.0 and upgrade dependencies' or make the scope clearer.
✅ Passed checks (4 passed)
Check name Status Explanation
Description check ✅ Passed The description details the golang.org/x/crypto upgrade with commit information, which is directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/go_modules/golang.org/x/crypto-0.50.0

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

28-28: Re-test crypto/ssh/bcrypt behavior after golang.org/x/crypto bump.

golang.org/x/crypto was upgraded v0.41.0 → v0.50.0 (Line 28). Given the repo’s usage of golang.org/x/crypto/ssh and bcrypt hashing (per the provided context snippets), upstream behavioral changes can surface as subtle auth/handshake or hashing-related regressions.

Request/confirm running:

  • go test ./... (unit tests)
  • any targeted tests covering SSH connection/signing and bcrypt-based flows
  • ideally go test ./... -race if the project runs race in CI
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 28, The dependency golang.org/x/crypto was bumped to v0.50.0
which may change behavior in crypto/ssh and bcrypt flows; re-run the full test
suite and targeted tests to confirm no regressions by executing `go test ./...`
and `go test ./... -race`, plus run any specific tests covering ssh
connection/handshake and bcrypt hashing (look for usages of
golang.org/x/crypto/ssh and golang.org/x/crypto/bcrypt in the codebase such as
functions/methods that perform SSH client/server handshakes or call
bcrypt.GenerateFromPassword/CompareHashAndPassword), capture failures, and if
any tests fail, bisect the change by temporarily reverting to v0.41.0 to
pinpoint behavioral differences and update code (or add compatibility
shims/tests) to accommodate API/behavioral changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: go.mod now sets "go 1.25.0" but the GitHub Actions workflows still pin
Go to 1.24.7; open the workflow files referenced
(.github/workflows/publish-release.yml and
.github/workflows/check-pull-request.yml) and update the go-version entries
(keys named "go-version") from '1.24.7' to '1.25.0' (or a later compatible
version) so CI uses the same Go version as the module; keep the key name
"go-version" intact and update all occurrences noted in the review.

---

Nitpick comments:
In `@go.mod`:
- Line 28: The dependency golang.org/x/crypto was bumped to v0.50.0 which may
change behavior in crypto/ssh and bcrypt flows; re-run the full test suite and
targeted tests to confirm no regressions by executing `go test ./...` and `go
test ./... -race`, plus run any specific tests covering ssh connection/handshake
and bcrypt hashing (look for usages of golang.org/x/crypto/ssh and
golang.org/x/crypto/bcrypt in the codebase such as functions/methods that
perform SSH client/server handshakes or call
bcrypt.GenerateFromPassword/CompareHashAndPassword), capture failures, and if
any tests fail, bisect the change by temporarily reverting to v0.41.0 to
pinpoint behavioral differences and update code (or add compatibility
shims/tests) to accommodate API/behavioral changes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6a999e6b-8d67-477c-8be5-ea9dab26f684

📥 Commits

Reviewing files that changed from the base of the PR and between 6202709 and 8a7031e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift-online/ocm-common

go 1.24.7
go 1.25.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: check what Go versions CI/build workflows use, and whether go.sum is updated.

set -euo pipefail

echo "== CI: find Go toolchain versions =="
# Look for common workflow/build config locations (adjust if your repo differs)
rg -n --hidden --glob '!.git' \
  'go-version:|setup-go|GOTOOLCHAIN|toolchain go|GO_VERSION' . || true

echo "== go.sum present? =="
ls -la go.sum || true

echo "== go.mod parsing sanity (requires Go binary) =="
if command -v go >/dev/null 2>&1; then
  go version
  go mod edit -json >/dev/null
  go mod tidy -n >/dev/null || true
else
  echo "No 'go' binary in this environment; skip go mod edit/tidy checks."
fi

Repository: openshift-online/ocm-common

Length of output: 895


Update CI workflows to match go 1.25.0 requirement.

The go directive in go.mod is now 1.25.0, but CI workflows are still pinned to Go 1.24.7:

  • .github/workflows/publish-release.yml:25 specifies go-version: '1.24.7'
  • .github/workflows/check-pull-request.yml:45 and 71 specify go-version: '1.24.7'

Update both workflows to use go-version: '1.25.0' (or later) to match the module requirement, otherwise CI builds will fail.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, go.mod now sets "go 1.25.0" but the GitHub Actions
workflows still pin Go to 1.24.7; open the workflow files referenced
(.github/workflows/publish-release.yml and
.github/workflows/check-pull-request.yml) and update the go-version entries
(keys named "go-version") from '1.24.7' to '1.25.0' (or a later compatible
version) so CI uses the same Go version as the module; keep the key name
"go-version" intact and update all occurrences noted in the review.

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.51.0.
- [Commits](golang/crypto@v0.41.0...v0.51.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Build(deps): Bump golang.org/x/crypto from 0.41.0 to 0.50.0 Build(deps): Bump golang.org/x/crypto from 0.41.0 to 0.51.0 May 11, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/golang.org/x/crypto-0.50.0 branch from 8a7031e to 1df3940 Compare May 11, 2026 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants