Build(deps): Bump github.com/onsi/gomega from 1.30.0 to 1.40.0#153
Build(deps): Bump github.com/onsi/gomega from 1.30.0 to 1.40.0#153dependabot[bot] wants to merge 1 commit into
Conversation
WalkthroughUpdated module dependencies in ChangesDependency Version Updates
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@go.mod`:
- Around line 92-95: The go.mod currently pins github.com/golang/glog to v1.2.0
which is vulnerable; update that dependency to v1.2.4 (or later) by replacing
the line "github.com/golang/glog v1.2.0" with "github.com/golang/glog v1.2.4"
(or run `go get github.com/golang/glog@v1.2.4`) and then run `go mod tidy` to
refresh the module graph; verify builds and tests to ensure no regressions after
updating the glog dependency.
- Around line 73-77: Update the vulnerable dependency golang.org/x/oauth2
(currently listed as golang.org/x/oauth2 v0.19.0) to v0.27.0 or later in go.mod;
change the version spec to the new version, run go get
golang.org/x/oauth2@v0.27.0 (or go get golang.org/x/oauth2@latest) and then run
go mod tidy to refresh go.sum, and finally run your test/build to ensure
compatibility with the updated module.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 44004663-7a4c-4861-a123-e161a15adee7
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (1)
go.mod
| golang.org/x/mod v0.32.0 // indirect | ||
| golang.org/x/oauth2 v0.19.0 // indirect | ||
| golang.org/x/term v0.34.0 // indirect | ||
| google.golang.org/protobuf v1.34.0 // indirect | ||
| golang.org/x/sync v0.19.0 // indirect | ||
| golang.org/x/term v0.39.0 // indirect | ||
| google.golang.org/protobuf v1.36.7 // indirect |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify known vulnerabilities and fixed versions for golang.org/x/oauth2
curl -s https://api.osv.dev/v1/query \
-H 'Content-Type: application/json' \
-d '{"package":{"ecosystem":"Go","name":"golang.org/x/oauth2"},"version":"0.19.0"}' | jq .Repository: openshift-online/ocm-common
Length of output: 4067
Upgrade vulnerable golang.org/x/oauth2 from v0.19.0 to v0.27.0 or later.
golang.org/x/oauth2 v0.19.0 contains a HIGH-severity vulnerability (CVE-2025-22868) that allows malformed tokens to cause unexpected memory consumption. Upgrade to v0.27.0 or later to patch this issue.
🧰 Tools
🪛 OSV Scanner (2.3.5)
[HIGH] 74-74: golang.org/x/oauth2 0.19.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2
(GO-2025-3488)
[HIGH] 74-74: golang.org/x/oauth2 0.19.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` around lines 73 - 77, Update the vulnerable dependency
golang.org/x/oauth2 (currently listed as golang.org/x/oauth2 v0.19.0) to v0.27.0
or later in go.mod; change the version spec to the new version, run go get
golang.org/x/oauth2@v0.27.0 (or go get golang.org/x/oauth2@latest) and then run
go mod tidy to refresh go.sum, and finally run your test/build to ensure
compatibility with the updated module.
| github.com/go-logr/logr v1.4.3 // indirect | ||
| github.com/golang/glog v1.2.0 | ||
| github.com/google/go-cmp v0.6.0 // indirect | ||
| github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect | ||
| github.com/google/go-cmp v0.7.0 // indirect | ||
| github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify known vulnerabilities and fixed versions for github.com/golang/glog
curl -s https://api.osv.dev/v1/query \
-H 'Content-Type: application/json' \
-d '{"package":{"ecosystem":"Go","name":"github.com/golang/glog"},"version":"1.2.0"}' | jq .Repository: openshift-online/ocm-common
Length of output: 7695
Upgrade github.com/golang/glog to v1.2.4 or later.
github.com/golang/glog v1.2.0 contains CVE-2024-45339 (GHSA-6wxm-mpqj-6jpf), an insecure temporary file vulnerability that allows unprivileged attackers to predict log file paths and pre-create symlinks to sensitive files, leading to file overwrite. This is fixed in v1.2.4.
🧰 Tools
🪛 OSV Scanner (2.3.5)
[HIGH] 93-93: github.com/golang/glog 1.2.0: Vulnerability when creating log files in github.com/golang/glog
(GO-2025-3372)
[HIGH] 93-93: github.com/golang/glog 1.2.0: Insecure Temporary File usage in github.com/golang/glog
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` around lines 92 - 95, The go.mod currently pins
github.com/golang/glog to v1.2.0 which is vulnerable; update that dependency to
v1.2.4 (or later) by replacing the line "github.com/golang/glog v1.2.0" with
"github.com/golang/glog v1.2.4" (or run `go get github.com/golang/glog@v1.2.4`)
and then run `go mod tidy` to refresh the module graph; verify builds and tests
to ensure no regressions after updating the glog dependency.
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.40.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.30.0...v1.40.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
8163548 to
7ea1dcc
Compare
Bumps github.com/onsi/gomega from 1.30.0 to 1.40.0.
Release notes
Sourced from github.com/onsi/gomega's releases.
... (truncated)
Changelog
Sourced from github.com/onsi/gomega's changelog.
... (truncated)
Commits
87ee9d3v1.40.0ea66027v1.40.0 (full)e3fd789update docs to reflect new versioning strategy7d4ee30first push to master-litee4a82d1Bump github/codeql-action from 3 to 4 (#875)af62723Bump rexml from 3.4.0 to 3.4.2 in /docs (#870)e164221Bump github.com/onsi/ginkgo/v2 from 2.28.0 to 2.28.1 (#895)334a282Bump faraday from 2.12.2 to 2.14.1 in /docs (#896)1a25a36v1.39.1406faeebump all deps