Merged
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -27,7 +27,7 @@ require (
github.com/pkg/errors v0.9.1
github.com/spf13/cobra v1.10.2
github.com/stretchr/testify v1.11.1
github.com/tektoncd/pipeline v1.9.2
github.com/tektoncd/pipeline v1.9.3
high

It appears that go mod tidy was not run after updating the tektoncd/pipeline dependency. The go.mod file contains fragmented require blocks (e.g., lines 5, 49, and 83), and the go.sum file lacks updates for any indirect dependencies that may have changed with the new version. Please run go mod tidy to ensure the module files are consistent and correctly formatted.

Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

go mod tidy and make vendor were run before committing.

security-high high

The PR description mentions path traversal hardening for volume mount validation using filepath.Clean, but the current diff only contains a dependency bump. Please confirm if the updated dependency version resolves the security issue or if the intended code changes are missing. It is important to investigate if the issue is resolved by the dependency update itself before making further code changes.

References
  1. Confirm dependency versions and investigate if security issues are resolved by the dependency update before making further code changes to avoid redundant work or false positives.

Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CVE is linked in the commit message along with the fix being present in pipeline:v1.9.3.

gitlab.com/gitlab-org/api/client-go v1.14.0
go.opencensus.io v0.24.0
go.uber.org/zap v1.27.1
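Review bot: The only change in this require block is github.com/tektoncd/pipeline v1.9.2 -> v1.9.3, and nothing in go.mod itself records why; since the thread states this bump is the fix for a CVE, the advisory identifier that is in the commit message should also be in the PR description so reviewers can check the fixed-version range against v1.9.3 without opening the commit. After merge, a `govulncheck ./...` run against the updated module is the quickest way to confirm the vulnerable symbol is no longer reported, and that the fragmented require blocks mentioned earlier do not leave a second, older tektoncd/pipeline requirement in place (`go list -m all | grep tektoncd/pipeline` should show exactly v1.9.3).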
Expand Up @@ -482,8 +482,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
github.com/tektoncd/pipeline v1.9.2 h1:uKEt6CGLmkeKLdKIZnel0gn8lfQ1P7+398yystdBuHU=
github.com/tektoncd/pipeline v1.9.2/go.mod h1:PTlIZ4Mhr8HZDx404O7spJtafiynetTMedCsXStjtHk=
github.com/tektoncd/pipeline v1.9.3 h1:7Z+V2VX5wjz9LoNa16E1RbgH9mpYy5B1KnAMm3H0czc=
github.com/tektoncd/pipeline v1.9.3/go.mod h1:pEruzPp4JM8JK8Nnnih46IPgdtxRPot/i9pUZo8lA9I=
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
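Review bot: Only the two checksum lines for tektoncd/pipeline change here (the h1: module hash and the /go.mod hash for v1.9.3), with no new indirect entries; that is the expected shape for a patch-level bump whose go.mod did not pull in new transitive requirements, and it is consistent with the author's reply that go mod tidy and make vendor were already run, which answers the earlier comment about missing indirect updates. To make that property hold in CI rather than by inspection, add a step that runs `go mod tidy && go mod vendor && git diff --exit-code` so any drift between go.mod, go.sum and vendor/ fails the build, and run `go mod verify` once to confirm the downloaded v1.9.3 module matches the h1: hash recorded on this line.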
Expand Up @@ -399,8 +399,8 @@ github.com/spf13/pflag
## explicit; go 1.17
github.com/stretchr/testify/assert
github.com/stretchr/testify/assert/yaml
# github.com/tektoncd/pipeline v1.9.2
## explicit; go 1.24.0
# github.com/tektoncd/pipeline v1.9.3
## explicit; go 1.24.13
github.com/tektoncd/pipeline/internal/artifactref
github.com/tektoncd/pipeline/pkg/apis/config
github.com/tektoncd/pipeline/pkg/apis/pipeline
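Review bot: The line `## explicit; go 1.24.13` shows that tektoncd/pipeline v1.9.3 now declares a higher minimum Go version than v1.9.2 did (`go 1.24.0`); the go.mod hunk in this PR does not include the module's own `go` directive, so please confirm it is already at or above 1.24.13 and that the CI toolchain matches, otherwise builds without toolchain auto-download will fail. Separately, the vendored source under github.com/tektoncd/pipeline/ is hidden in this view because vendor files are not rendered by default, yet that is where the actual fix lives; the reviewer comment above refers to path traversal hardening of volume mount validation using filepath.Clean, so it is worth expanding the vendored diff for the affected package and checking that the hardened validation is present in the v1.9.3 copy, rather than relying on the version number alone.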