[master] ACM-35865: CVE-2026-39828 Bump golang.org/x/crypto to v0.52.0 using replace directive (client module)#10659
Conversation
…eplace directive
|
@shay23bra: This pull request references ACM-35865 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (1)
WalkthroughThe client Go module adds a ChangesCrypto dependency configuration
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related issues
Possibly related PRs
Suggested labels: 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shay23bra The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #10659 +/- ##
==========================================
- Coverage 44.47% 44.47% -0.01%
==========================================
Files 423 423
Lines 73327 73327
==========================================
- Hits 32615 32614 -1
Misses 37802 37802
- Partials 2910 2911 +1 🚀 New features to boost your workflow:
|
|
Closing as duplicate — the same golang.org/x/crypto bump is already covered by an existing PR on this branch. |
Bump
golang.org/x/cryptotov0.52.0to fixCVE-2026-39828using a replace directiveStrategy Selection
Strategies Not Applicable
Direct dependency version bump
Not applicable: dependency is indirect. Direct version bumps only work for explicitly required modules.
Direct dependency major version upgrade
Not applicable: dependency is indirect. Major version upgrades only apply to direct dependencies.
Indirect dependency fix via parent update
Exception: unhandled errors in a TaskGroup (1 sub-exception)
Indirect to direct dependency conversion
Attempted to pin golang.org/x/crypto to a fixed version, but Go reverted it to indirect at v0.0.0-20220622213112-05595931fe9d. No other module requires this version directly, so the explicit requirement was automatically removed by Go's module resolution.
✓ Successful Strategy: Replace directive workaround
Added replace directive to override module resolution. Used as last resort when standard updates fail.
https://redhat.atlassian.net/browse/ACM-35865
This PR was automatically generated by the CVE Automation tool.
For questions or issues, reach out in #cve-automation.
Summary by CodeRabbit