bump go version to fix https://pkg.go.dev/vuln/GO-2025-3956 #1820
Conversation
Hi @ErickRDS. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

I think that probably we'd need to update o-f/api and after we get a new release, I can rebase my branch.

This is updating the repo to
| @@ -1,6 +1,6 @@ | |||
| module github.com/operator-framework/operator-registry | |||
|
|
|||
| go 1.24.4 | |||
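Review bot: the context line here shows the `go` directive at 1.24.4, so the change relies on the go.mod directive alone to bring in the fix. Since GO-2025-3956 is a standard-library fix (os/exec, per the description), it only reaches binaries that are actually compiled with a 1.24.6 or newer toolchain; suggest confirming that CI jobs and container build images honour the new minimum rather than building with an older pinned toolchain.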
The comment says things are fixed at 1.24.4, which this repo already uses. So why the update to 1.24.6?
oh, my bad. I adjusted the description of the PR.
True. I just copied the description of an old PR that I raised and forgot to change the go version in the description. My bad.

I'm bumping to 1.24.6 to be a simple bump to fix the CVE, but if you guys prefer, we can bump to 1.24.9, to avoid other PRs to bump the Go version any time soon.

Thanks for the PR @ErickRDS!
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (master vs. #1820):

              master     #1820       +/-
  Coverage    55.37%    57.49%    +2.12%
  Files          136       136
  Lines        16003     12934     -3069
  Hits          8861      7437     -1424
  Misses        5987      4342     -1645
  Partials      1155      1155
/ok-to-test

/lgtm

Will need to bump go in o-f/api and cut a release there, then update op-reg here to use it. If @ErickRDS is up to it, it would be best to do it in this PR. Otherwise, we can merge that first and then rebase this PR to pick it up.

api PR: operator-framework/api#455

Merged that PR in api, and cut a new v0.36.0 api release. Please let us know if you can update this PR to bump that version as well, or if you'd prefer that we did and you rebase to pick up.

Sure, I can do that

In case you prefer only one commit, please let me know.

/lgtm
This repo will squash the commits, so no worries.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: grokspawn
Merged commit d0d9159 into operator-framework:master
Description of the change:
Update the go directive in go.mod from 1.24.4 to 1.24.6 to address CVE-2025-47906 (GO-2025-3956) in os/exec (LookPath PATH handling).
Motivation for the change:
Internal security scanners flagged this repository for CVE-2025-47906. The Go team fixed this issue in Go 1.24.6 (and 1.23.12). Bumping to 1.24.6 ensures compliance and mitigates the vulnerability.
Closes #1802
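As an added example that is not part of this PR or the operator-registry code base, a small Go checker for the question this thread turns on: whether a go.mod's `go` directive (raised by a `toolchain` directive, if one is present) already pins a toolchain at or past the fixed releases named in the description. It assumes that release lines newer than 1.24 were cut after the fix and therefore carry it.

```go
package main

import "fmt"
import "strings"

// key packs a version into one comparable int: major*1e6 + minor*1e3 + patch.
func key(major, minor, patch int) int { return major*1000000 + minor*1000 + patch }

// First patched release of each affected line, from the PR description.
var fixed = map[int]int{key(1, 23, 0): key(1, 23, 12), key(1, 24, 0): key(1, 24, 6)}

// parse reads "go1.24.6" or "1.24"; "1.24" and a prerelease like "1.24rc1" count as patch 0.
func parse(v string) (int, bool) {
	var major, minor, patch int
	n, _ := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &major, &minor, &patch)
	return key(major, minor, patch), n >= 2
}

// EffectiveMin is the lowest toolchain a GOTOOLCHAIN=auto build can select: the
// `go` directive, raised by a `toolchain` directive when one is present.
func EffectiveMin(gomod string) (int, error) {
	lowest := 0
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || (f[0] != "go" && f[0] != "toolchain") || f[1] == "default" {
			continue
		}
		v, ok := parse(f[1])
		if !ok {
			return 0, fmt.Errorf("unparseable %s directive %q", f[0], f[1])
		}
		if v > lowest {
			lowest = v
		}
	}
	if lowest == 0 {
		return 0, fmt.Errorf("go.mod has no go directive")
	}
	return lowest, nil
}

// HasFix reports whether that minimum toolchain includes the fix.
func HasFix(gomod string) (bool, error) {
	v, err := EffectiveMin(gomod)
	need, known := fixed[v/1000*1000]
	if !known {
		need = key(1, 25, 0) // assumption: lines newer than 1.24 were cut after the fix
	}
	return err == nil && v >= need, err
}
```

A scanner that only grepped for `go 1.24.4` would miss a module whose `toolchain go1.24.6` line already raises the effective minimum, which is why both directives are considered.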