deps(go): bump golang.org/x/crypto to v0.52.0 (AROSLSRE-1455)#6000
deps(go): bump golang.org/x/crypto to v0.52.0 (AROSLSRE-1455)#6000raelga wants to merge 2 commits into
Conversation
Fixes 13 advisories (7 critical, 2 high, 4 medium) reported by Dependabot across 23 workspace modules. Ran make all-tidy (go mod tidy per module + go work sync + fmt + licenses); go build ./... passes for all affected modules.
There was a problem hiding this comment.
Pull request overview
Updates the repository’s Go workspace modules to use golang.org/x/crypto v0.52.0, addressing multiple security advisories while keeping the change scoped to dependency metadata (go.mod/go.sum).
Changes:
- Bump
golang.org/x/cryptofromv0.51.0→v0.52.0across the affected workspace modules. - Refresh module checksum files (
go.sum) to match the updated dependency graph. - Add/update indirect requirements where needed to reflect the new resolved version.
Reviewed changes
Copilot reviewed 23 out of 46 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tooling/tenant-quota/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/tenant-quota/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/templatize/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/templatize/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/secret-sync/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/secret-sync/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/prometheus-rules/go.mod | Add/update golang.org/x/crypto v0.52.0 (indirect). |
| tooling/prometheus-rules/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/kustoctl/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/kustoctl/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/image-updater/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/image-updater/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/helmtest/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/helmtest/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/hcpctl/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/hcpctl/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/grafanactl/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/grafanactl/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/cleanup-sweeper/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/cleanup-sweeper/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| tooling/aro-hcp-exporter/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| tooling/aro-hcp-exporter/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| test/go.mod | Bump direct golang.org/x/crypto dependency to v0.52.0. |
| test/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| test-integration/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| test-integration/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| sessiongate/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| sessiongate/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| mgmt-agent/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| mgmt-agent/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| kube-applier/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| kube-applier/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| internal/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| internal/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| frontend/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| frontend/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| fleet/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| fleet/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| dev-infrastructure/scripts/postgres-access/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| dev-infrastructure/scripts/postgres-access/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| backend/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| backend/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| admin/server/go.mod | Bump golang.org/x/crypto to v0.52.0 (indirect). |
| admin/server/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
| admin/client/go.mod | Bump direct golang.org/x/crypto dependency to v0.52.0. |
| admin/client/go.sum | Update checksums for golang.org/x/crypto v0.52.0. |
|
Pushed Failure: the job showed Fix: |
|
/test periodic-healthcheck-images Retesting: this is an environmental/network flake, not caused by this PR. The That's a DNS-resolution failure inside the build sandbox ( |
avollmer-redhat
left a comment
There was a problem hiding this comment.
/lgtm
Dep-only change: golang.org/x/crypto v0.51.0 → v0.52.0 across all 23 workspace modules. Fixes 13 CVEs (286 Dependabot alerts). go.mod/go.sum only, no source changes. e2e-parallel failure is unrelated to a transitive crypto bump.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: avollmer-redhat, raelga The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@raelga: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/hold Revision bd8ae13 was retested 3 times: holding |
AROSLSRE-1455
What
Bump
golang.org/x/cryptofromv0.51.0tov0.52.0across all 23 affected workspace modules (2 direct importers, the rest indirect), regenerated withmake all-tidy.Why
Resolves 286 open Dependabot alerts — by far the largest single source of open alerts on the repo (the other ~22 open alerts are unrelated packages). These stem from 13 distinct
golang.org/x/cryptoadvisories (7 critical, 2 high, 4 medium) fanned out across the 23 affected workspace modules. Highlights: auth bypass via unenforced@revokedstatus (CVE-2026-42508), agent constraint / key-constraint bypasses (CVE-2026-39832/39833), and several SSH server DoS issues.CVEs fixed
CVE-2026-42508, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39830, CVE-2026-46595, CVE-2026-46597, CVE-2026-39829, CVE-2026-39828, CVE-2026-39835, CVE-2026-46598, CVE-2026-39827
Alert search: open Dependabot alerts for
golang.org/x/cryptoTesting
make all-tidy(per-modulego mod tidy+go work sync+ fmt + licenses) — clean.go build ./...passes for all 23 affected modules.Special notes for your reviewer
Dependency-only change; diff is limited to
go.mod/go.sum/go.work.sum. No source edits. Part of the go.work-aware Dependabot remediation effort (AROSLSRE-1448).Closes #5964
Closes #5965
PR Checklist