deps(go): bump oras.land/oras-go/v2 to v2.6.1 (AROSLSRE-1456)#6001
Open
raelga wants to merge 1 commit into
Open
deps(go): bump oras.land/oras-go/v2 to v2.6.1 (AROSLSRE-1456)#6001raelga wants to merge 1 commit into
raelga wants to merge 1 commit into
Conversation
Fixes 4 Dependabot advisories (1 high, 2 medium, 1 low) in test, tooling/helmtest and tooling/templatize. GHSA-fxhp-mv3v-67qp (CVE-2026-50163) has no patched release and is tracked separately. make all-tidy + go build ./... pass.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: raelga The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the indirect Go dependency oras.land/oras-go/v2 from v2.6.0 to v2.6.1 across the repo’s Go workspace modules that currently pull it in (test, tooling/helmtest, tooling/templatize), primarily to address multiple security advisories.
Changes:
- Bump
oras.land/oras-go/v2tov2.6.1(indirect) in the affected modulego.modfiles. - Regenerate corresponding
go.sumentries viamake all-tidy.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tooling/templatize/go.mod | Updates indirect oras.land/oras-go/v2 requirement to v2.6.1. |
| tooling/templatize/go.sum | Updates oras.land/oras-go/v2 checksum entries for v2.6.1. |
| tooling/helmtest/go.mod | Updates indirect oras.land/oras-go/v2 requirement to v2.6.1. |
| tooling/helmtest/go.sum | Updates oras.land/oras-go/v2 checksum entries for v2.6.1. |
| test/go.mod | Updates indirect oras.land/oras-go/v2 requirement to v2.6.1. |
| test/go.sum | Updates oras.land/oras-go/v2 checksum entries for v2.6.1. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AROSLSRE-1456
What
Bump
oras.land/oras-go/v2tov2.6.1intest,tooling/helmtest, andtooling/templatize(all indirect), regenerated withmake all-tidy.Why
Clears 4 Dependabot advisories: CVE-2026-50151 (high), CVE-2026-50162 (medium), GHSA-vh4v-2xq2-g5cg (medium), CVE-2026-48978 (low).
Note: CVE-2026-50163 (high, GHSA-fxhp-mv3v-67qp) has no patched version (
<= 2.6.1) and cannot be fixed by a bump; it is tracked separately for dismissal/justification.CVEs fixed
CVE-2026-50151, CVE-2026-50162, CVE-2026-48978
Not fixable by this bump (no patched release): CVE-2026-50163 — tracked separately.
Alert search: open Dependabot alerts for
oras.land/oras-go/v2Testing
make all-tidyclean;go build ./...passes for the 3 affected modules.Special notes for your reviewer
Dependency-only change; diff limited to
go.mod/go.sum/go.work.sum. Part of AROSLSRE-1448.PR Checklist