Skip to content

deps(go): bump oras.land/oras-go/v2 to v2.6.1 (AROSLSRE-1456)#6001

Open
raelga wants to merge 1 commit into
Azure:mainfrom
raelga:bump-go-oras-cves
Open

deps(go): bump oras.land/oras-go/v2 to v2.6.1 (AROSLSRE-1456)#6001
raelga wants to merge 1 commit into
Azure:mainfrom
raelga:bump-go-oras-cves

Conversation

@raelga

@raelga raelga commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

AROSLSRE-1456

What

Bump oras.land/oras-go/v2 to v2.6.1 in test, tooling/helmtest, and tooling/templatize (all indirect), regenerated with make all-tidy.

Why

Clears 4 Dependabot advisories: CVE-2026-50151 (high), CVE-2026-50162 (medium), GHSA-vh4v-2xq2-g5cg (medium), CVE-2026-48978 (low).

Note: CVE-2026-50163 (high, GHSA-fxhp-mv3v-67qp) has no patched version (<= 2.6.1) and cannot be fixed by a bump; it is tracked separately for dismissal/justification.

CVEs fixed

CVE-2026-50151, CVE-2026-50162, CVE-2026-48978

Not fixable by this bump (no patched release): CVE-2026-50163 — tracked separately.

Alert search: open Dependabot alerts for oras.land/oras-go/v2

Testing

  • make all-tidy clean; go build ./... passes for the 3 affected modules.

Special notes for your reviewer

Dependency-only change; diff limited to go.mod / go.sum / go.work.sum. Part of AROSLSRE-1448.

PR Checklist

  • PR is scoped to a single task (no mixed concerns)
  • Title follows Conventional Commits format
  • Summary explains the "Why" behind the change
  • Linked to relevant ticket/issue
  • Self-reviewed the diff
  • CI/CD checks are passing (ignore Tide)
  • Commit history is clean (rebased/squashed)

Fixes 4 Dependabot advisories (1 high, 2 medium, 1 low) in test, tooling/helmtest
and tooling/templatize. GHSA-fxhp-mv3v-67qp (CVE-2026-50163) has no patched
release and is tracked separately. make all-tidy + go build ./... pass.
Copilot AI review requested due to automatic review settings July 9, 2026 16:36
@openshift-ci openshift-ci Bot requested review from bennerv and geoberle July 9, 2026 16:36
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: raelga

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the indirect Go dependency oras.land/oras-go/v2 from v2.6.0 to v2.6.1 across the repo’s Go workspace modules that currently pull it in (test, tooling/helmtest, tooling/templatize), primarily to address multiple security advisories.

Changes:

  • Bump oras.land/oras-go/v2 to v2.6.1 (indirect) in the affected module go.mod files.
  • Regenerate corresponding go.sum entries via make all-tidy.

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tooling/templatize/go.mod Updates indirect oras.land/oras-go/v2 requirement to v2.6.1.
tooling/templatize/go.sum Updates oras.land/oras-go/v2 checksum entries for v2.6.1.
tooling/helmtest/go.mod Updates indirect oras.land/oras-go/v2 requirement to v2.6.1.
tooling/helmtest/go.sum Updates oras.land/oras-go/v2 checksum entries for v2.6.1.
test/go.mod Updates indirect oras.land/oras-go/v2 requirement to v2.6.1.
test/go.sum Updates oras.land/oras-go/v2 checksum entries for v2.6.1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants