
chore(deps): upgrade vulnerable dependencies and fix MySQL reserved-word query #2601

Merged
yangkaa merged 2 commits into goodrain:staging/console-optimize from yangkaa:chore/security-dep-upgrades on Jun 13, 2026

Conversation

@yangkaa yangkaa commented Jun 12, 2026

Collaborator

Summary

1. Security dependency upgrades (govulncheck-driven)

govulncheck ./... reported 34 reachable vulnerabilities. This PR upgrades the 7 low-risk modules that resolve 20+ of them:

| Module | From | To | Notable fixes |
| --- | --- | --- | --- |
| golang.org/x/crypto | v0.49.0 | v0.52.0 | SSH auth bypass (GO-2026-5021), server panic, DoS |
| golang.org/x/net | v0.52.0 | v0.55.0 | HTTP/2 infinite loop (GO-2026-4918) |
| github.com/go-git/go-git/v5 | v5.16.0 | v5.17.1 | malicious repo memory exhaustion / panic |
| helm.sh/helm/v3 | v3.16.0 | v3.18.5 | chart code injection (GO-2025-3802), OOM |
| github.com/moby/spdystream | v0.4.0 | v0.5.1 | SPDY frame resource exhaustion |
| github.com/compose-spec/compose-go/v2 | v2.1.0 | v2.4.1 | compose file resource exhaustion |
| github.com/cloudflare/circl | v1.6.1 | v1.6.3 | secp384r1 CombinedMult miscalculation |

go-git and helm directly process user-controlled input (source builds, helm app installs), so these are real exposure paths. k8s.io modules remain pinned to v0.31.0 via existing replace directives; helm v3.18.5 compiles cleanly against them.

2. Fix MySQL 8 reserved-word error in CNB version retirement

retireMissingSystemCNBVersions used an unquoted system column in its where clause. system is a reserved word since MySQL 8.0.3, so every startup language-version sync logged:

Error 1064 (42000): ... near 'system = ?'

The clause is now built via scope.Quote, matching the existing deduplication order clauses. Covered by a managed regression test (rainbond.db.retire_system_cnb_where_quotes_reserved_column).

Test plan

  • go build ./... / go vet ./... clean
  • go test ./db/mysql/... and builder package tests pass
  • test manifest validation passes
  • Deployed rbd-api / rbd-chaos / rbd-worker images with the dependency upgrades to a live Rainbond cluster: all components Running with no errors, /v2/health healthy
  • Live verification: rbd-api/chaos/worker images built from this branch deployed to a live Rainbond cluster — MySQL 1064 error gone ("successfully updated language versions"), all components Running, /v2/health healthy
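The reserved-word fix in this PR comes down to one rule: identifiers that are pasted into SQL must always go through the dialect's quoting helper, so a column name that happens to be a keyword (here `system`, reserved since MySQL 8.0.3) cannot break the statement. The following is an added, stand-alone Go example written for this page; it is not Rainbond's code and does not use GORM. It assumes that a dialect-aware helper such as `scope.Quote` emits backtick-quoted identifiers for MySQL (the `QuoteIdent` function below does the same by hand), and the reserved-word list is a constructed subset used only for the `IsReservedWord` check. It builds the fragile unquoted predicate beside the quoted one, and adds a small check that flags the columns that would trigger error 1064 when left bare, the kind of assertion a regression test like the one described above can carry.

```go
package main

import (
	"fmt"
	"strings"
)

// mysqlReserved is a constructed subset of MySQL 8 reserved words for this
// example; SYSTEM became reserved in 8.0.3. It is not the full list.
var mysqlReserved = map[string]bool{
	"SYSTEM": true, "ORDER": true, "SELECT": true, "WHERE": true, "GROUP": true,
	"KEY": true, "RANK": true, "ROW": true, "ROWS": true, "LATERAL": true,
}

// IsReservedWord reports whether a bare identifier collides with a reserved
// word. MySQL keywords are case-insensitive, so compare in upper case.
func IsReservedWord(ident string) bool {
	return mysqlReserved[strings.ToUpper(ident)]
}

// QuoteIdent quotes an identifier the MySQL way: wrap it in backticks and
// double any embedded backtick. A dialect-aware helper such as GORM's
// scope.Quote is assumed to do the equivalent for the MySQL dialect.
func QuoteIdent(ident string) string {
	return "`" + strings.ReplaceAll(ident, "`", "``") + "`"
}

// BareWhere builds the fragile form: column names pasted in unquoted. This is
// the shape that fails with error 1064 once a column is named after a
// reserved word.
func BareWhere(columns []string) string {
	parts := make([]string, 0, len(columns))
	for _, c := range columns {
		parts = append(parts, c+" = ?")
	}
	return strings.Join(parts, " AND ")
}

// QuotedWhere builds the same predicate with every identifier quoted. Values
// stay as ? placeholders so the driver binds them; quoting only ever applies
// to identifiers, never to data.
func QuotedWhere(columns []string) string {
	parts := make([]string, 0, len(columns))
	for _, c := range columns {
		parts = append(parts, QuoteIdent(c)+" = ?")
	}
	return strings.Join(parts, " AND ")
}

// ReservedColumns returns the columns that would break BareWhere. Running it
// over a model's column list is a cheap guard to keep next to a regression
// test for the quoted clause.
func ReservedColumns(columns []string) []string {
	var hits []string
	for _, c := range columns {
		if IsReservedWord(c) {
			hits = append(hits, c)
		}
	}
	return hits
}

func main() {
	// Constructed column list for the predicate; "system" is the column that
	// produced the 1064 error described in the PR.
	cols := []string{"lang", "system"}
	fmt.Println("bare:     WHERE", BareWhere(cols))
	fmt.Println("quoted:   WHERE", QuotedWhere(cols))
	fmt.Println("reserved:", ReservedColumns(cols))
}
```

Note that quoting solves only the identifier side of the statement: the `?` placeholders remain so that the driver binds values and the clause never interpolates data into SQL text. Quoting every identifier unconditionally, rather than only the ones known to be keywords today, is what keeps the clause stable across MySQL upgrades that add new reserved words.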

@yangkaa yangkaa changed the base branch from v6.9.1-dev to staging/console-optimize June 13, 2026 00:05
yangkaa added 2 commits June 13, 2026 08:06

Upgrade x/crypto v0.49.0->v0.52.0, x/net v0.52.0->v0.55.0,
go-git/v5 v5.16.0->v5.17.1, helm/v3 v3.16.0->v3.18.5,
moby/spdystream v0.4.0->v0.5.1, compose-go/v2 v2.1.0->v2.4.1,
cloudflare/circl v1.6.1->v1.6.3.

Fixes 20+ reachable vulnerabilities including SSH auth bypass,
malicious git repository memory exhaustion, and helm chart code
injection. k8s.io modules remain pinned to v0.31.0 via replace.

MySQL 8 treats system as a reserved word, so the unquoted column in
retireMissingSystemCNBVersions raised error 1064 on every startup
language-version sync. Build the where clause via scope.Quote like the
existing deduplication order clauses.

@yangkaa yangkaa force-pushed the chore/security-dep-upgrades branch from e6fe64f to c3d9978 June 13, 2026 00:08
@yangkaa yangkaa merged commit 6e0199f into goodrain:staging/console-optimize Jun 13, 2026
14 of 15 checks passed