chore(deps): bump k8s.io/client-go from 0.34.1 to 0.36.1 in the k8s-libs group across 1 directory#122
Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting `@dependabot rebase`.
@dependabot rebase

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request
@dependabot rebase

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request
Up to standards ✅🟢

| Metric | Results |
|---|---|
| Duplication | 0 |
@dependabot rebase

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request

@dependabot recreate
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml.
❌ The last analysis has failed.
ℹ️ Recent review info (configuration used: defaults; review profile: CHILL; plan: Pro Plus)

⛔ Files ignored due to path filters (1); 📒 files selected for processing (1).

📝 Walkthrough: Go toolchain version is updated to 1.26.0. Changes: direct dependencies, dependency upgrades.

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes.

🚥 Pre-merge checks: ✅ 5 passed.
Bumps the k8s-libs group with 1 update in the / directory: [k8s.io/client-go](https://github.com/kubernetes/client-go).

Updates `k8s.io/client-go` from 0.34.1 to 0.36.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.34.1...v0.36.1)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-version: 0.34.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-libs
...

Signed-off-by: dependabot[bot] <support@github.com>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 162: The go.mod contains pseudo-versions with future timestamps (e.g.,
google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af) which breaks
reproducibility; fix by ensuring your system clock is correct, clearing the
module cache (go clean -modcache), re-resolving dependencies (go mod tidy / go
get ./...), and confirming the pseudo-versions are replaced with valid released
tags; if future-dated pseudo-versions persist for google.golang.org/protobuf or
the other entries referenced, explicitly pin those modules to a known-good
released tag or add a replace directive to a vetted commit/tag before committing
the updated go.mod and go.sum.
- Line 122: go.mod currently pins the vulnerable indirect module
github.com/quic-go/quic-go v0.54.0 (pulled via github.com/quic-go/quic-go/http3
used by github.com/gin-gonic/gin and kubeservice metrics); update the dependency
to a patched release (e.g., v0.58.x–v0.60.0) by running go get
github.com/quic-go/quic-go@v0.60.0 (or the latest safe tag), then run go mod
tidy and rebuild to ensure the http3 consumer path
(github.com/quic-go/quic-go/http3) is updated and the indirect entry in go.mod
reflects the new version; verify with go mod graph or go list -m all and
add/update any transitive constraints if needed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 15cf1457-3738-4a9d-a6a3-a91b61b3bbd9
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
go.mod
Caution
Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.
🛑 Comments failed to post (2)
go.mod (2)
Line 122:
⚠️ Potential issue | 🟠 Major | 🧩 Analysis chain
🏁 Script executed (repository: kubeservice-stack/common):

```bash
#!/bin/bash
# Identify which direct dependency requires quic-go
go mod why github.com/quic-go/quic-go
# Check for newer versions with fixes
go list -m -versions github.com/quic-go/quic-go | tr ' ' '\n' | tail -5
```
Address HIGH severity vulnerabilities in github.com/quic-go/quic-go v0.54.0 (indirect).

go.mod pins github.com/quic-go/quic-go v0.54.0 as `// indirect`. `go mod why` shows it's pulled in via github.com/quic-go/quic-go/http3, which is required by github.com/gin-gonic/gin (and github.com/kubeservice-stack/common/pkg/metrics). Static analysis flags HIGH issues in this version (panic / HTTP/3 QPACK expansion DoS / memory exhaustion), so upgrade github.com/quic-go/quic-go to a patched release (newer versions exist, e.g., v0.58.x–v0.60.0) and ensure the http3 dependency path updates accordingly.

🧰 Tools
🪛 OSV Scanner (2.3.8)
- [HIGH] 122-122: github.com/quic-go/quic-go 0.54.0: Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go (GO-2025-4017)
- [HIGH] 122-122: github.com/quic-go/quic-go 0.54.0: HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go (GO-2025-4233)
- [HIGH] 122-122: github.com/quic-go/quic-go 0.54.0: quic-go: Panic occurs when queuing undecryptable packets after handshake completion (GHSA-47m2-4cr7-mhcw)
- [HIGH] 122-122: github.com/quic-go/quic-go 0.54.0: quic-go HTTP/3 QPACK Header Expansion DoS (GHSA-g754-hx8w-x2g6)
- [HIGH] 122-122: github.com/quic-go/quic-go 0.54.0: quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion (GHSA-vvgj-x9jq-8cj9)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 122, go.mod currently pins the vulnerable indirect module github.com/quic-go/quic-go v0.54.0 (pulled via github.com/quic-go/quic-go/http3 used by github.com/gin-gonic/gin and kubeservice metrics); update the dependency to a patched release (e.g., v0.58.x–v0.60.0) by running go get github.com/quic-go/quic-go@v0.60.0 (or the latest safe tag), then run go mod tidy and rebuild to ensure the http3 consumer path (github.com/quic-go/quic-go/http3) is updated and the indirect entry in go.mod reflects the new version; verify with go mod graph or go list -m all and add/update any transitive constraints if needed.
Source: Linters/SAST tools
Line 162:
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Pseudo-versions contain future timestamps.
Lines 162 and 165 reference pseudo-versions with dates in 2026 (January 20, 2026 and February 10, 2026), which are in the future relative to the PR creation date (2025-11-18). Pseudo-versions encode commit timestamps, so future dates indicate either an incorrect system clock during dependency resolution, upstream commits with manipulated timestamps, or a corrupted module cache.
Impact: This can lead to non-reproducible builds, supply-chain integrity issues, and potential dependency confusion attacks.
🔍 Verification steps

Re-run dependency resolution with a verified correct system clock:

```bash
#!/bin/bash
# Check current system time
date
# Clear module cache and re-resolve dependencies
go clean -modcache
go mod tidy
# Verify no future-dated pseudo-versions remain
rg '202[6-9][0-9]{4}' go.mod
```

Also applies to: 165-165
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 162, the go.mod contains pseudo-versions with future timestamps (e.g., google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af) which breaks reproducibility; fix by ensuring your system clock is correct, clearing the module cache (go clean -modcache), re-resolving dependencies (go mod tidy / go get ./...), and confirming the pseudo-versions are replaced with valid released tags; if future-dated pseudo-versions persist for google.golang.org/protobuf or the other entries referenced, explicitly pin those modules to a known-good released tag or add a replace directive to a vetted commit/tag before committing the updated go.mod and go.sum.
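One way to automate the timestamp check the review describes, as an added example that is not code from the PR, the CodeRabbit review, or the project: it parses the require entries of a go.mod, decodes the commit timestamp a pseudo-version encodes, and flags any that lie after a reference date. `SampleGoMod` is a constructed fragment (the protobuf line is the pseudo-version quoted above; the other two lines are made up), and `RefDate` is the PR creation date the review cites.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
	"time"
)

// pseudoTS matches the trailing "yyyymmddhhmmss-abcdef123456" of a Go pseudo-version
// (vX.Y.Z-ts-hash, vX.Y.Z-0.ts-hash and vX.Y.Z-pre.0.ts-hash all end this way).
var pseudoTS = regexp.MustCompile(`(?:^|[.-])(\d{14})-[0-9a-f]{12}$`)

// Finding is one pseudo-version whose encoded commit time is later than the reference date.
type Finding struct {
	Module  string
	Version string
	Commit  time.Time
}

// FutureDatedPseudoVersions scans go.mod text line by line. A require entry is
// "<module path> <version>" optionally followed by "// indirect"; released tags are
// skipped and pseudo-versions are flagged when their timestamp is after ref.
func FutureDatedPseudoVersions(goMod string, ref time.Time) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "v") {
			continue // "module", "go", "require (", ")" and comment lines
		}
		m := pseudoTS.FindStringSubmatch(fields[1])
		if m == nil {
			continue // released tag such as v0.54.0
		}
		ts, err := time.Parse("20060102150405", m[1]) // pseudo-version timestamps are UTC
		if err == nil && ts.After(ref) {
			out = append(out, Finding{Module: fields[0], Version: fields[1], Commit: ts})
		}
	}
	return out
}

// SampleGoMod is a constructed fragment: the protobuf line is the pseudo-version quoted in
// the review; the other two lines are made up (a released tag and a past-dated pseudo-version).
const SampleGoMod = `require (
	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
	github.com/quic-go/quic-go v0.54.0 // indirect
	example.com/some/module v0.0.0-20250101120000-0123456789ab
)`

// RefDate is the PR creation date cited by the review.
var RefDate = time.Date(2025, 11, 18, 0, 0, 0, 0, time.UTC)
```

Running it against a real go.mod (read the file into the string) reproduces the `rg '202[6-9]...'` check above but also catches future timestamps that a pure year regex would miss, such as a commit dated later in the current year.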



Bumps the k8s-libs group with 1 update in the / directory: k8s.io/client-go.

Updates `k8s.io/client-go` from 0.34.1 to 0.36.1

Commits
- 55ef15a Update dependencies to v0.36.1 tag
- f22a53e Merge remote-tracking branch 'origin/master' into release-1.36
- a948641 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
- 7e44ffc Add Workload-Aware Preemption fields to Workload and PodGroup APIs
- df2d882 Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
- 4eece52 Workload API: PodGroup ResourceClaims (KEP-5729)
- 3d35c51 Merge pull request #137190 from everpeace/KEP-5491-alpha
- 0434117 Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
- ba785be Drop CSR analogy, mark ObjectMeta +required, reduce limits (maxItems=500, maxL...
- 4a9c878 Add ResourcePoolStatusRequest API types and generated code