
Commit e8195a6

committed
fix(security): remediate CVE vulnerabilities
- Update Go version to 1.25.8 (fixes CVE-2026-25679, CVE-2026-27142, CVE-2026-27139) - Update google.golang.org/grpc to v1.79.3 (fixes GHSA-p77j-4mvh-x3m3) - Update CI workflow Go version to 1.25.8 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
1 parent 487c7d7 commit e8195a6

3 files changed

Lines changed: 81 additions & 68 deletions


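--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ on:
 workflow_dispatch: {}
 
 env:
-GO_VERSION: "1.24"
+GO_VERSION: "1.25.8"
 
 jobs:
 detect-noop: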
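Review bot: `GO_VERSION` moves from the floating minor `"1.24"` to the exact patch `"1.25.8"`, and nothing at the `env:` entry records that this pin now has to be bumped by hand for every later Go security release. The same version is repeated in the `go` directive of go.mod in this commit, so the two values can drift apart on the next update. If the workflow step that consumes `GO_VERSION` (outside this hunk) resolves version ranges, `"1.25"` would presumably keep picking up patch releases with go.mod's `go 1.25.8` as the floor; if the exact pin is intended for reproducibility, a comment such as `# Exact patch pin: bump together with the go directive in go.mod on each Go security release` above the entry would make that explicit.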

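--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/upbound/provider-opentofu
 
 tool golang.org/x/tools/cmd/goimports
 
-go 1.24.13
+go 1.25.8
 
 require (
 github.com/MakeNowJust/heredoc v1.0.0
@@ -25,7 +25,7 @@ require (
 
 require (
 cloud.google.com/go v0.112.0 // indirect
-cloud.google.com/go/compute/metadata v0.5.0 // indirect
+cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.1.5 // indirect
 cloud.google.com/go/storage v1.36.0 // indirect
 dario.cat/mergo v1.0.1 // indirect
@@ -44,7 +44,7 @@ require (
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-github.com/go-logr/logr v1.4.2 // indirect
+github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-logr/zapr v1.3.0 // indirect
 github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -83,33 +83,33 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
 go.opencensus.io v0.24.0 // indirect
-go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-go.opentelemetry.io/otel v1.33.0 // indirect
-go.opentelemetry.io/otel/metric v1.33.0 // indirect
-go.opentelemetry.io/otel/trace v1.33.0 // indirect
+go.opentelemetry.io/otel v1.39.0 // indirect
+go.opentelemetry.io/otel/metric v1.39.0 // indirect
+go.opentelemetry.io/otel/trace v1.39.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
-golang.org/x/crypto v0.45.0 // indirect
+golang.org/x/crypto v0.46.0 // indirect
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-golang.org/x/mod v0.29.0 // indirect
-golang.org/x/net v0.47.0 // indirect
-golang.org/x/oauth2 v0.27.0 // indirect
-golang.org/x/sync v0.18.0 // indirect
-golang.org/x/sys v0.38.0 // indirect
-golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
-golang.org/x/term v0.37.0 // indirect
-golang.org/x/text v0.31.0 // indirect
+golang.org/x/mod v0.30.0 // indirect
+golang.org/x/net v0.48.0 // indirect
+golang.org/x/oauth2 v0.34.0 // indirect
+golang.org/x/sync v0.19.0 // indirect
+golang.org/x/sys v0.39.0 // indirect
+golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54 // indirect
+golang.org/x/term v0.38.0 // indirect
+golang.org/x/text v0.32.0 // indirect
 golang.org/x/time v0.9.0 // indirect
-golang.org/x/tools v0.38.0 // indirect
+golang.org/x/tools v0.39.0 // indirect
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/api v0.155.0 // indirect
 google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
-google.golang.org/grpc v1.68.1 // indirect
-google.golang.org/protobuf v1.36.5 // indirect
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+google.golang.org/grpc v1.79.3 // indirect
+google.golang.org/protobuf v1.36.10 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect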
