build(deps): Bump opa to 1.18.2 and pin oras-go to patched 2.6.2#674
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (4)
📒 Files selected for processing (4)
📝 WalkthroughWalkthroughChangesAuthBridge’s four Go modules refresh dependency declarations. Authlib upgrades OPA to v1.18.2 and updates related transitive modules, while command modules align Wasmtime, OpenTelemetry, gRPC, protobuf, YAML, and other indirect dependencies. AuthBridge dependency refresh
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies" Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Bundles Dependabot's opa 1.4.2 -> 1.18.2 bump (kagenti#640) with an explicit oras.land/oras-go/v2 v2.6.2 pin to avoid the high-severity transitive advisory GHSA-fxhp-mv3v-67qp (oras-go tar hardlink extraction escape), which opa 1.18.2 otherwise pulls in via oras-go 2.6.1 and which fails the Dependency Review check (fail-on-severity: moderate). Applies the bump in authlib and runs `go mod tidy` (GOWORK=off) in authlib and every module that `replace`s it (authbridge-envoy, authbridge-proxy, abctl) so their go.mod/go.sum stay in sync. Same pattern as kagenti#673. Verified locally (GOWORK=off): go vet, go build, and go test -race pass in authlib/envoy/proxy; the proxy lite variant (exclude_plugin_* tags) builds and tests; abctl vets clean. oras-go resolves to 2.6.2 in all modules with no residual 2.5.0/2.6.1. Supersedes and closes kagenti#640. Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
77e6ba7 to
ee2f0ee
Compare
huang195
left a comment
There was a problem hiding this comment.
Bellissimo — this is how a dependency bump should be plated. 🍝 I verified the whole dish:
- GHSA-fxhp-mv3v-67qp (CVE-2026-50163, High / CVSS 7.1): confirmed it hits
oras-go/v2 <= 2.6.1— the tar-extraction hardlink escape via a relativeLinknameresolved against the process CWD. Your root-cause write-up is spot on. - oras-go v2.6.2 (released 2026-07-10, PR #1232) is the patched release. Perfetto — and you're actually ahead of the GitHub advisory page, which still lists "Patched version: None."
- The pin correctly jumps
2.5.0 → 2.6.2, overriding the2.6.1that opa 1.18.2 would otherwise drag in via MVS. - Version parity is consistent across all four modules (
authlib,authbridge-envoy,authbridge-proxy,abctl): opav1.18.2and oras-gov2.6.2everywhere, identicalh1:hashes, zero residual2.5.0/2.6.1. - Dependency Review + all Go CI (
-race -cover) green.
One small note, no change needed: abctl isn't CI-gated, so its manifests ride on your local go vet (which you flagged and ran). Might be worth wiring it into the Lint matrix someday so it can't silently drift. Otherwise — mamma mia, this is clean. 👨🍳
Assisted-By: Claude Code
Summary
Bundles Dependabot's opa
1.4.2 → 1.18.2bump (#640) with an explicitoras.land/oras-go/v2 v2.6.2pin, so the bump can land without introducing a high-severity transitive vulnerability.Why the oras-go pin
opa
1.18.2transitively pulls inoras.land/oras-go/v2@2.6.1, which carries GHSA-fxhp-mv3v-67qp (high) — a tar-extraction escape via a hardlink entry with a relativeLinknameresolved against the process CWD. That is why #640's Dependency Review check failed (fail-on-severity: moderate).Pinning
oras-goto2.6.2(released 2026-07-10, the patched version) inauthlibforces MVS to select the fixed version everywhere and clears the advisory.Why bundle / tidy dependents
authbridge/cmd/*modulesreplace github.com/kagenti/kagenti-extensions/authbridge/authlib => ../../authlib. When onlyauthlibis tidied, the dependent modules go stale and failgo vetat the Lint step (go: updates to go.mod needed; to update it: go mod tidy). This PR applies the bump inauthliband runsgo mod tidy(GOWORK=off) inauthlib,authbridge-envoy,authbridge-proxy, andabctl(the fourthreplaceconsumer, kept in sync even though it is not CI-gated).Verification (local,
GOWORK=off)go vet ./...,go build ./...,go test -race -cover ./...pass inauthlib,authbridge-envoy,authbridge-proxyexclude_plugin_*tags) builds and testsabctlvets cleanoras-goresolves to2.6.2in all modulego.mod/go.sum; no residual2.5.0/2.6.1Supersedes and closes #640.
Assisted-By: Claude Code
Summary by CodeRabbit