Skip to content

build(deps): Bump opa to 1.18.2 and pin oras-go to patched 2.6.2#674

Merged
huang195 merged 1 commit into
kagenti:mainfrom
pdettori:build/bump-opa-oras-640
Jul 16, 2026
Merged

build(deps): Bump opa to 1.18.2 and pin oras-go to patched 2.6.2#674
huang195 merged 1 commit into
kagenti:mainfrom
pdettori:build/bump-opa-oras-640

Conversation

@pdettori

@pdettori pdettori commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

Bundles Dependabot's opa 1.4.2 → 1.18.2 bump (#640) with an explicit oras.land/oras-go/v2 v2.6.2 pin, so the bump can land without introducing a high-severity transitive vulnerability.

Dependency From To Note
github.com/open-policy-agent/opa 1.4.2 1.18.2 #640
oras.land/oras-go/v2 (indirect) 2.5.0 2.6.2 patched pin

Why the oras-go pin

opa 1.18.2 transitively pulls in oras.land/oras-go/v2@2.6.1, which carries GHSA-fxhp-mv3v-67qp (high) — a tar-extraction escape via a hardlink entry with a relative Linkname resolved against the process CWD. That is why #640's Dependency Review check failed (fail-on-severity: moderate).

Pinning oras-go to 2.6.2 (released 2026-07-10, the patched version) in authlib forces MVS to select the fixed version everywhere and clears the advisory.

Why bundle / tidy dependents

authbridge/cmd/* modules replace github.com/kagenti/kagenti-extensions/authbridge/authlib => ../../authlib. When only authlib is tidied, the dependent modules go stale and fail go vet at the Lint step (go: updates to go.mod needed; to update it: go mod tidy). This PR applies the bump in authlib and runs go mod tidy (GOWORK=off) in authlib, authbridge-envoy, authbridge-proxy, and abctl (the fourth replace consumer, kept in sync even though it is not CI-gated).

Verification (local, GOWORK=off)

  • go vet ./..., go build ./..., go test -race -cover ./... pass in authlib, authbridge-envoy, authbridge-proxy
  • proxy lite variant (exclude_plugin_* tags) builds and tests
  • abctl vets clean
  • oras-go resolves to 2.6.2 in all module go.mod/go.sum; no residual 2.5.0/2.6.1

Supersedes and closes #640.

Assisted-By: Claude Code

Summary by CodeRabbit

  • Chores
    • Updated internal dependencies across AuthBridge components, including policy, observability, protobuf, YAML, and serialization libraries.
    • Upgraded the WebAssembly runtime support to a newer major version.
    • Refreshed transitive dependencies and removed obsolete packages.
    • No user-facing API or configuration changes.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4b61fe9d-d508-4bc1-a885-add4b91955a0

📥 Commits

Reviewing files that changed from the base of the PR and between 10d1575 and ee2f0ee.

⛔ Files ignored due to path filters (4)
  • authbridge/authlib/go.sum is excluded by !**/*.sum
  • authbridge/cmd/abctl/go.sum is excluded by !**/*.sum
  • authbridge/cmd/authbridge-envoy/go.sum is excluded by !**/*.sum
  • authbridge/cmd/authbridge-proxy/go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • authbridge/authlib/go.mod
  • authbridge/cmd/abctl/go.mod
  • authbridge/cmd/authbridge-envoy/go.mod
  • authbridge/cmd/authbridge-proxy/go.mod

📝 Walkthrough

Walkthrough

Changes

AuthBridge’s four Go modules refresh dependency declarations. Authlib upgrades OPA to v1.18.2 and updates related transitive modules, while command modules align Wasmtime, OpenTelemetry, gRPC, protobuf, YAML, and other indirect dependencies.

AuthBridge dependency refresh

Layer / File(s) Summary
Authlib dependency refresh
authbridge/authlib/go.mod
OPA and genproto direct requirements are updated; indirect dependencies are reorganized and versions are refreshed, including Wasmtime, OpenTelemetry, ORAS, YAML, and time packages.
abctl dependency refresh
authbridge/cmd/abctl/go.mod
Indirect cryptography, JSON, JWX, platform, protobuf, and gRPC dependencies are updated, and Testify is removed.
Runtime module dependency refresh
authbridge/cmd/authbridge-envoy/go.mod, authbridge/cmd/authbridge-proxy/go.mod
Envoy and proxy dependencies switch Wasmtime to v44 and refresh OPA, telemetry, protobuf, YAML, and related indirect modules.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: huang195

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning OPA was upgraded, but the PR shows no code changes to handle OPA's changed User-Agent format from #640. Add the required consumer or filter updates, or tests, to accept the new Open-Policy-Agent/... User-Agent where needed.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise, specific, and accurately reflects the main dependency bump and oras-go pin.
Out of Scope Changes check ✅ Passed The changes are limited to dependency and tidy-driven go.mod updates, with no obvious unrelated code additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Bundles Dependabot's opa 1.4.2 -> 1.18.2 bump (kagenti#640) with an explicit
oras.land/oras-go/v2 v2.6.2 pin to avoid the high-severity transitive
advisory GHSA-fxhp-mv3v-67qp (oras-go tar hardlink extraction escape),
which opa 1.18.2 otherwise pulls in via oras-go 2.6.1 and which fails
the Dependency Review check (fail-on-severity: moderate).

Applies the bump in authlib and runs `go mod tidy` (GOWORK=off) in
authlib and every module that `replace`s it (authbridge-envoy,
authbridge-proxy, abctl) so their go.mod/go.sum stay in sync. Same
pattern as kagenti#673.

Verified locally (GOWORK=off): go vet, go build, and go test -race pass
in authlib/envoy/proxy; the proxy lite variant (exclude_plugin_* tags)
builds and tests; abctl vets clean. oras-go resolves to 2.6.2 in all
modules with no residual 2.5.0/2.6.1.

Supersedes and closes kagenti#640.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@pdettori pdettori force-pushed the build/bump-opa-oras-640 branch from 77e6ba7 to ee2f0ee Compare July 16, 2026 02:14

@huang195 huang195 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bellissimo — this is how a dependency bump should be plated. 🍝 I verified the whole dish:

  • GHSA-fxhp-mv3v-67qp (CVE-2026-50163, High / CVSS 7.1): confirmed it hits oras-go/v2 <= 2.6.1 — the tar-extraction hardlink escape via a relative Linkname resolved against the process CWD. Your root-cause write-up is spot on.
  • oras-go v2.6.2 (released 2026-07-10, PR #1232) is the patched release. Perfetto — and you're actually ahead of the GitHub advisory page, which still lists "Patched version: None."
  • The pin correctly jumps 2.5.0 → 2.6.2, overriding the 2.6.1 that opa 1.18.2 would otherwise drag in via MVS.
  • Version parity is consistent across all four modules (authlib, authbridge-envoy, authbridge-proxy, abctl): opa v1.18.2 and oras-go v2.6.2 everywhere, identical h1: hashes, zero residual 2.5.0 / 2.6.1.
  • Dependency Review + all Go CI (-race -cover) green.

One small note, no change needed: abctl isn't CI-gated, so its manifests ride on your local go vet (which you flagged and ran). Might be worth wiring it into the Lint matrix someday so it can't silently drift. Otherwise — mamma mia, this is clean. 👨‍🍳

Assisted-By: Claude Code

@huang195 huang195 merged commit f8a34c7 into kagenti:main Jul 16, 2026
20 checks passed
@github-project-automation github-project-automation Bot moved this from New/ToDo to Done in Kagenti Issue Prioritization Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

3 participants