Skip to content

🌱 Update Golang Dependencies group to v0.45.0 [SECURITY] #1720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
syself-bot wants to merge 32 commits into
base: main
Choose a base branch
from
Open

🌱 Update Golang Dependencies group to v0.45.0 [SECURITY] #1720

syself-bot wants to merge 32 commits into from

Conversation

@syself-bot
Copy link
Contributor

@syself-bot syself-bot bot commented Nov 20, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
golang.org/x/crypto v0.40.0 -> v0.45.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

guettli and others added 30 commits July 31, 2025 20:29
@guettli
🌱 Update Go to 1.24.5. (#1641)
8632a84
@guettli
🌱 Refactor statusFromHCloudServer (#1649)
bc37725
@guettli
🌱 Remove unused function HCloudMachineSpec() (#1648)
fe1e6be 
🌱 Remove unused function.
@guettli
🌱 Avoid warning: Waited for due to client-side throttling, (#1652)
8db141b 
> I0829 08:31:00.251753   17515 request.go:697]
> Waited for 1.993332996s due to client-side
> throttling, not priority and fairness, request:
> GET:https://127.0.0.1:39499/apis/cluster.x-k8s.io/v1beta1/machines

This warnings is repeated again and again in the output of e2e tests.

We use current api-servers, no need for client-side throttling.
@guettli
🌱 Use errors.Join(reterr, err) to handle two errors. (#1653)
e663e5e 
🌱 Use errors.Join(reterr, err) to handle both errors.
@batistein
🌱 Updating the Readme (#1657)
4de62ab
@goodlime @guettli
🐛 Update metadata.yaml to include kind property (#1654)
67a49a8 
Update metadata.yaml

Add kind property

Co-authored-by: Thomas Güttler <[email protected]>
@guettli
🌱 Deprecate (ssh) PortAfterCloudInit. (#1670)
d750d27 
* 🌱 Deprecate (ssh) PortAfterCloudInit.

Since [PR Install Cloud-Init-Data via post-install.sh #1407](#1407) this field is not functional.

The additional reboot after InstallImage was removed.

The ssh port after InstallImage is the port which gets used.
@guettli
🌱 Update hack dir (#1668)
8d80956 
Update output-for-watch.sh and tail-controller-logs.sh: support caph running
in a different namespace (not fix to capi-system).

update-operator-dev-deployment.sh: Be sure to not update the cluster, if
connected via oidc (avoid accidentally changing a non-test system)
@guettli
🌱 e2e tests: Log conditions of wl-cluster. (#1672)
ebe949b
@guettli
🌱 avoid unhealthy conditions when cluster starts. (#1675)
93e385e 
* 🌱 avoid unhealthy conditions when cluster starts.

Closes #1674
@guettli
🌱 Make concurrent execution of make test-unit possible. (#1678)
dbf908c
@guettli @Dhairya-Arora01
🌱 Refactor Hcloud Provisioning, use Status.BootState (#1650)
a53c6da 
Co-authored-by: Dhairya Arora <[email protected]>
@guettli
🌱 add make verify-generated-files. Update controller-gen to v1.18 (#…
8852aed 
…1676)
@guettli
✨ Update controller runtime and cluster-api to the newest version (CA…
95c1b7f 
…PI 1.10) (#1628)
@Deepam02
🌱 Remove unused method ClientConfigWithAPIEndpoint #1687 (#1688)
220b813 
Remove unused method ClientConfigWithAPIEndpoint #1687
@guettli
🌱 When Robot API reaches a timeout, retry later. (#1639)
cdc0983
@guettli
🌱 Avoid panic if hetznercluster.spec.controlPlaneEndpoint is not set (#…
2507017 
…1684)
@guettli
🌱 Hcloud: Provision hcloud machines with custom command (instead of S…
8ab0b5e 
…napshots) (#1647)
@guettli
🌱 Add --baremetal-ssh-after-install-image=false to controller (#1686)
e18620f
@guettli
🌱 Provision baremetal via --baremetal-image-url-command (#1679)
0f77fe3
@guettli
🌱 Mark test as flaky (#1691)
4bc8057 
> [It] should take over an existing load balancer with correct name
@guettli
🌱 HCloudMachineType: allow all values. (#1693)
c3b5748 
* 🌱 HCloudMachineType: allow all values.

The list of valid machine types gets changed by
Hetzner from time to time. CAPH no longer
validates this string. It is up to you to use a
valid type. Not all types are available in all
locations.

Additionally Remediation was fixed if providerID was nil.
@guettli
🌱 Tiny change, better error message if reboot times out. (#1698)
ba8c768
@guettli
🌱 Mark test as flaky (#1707)
ae68154 
> It("checks that no remediation is tried if HCloud server does not exist anymore
@s04 @guettli
🌱 Fix clusterctl installation semver get failure (version bump fix) (#…
5885311 
…1700)

Bump clusterctl version

Co-authored-by: don <[email protected]>
Co-authored-by: Thomas Güttler <[email protected]>
@guettli
📖 Improved code comments in host.go (#1712)
cafb6b8
@guettli
🌱 update-operator-dev-deployment.sh: Fail if background job fails. (#…
bd6d67a 
…1713)
@guettli
🌱 Do not update dev deployment, when capi-operator is running. (#1714)
08d3b8b
@guettli
🌱 Use strict schema validation (#1711)
e55c90a
guettli and others added 2 commits November 20, 2025 10:25
@guettli
🌱 Add progress=plain to docker build. (#1718)
1829579 
Otherwise error messages from a second process
running in the background are not visible.
@syself-bot
🌱 Update Golang Dependencies group to v0.45.0 [SECURITY]
49c739e 
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.40.0 | v0.45.0 |
@syself-bot
Copy link
Contributor Author

syself-bot bot commented Nov 20, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 7 additional dependencies were updated

Details:

Package Change
golang.org/x/mod v0.26.0 -> v0.29.0
golang.org/x/net v0.42.0 -> v0.47.0
golang.org/x/sync v0.16.0 -> v0.18.0
golang.org/x/sys v0.34.0 -> v0.38.0
golang.org/x/term v0.33.0 -> v0.37.0
golang.org/x/text v0.27.0 -> v0.31.0
golang.org/x/tools v0.35.0 -> v0.38.0

@syself-bot
Copy link
Contributor Author

syself-bot bot commented Dec 5, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type/minor update/go

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@guettli @batistein @goodlime @Deepam02 @s04