fix: vuln 0512 #28
Merged
- bump google.golang.org/grpc v1.58.3 -> v1.79.3 (fixes Critical CVE-2026-33186)
- switch .build/build.yaml tool-image from devops/builder-go:latest to devops/github/builder-go:latest (Go 1.26.3, fixes stdlib CVEs incl. CVE-2025-68121)
- go mod tidy + go mod vendor (regenerated vendor tree)

Part of v3.20.10 vuln-fix sweep for knative-operator-bundle.
lentil1016 approved these changes on May 12, 2026
chengjingtao pushed a commit that referenced this pull request on May 13, 2026:
Mirrors hack/patches/006-conversion-webhook.patch and 007-conversion-reconciler.patch from PR #25 so the cert-rotation reconciler's USE_OLM_TLS guard also survives `go mod vendor` runs.

The reason PR #25's vendor edits disappeared after the vuln-0512 sweep was that nobody ran `make update-deps` (= `git apply hack/patches/*.patch`) after the vendor regeneration. Adding 008 alongside its sibling patches keeps the recovery mechanical: `go mod vendor && make update-deps` reproduces the working tree.

Without this file, a future vendor regeneration would silently revert this PR's fix the same way PR #28 reverted PR #25's.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
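A CI guard for the failure mode that commit describes, added here as an example and not code from the repository or the PR: it classifies each patch under a hack/patches-style directory as applied, missing or conflicting against the vendor tree using only `git apply --check`, so a `go mod vendor` run that dropped a vendored fix fails the build instead of going unnoticed. It assumes only `git` on PATH; the repository and patch paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the repository or the PR: classify every
# *.patch in a patches directory against a checkout so CI fails when a
# `go mod vendor` run has silently dropped a vendored fix.
# Assumes only `git` on PATH; the repo and patch paths are hypothetical.

# patch_state PATCH_FILE [REPO_DIR]
# Prints one of:
#   applied  - the patch applies cleanly in reverse, so the fix is present
#   missing  - the patch applies cleanly forward, so the tree lost the fix
#              (the state a vendor regeneration leaves behind)
#   conflict - neither direction applies; upstream changed under the patch
#              and it needs rebasing before `make update-deps` can work
patch_state() {
  # git -C changes directory first, so resolve the patch to an absolute path
  patch_abs=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
  repo=${2:-.}
  if git -C "$repo" apply --check --reverse "$patch_abs" 2>/dev/null; then
    echo applied
  elif git -C "$repo" apply --check "$patch_abs" 2>/dev/null; then
    echo missing
  else
    echo conflict
  fi
}

# check_patches REPO_DIR PATCHES_DIR
# One line per patch; returns 0 only when every patch is already applied.
check_patches() {
  rc=0
  for p in "$2"/*.patch; do
    [ -e "$p" ] || continue        # no patches: nothing to verify
    state=$(patch_state "$p" "$1")
    printf '%-8s %s\n' "$state" "$(basename "$p")"
    [ "$state" = applied ] || rc=1
  done
  return $rc
}

# Typical CI use, right after `go mod vendor` and before committing:
#   check_patches . hack/patches || { echo 'run: make update-deps'; exit 1; }
```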
Summary

- google.golang.org/grpc v1.58.3 → v1.79.3 (fixes Critical CVE-2026-33186)
- .build/build.yaml tool-image from devops/builder-go:latest (Go 1.25.7) to devops/github/builder-go:latest (Go 1.26.3, fixes 15 stdlib CVEs incl. Critical CVE-2025-68121)
- go mod tidy + go mod vendor (regenerated vendor tree, ~314 files)

Why

Bundle redline-static-scan on knative-operator-bundle:v3.20.9 flagged:

The eventing repo already uses the /github/ mirror via PR #13. Operator was missed in that pass.

Notes

Part of v3.20.10 vuln-fix sweep for knative-operator-bundle. Companion PRs: