fix(ops-10179): Phase 1 CVE/deps migration#28

Merged

pascal-blokur merged 1 commit into master from fix/ops-10179_cves on Jun 3, 2026

Conversation

@pascal-blokur

Contributor

OPS-10179 — Phase 1 (scriptable) CVE/dependency migration

Wave-1 lib (12 dependents); depends on testament (now v1.0.0). Module harego/v2.

Audit CVEs cleared (cross-referenced with the MRI audit)

| Audit CVE | Package | Status |
|---|---|---|
| CVE-2026-33186 (GHSA-m425-mq94-257g) | google.golang.org/grpc | ✅ → 1.81.1 (fix 1.79.3) |
| CVE-2026-34040 / 41567 / 42306 (Moby) | github.com/docker/docker | docker/docker removed — swapped to moby/moby/api |
| CVE-2026-29181 | go.opentelemetry.io/otel | ✅ → 1.44.0 (fix 1.41.0) |
| GO-2026-5024 | golang.org/x/sys | ✅ → 0.45.0 |

govulncheck -scan module after: No vulnerabilities found. No audit CVEs left for this repo.

Changes

  • go.mod: go 1.26.4; testament v1.0.0; deps to latest-within-major (grpc 1.75→1.81.1, otel 1.38→1.44, x/crypto→0.52, x/net→0.54, x/sys→0.45, testcontainers 0.38→0.42, logrus→1.9.4).
  • docker/docker → moby/moby: helper_test.go now imports github.com/moby/moby/api/types/container (matches testcontainers v0.42's API); go mod tidy then drops github.com/docker/docker entirely.
  • golangci-lint (v2): excluded modernize/wsl_v5 in _test.go (pre-existing style, no test-logic rewrite); fixed one gocritic deprecatedComment + gci import order.
  • CI (new pattern): setup-go uses go-version-file: "go.mod"; govulncheck via go run golang.org/x/vuln/cmd/govulncheck@latest ./... (dropped govulncheck-action); added private-module access; removed the redundant audit job.

Verify (local)

make ci_tests (race) ✅ · go vet -tags=integration ./... ✅ · golangci-lint run ✅ (0 issues) · govulncheck ./...

Deferred to Phase 2

AWS SDK v2, grpc/protobuf API swap, context plumbing.

🤖 Generated with Claude Code

Scriptable dependency & tooling refresh.

- go.mod: go 1.26.4; testament -> v1.0.0; `go get -u` to latest within
  current major (grpc 1.75->1.81.1, otel 1.38->1.44, x/crypto ->0.52,
  x/net ->0.54, x/sys ->0.45, testcontainers 0.38->0.42, logrus ->1.9.4).
- docker/docker -> moby/moby: swapped helper_test.go to
  github.com/moby/moby/api/types/container (matches testcontainers
  v0.42's API); go mod tidy then drops github.com/docker/docker
  entirely, clearing the Moby CVEs.
- golangci-lint (v2): excluded modernize/wsl_v5 in tests (pre-existing
  style); fixed one gocritic deprecatedComment + gci import order.
- CI: setup-go now uses go-version-file: go.mod; govulncheck via
  `go run golang.org/x/vuln/cmd/govulncheck@latest ./...` (dropped the
  govulncheck-action); added private-module access; removed redundant
  audit job.

Audit CVEs cleared: CVE-2026-33186 (grpc), CVE-2026-34040/41567/42306
(docker/docker Moby -> removed), CVE-2026-29181 (otel), GO-2026-5024 (x/sys).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
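The CI pattern described in the PR (toolchain pinned from go.mod, govulncheck run via `go run` instead of a third-party action, private-module access), written out as a GitHub Actions job. This is an added illustration, not the repository's own workflow file; the org name, secret name, Makefile target and job layout are assumptions.

```yaml
# Added example, not this repo's workflow. ORG and PRIVATE_MODULES_TOKEN are placeholders.
name: ci
on:
  pull_request:
  push:
    branches: [master]

env:
  # Private-module access: fetch matching module paths directly from git,
  # bypassing the public proxy and checksum database for those paths only.
  GOPRIVATE: github.com/ORG/*

jobs:
  test-and-vulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The Go toolchain version is read from the "go 1.26.4" directive in go.mod,
      # so a toolchain bump in go.mod is the single source of truth for CI too.
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"

      # Let the go tool clone private modules over HTTPS with a token.
      - name: Configure private module access
        env:
          GH_TOKEN: ${{ secrets.PRIVATE_MODULES_TOKEN }}
        run: |
          git config --global \
            url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"

      - run: go vet -tags=integration ./...
      - run: go test -race ./...   # stands in for the page's "make ci_tests (race)"

      # Run govulncheck from the module itself rather than govulncheck-action:
      # the scanner version tracks @latest and the vulnerability DB is fetched
      # fresh on every run, so a newly published advisory fails the build.
      - name: govulncheck
        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
```

The default symbol-level scan only reports vulnerabilities in functions the module actually reaches; `-scan module`, as used in the after-check above, lists every vulnerable module version in go.mod regardless of reachability, so the two results can differ.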
@pascal-blokur pascal-blokur marked this pull request as ready for review June 3, 2026 15:36
@pascal-blokur pascal-blokur merged commit f3bad7a into master Jun 3, 2026
2 checks passed
@pascal-blokur pascal-blokur deleted the fix/ops-10179_cves branch June 3, 2026 15:36