
Unicron address codeql and dependabot vulns#4926

Merged
lukaszgryglicki merged 4 commits into dev from unicron-address-codeql-and-dependabot-vulns on Mar 10, 2026

Conversation

@lukaszgryglicki
Member

Address CodeQL and dependabot vulns.

Signed-off-by: Lukasz Gryglicki lgryglicki@cncf.io

Assisted by OpenAI

Assisted by GitHub Copilot

@coderabbitai

coderabbitai Bot commented Mar 10, 2026

Walkthrough

Dependency bumps across Go, Node, and Python projects, a JWT import migrated to v4, telemetry promoted to a direct Go require, and simplified logging messages in GitHub OAuth/session code. No behavioral control-flow or public API signature changes detected.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Go module & toolchain: cla-backend-go/go.mod | Updates go directive to 1.24.0, adds toolchain go1.24.4, and promotes go.opentelemetry.io/otel/trace to a direct require (v1.40.0). |
| JWT import update: cla-backend-go/v2/sign/jwt.go | Switches import from github.com/golang-jwt/jwt to github.com/golang-jwt/jwt/v4 (usage unchanged). |
| npm resolution updates: cla-backend-go/package.json, cla-backend/package.json | Bumps tar resolution from ^7.5.8 to ^7.5.10; adds corresponding tar entry in cla-backend-go/package.json. |
| Tests npm resolution: tests/rest/package.json | Adds a resolution entry for underscore (1.13.8). |
| Python dependency: cla-backend/requirements.txt | Bumps cryptography from 41.0.7 to 46.0.5. |
| Logging simplification: cla-backend/cla/models/github_models.py, cla-backend/cla/utils.py | Shortens and standardizes numerous log messages around OAuth2, session loading, token handling, and redirects; no control-flow or return-value changes. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly reflects the main objective of the pull request: addressing CodeQL and dependabot vulnerabilities through dependency updates across multiple configuration files. |
| Description check | ✅ Passed | The description is directly related to the changeset, explicitly stating the PR addresses CodeQL and dependabot vulnerabilities, which aligns with the dependency and configuration updates present in the changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



Contributor

Copilot AI left a comment


Pull request overview

Addresses CodeQL/Dependabot findings by updating vulnerable dependencies and reducing sensitive data exposure in logs across the Python, Node, and Go components.

Changes:

  • Bump tar (Node) and cryptography (Python) versions to remediate reported vulnerabilities.
  • Reduce logging of sensitive/request-heavy payloads in the GitHub OAuth/webhook flows.
  • Update Go JWT dependency usage to github.com/golang-jwt/jwt/v4 and refresh Go module metadata.

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file
| File | Description |
|---|---|
| cla-backend/yarn.lock | Updates resolved dependency versions (notably tar). |
| cla-backend/requirements.txt | Bumps Python cryptography pin. |
| cla-backend/package.json | Updates tar resolution constraint. |
| cla-backend/cla/utils.py | Redacts sensitive OAuth-related debug logging. |
| cla-backend/cla/models/github_models.py | Redacts/limits webhook + session-related debug logging. |
| cla-backend-go/v2/sign/jwt.go | Switches JWT import to jwt/v4. |
| cla-backend-go/package.json | Adds a tar resolution (but currently conflicts with an existing one). |
| cla-backend-go/go.sum | Updates JWT sums to v4.5.2 (still contains an older v4.5.0 go.mod sum). |
| cla-backend-go/go.mod | Updates JWT requirement and adds toolchain directive / adjusts OTEL trace requirement. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cla-backend-go/package.json`:
- Line 34: The resolutions object in package.json contains two entries for "tar"
(one "^7.5.10" and a later duplicate "^7.5.8"), so the later one overrides the
intended fix; remove the duplicate older "tar" resolution from the resolutions
object (keep only the "^7.5.10" entry) so the package lock uses the
non-vulnerable version and regenerate lockfiles/install artifacts as needed;
look for the "resolutions" key and the "tar" entries to locate and remove the
incorrect duplicate.


📥 Commits

Reviewing files that changed from the base of the PR and between 9a60fc9 and 8549acc.

⛔ Files ignored due to path filters (2)
  • cla-backend-go/go.sum is excluded by !**/*.sum
  • cla-backend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (7)
  • cla-backend-go/go.mod
  • cla-backend-go/package.json
  • cla-backend-go/v2/sign/jwt.go
  • cla-backend/cla/models/github_models.py
  • cla-backend/cla/utils.py
  • cla-backend/package.json
  • cla-backend/requirements.txt


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/rest/package.json`:
- Line 18: The package.json currently uses "resolutions" to pin "underscore" to
1.13.8 but npm ignores resolutions, so add an "overrides" field mirroring the
"resolutions" entry (e.g. "overrides": {"underscore": "1.13.8"}) alongside the
existing "resolutions" key, then regenerate both lockfiles (package-lock.json
and yarn.lock) so the lockfiles reflect underscore@1.13.8; follow the pattern
used in the tests/functional manifest where both "resolutions" and "overrides"
are present.


📥 Commits

Reviewing files that changed from the base of the PR and between 31862c7 and 370fcb5.

⛔ Files ignored due to path filters (3)
  • tests/functional/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • tests/rest/package-lock.json is excluded by !**/package-lock.json
  • tests/rest/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • tests/rest/package.json
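Both bot findings above (a duplicate "tar" key inside "resolutions", where the JSON parser keeps only the last value, and a Yarn-only "resolutions" pin that npm ignores unless "overrides" mirrors it) can be checked mechanically before lockfiles are regenerated. The Node script below is an added example, not code from the PR or the project; it assumes flat, string-valued "resolutions"/"overrides" objects and runs against a constructed manifest.

```javascript
// Added example (not PR code). Assumes flat, string-valued resolutions/overrides.
// Return the raw text of a top-level object-valued field, honouring strings and
// nested braces: JSON.parse silently keeps only the LAST duplicate key, so the
// duplicate can only be seen in the raw text.
function rawObjectText(src, field) {
  const start = src.indexOf(`"${field}"`);
  if (start < 0) return null;
  const open = src.indexOf("{", start);
  let depth = 0, inStr = false;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (inStr) { if (c === "\\") i++; else if (c === '"') inStr = false; continue; }
    if (c === '"') inStr = true;
    else if (c === "{") depth++;
    else if (c === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return null;
}
// Every "key": "value" pair in source order, duplicates included.
function flatPairs(objText) {
  if (!objText) return [];
  const re = /"((?:[^"\\]|\\.)*)"\s*:\s*"((?:[^"\\]|\\.)*)"/g;
  return [...objText.matchAll(re)].map((m) => [m[1], m[2]]);
}
function lintPackageJson(src) {
  const parsed = JSON.parse(src);
  const findings = [];
  const seen = new Map();
  for (const [key, ver] of flatPairs(rawObjectText(src, "resolutions"))) {
    if (seen.has(key)) {
      findings.push(`duplicate resolutions.${key}: "${seen.get(key)}" then "${ver}"; JSON.parse keeps "${parsed.resolutions[key]}"`);
    }
    seen.set(key, ver);
  }
  // Yarn reads "resolutions"; npm reads only "overrides", so each pin needs a twin.
  const overrides = parsed.overrides || {};
  for (const key of seen.keys()) {
    if (!(key in overrides)) findings.push(`resolutions.${key} has no npm "overrides" twin`);
  }
  return findings;
}
// Constructed sample manifest reproducing both findings from the review.
const SAMPLE = `{
  "name": "example-manifest",
  "resolutions": { "tar": "^7.5.10", "underscore": "1.13.8", "tar": "^7.5.8" },
  "overrides": { "tar": "^7.5.10" }
}`;
console.log(lintPackageJson(SAMPLE).join("\n"));
```

Run it in CI against each manifest that carries pins; an empty result means every pin is unique and is honoured by both Yarn and npm.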

@lukaszgryglicki lukaszgryglicki merged commit 63c3355 into dev Mar 10, 2026
6 checks passed
@lukaszgryglicki lukaszgryglicki deleted the unicron-address-codeql-and-dependabot-vulns branch March 10, 2026 14:38
