
Fix the remaining critical and high dependabot vulnerabilities #5072

Merged
lukaszgryglicki merged 2 commits into dev from unicron-fix-dbot-vulns on May 28, 2026

Conversation

@lukaszgryglicki (Member)

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Assisted by [Claude](https://claude.ai)
@lukaszgryglicki lukaszgryglicki self-assigned this May 27, 2026
Copilot AI review requested due to automatic review settings May 27, 2026 07:45
@coderabbitai (Bot) commented May 27, 2026

Important: Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • tests/rest/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.


Walkthrough

This PR updates the Go toolchain and dependencies across three Go modules (cla-backend-go, cla-backend-legacy, utils/otel_dd_go), bumps OpenTelemetry packages from v1.40.0 to v1.43.0, and tightens JavaScript and Python test dependencies via resolutions, overrides, and frozen requirements files.

Changes

Dependency and Tooling Lifecycle

| Layer | File(s) | Summary |
| --- | --- | --- |
| Go toolchain and module dependency upgrades | cla-backend-go/go.mod, cla-backend-legacy/go.mod, utils/otel_dd_go/go.mod, .gitignore | Go versions updated to 1.25.0, OpenTelemetry modules bumped from v1.40.0 to v1.43.0, and transitive dependencies (oauth2, grpc-gateway, gRPC, Google API) updated across three modules. Build output .gitignore entry added for utils/otel_dd_go/otel_dd_go. |
| Test environment dependency resolution tightening | tests/functional/package.json, tests/rest/package.json, tests/rest/requirements.freeze.txt | NPM resolutions and overrides expanded in both test manifests to pin transitive packages; Python test dependencies (PyJWT v2.4.0→v2.13.0, urllib3 v2.6.3→v2.7.0) pinned in frozen requirements. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly describes the main purpose: fixing critical and high Dependabot vulnerabilities through dependency updates across the codebase. |
| Description check | ✅ Passed | The description is related to the changeset as it confirms the PR's purpose of addressing Dependabot vulnerabilities, though it lacks specific technical details. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/functional/package.json`:
- Around line 39-44: Update the floating caret ranges in the tests package.json
override/resolution entries to pinned exact versions so installs are
deterministic: locate the "overrides" and "resolutions" blocks in
tests/functional/package.json (and the analogous blocks in
tests/rest/package.json) and replace entries like "fast-uri": "^3.1.2",
"lodash": "^4.18.0", "tmp": "^0.2.6", "serialize-javascript": "^7.0.5",
"picomatch": "^2.3.2", and "form-data": "^4.0.4" with exact versions (e.g.
"fast-uri": "3.1.2") and then regenerate/update the lockfile(s) so CI/local
installs converge.

📥 Commits

Reviewing files that changed from the base of the PR and between fbba01d and 10dd5cb.

⛔ Files ignored due to path filters (7)
  • cla-backend-go/go.sum is excluded by !**/*.sum
  • cla-backend-legacy/go.sum is excluded by !**/*.sum
  • tests/functional/package-lock.json is excluded by !**/package-lock.json
  • tests/functional/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • tests/rest/package-lock.json is excluded by !**/package-lock.json
  • tests/rest/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • utils/otel_dd_go/go.sum is excluded by !**/*.sum
📒 Files selected for processing (7)
  • .gitignore
  • cla-backend-go/go.mod
  • cla-backend-legacy/go.mod
  • tests/functional/package.json
  • tests/rest/package.json
  • tests/rest/requirements.freeze.txt
  • utils/otel_dd_go/go.mod
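The CodeRabbit comment above recommends replacing caret ranges in the overrides/resolutions blocks with exact versions so installs are deterministic. The following is an added example, not code from the EasyCLA repository or from CodeRabbit: a small Node script that scans a package.json for floating specs in those two blocks. The sample manifest, its package names and its version specs are constructed for illustration, modelled on the entries quoted in the comment.

```javascript
// Added example (not from the EasyCLA repository): flag floating version
// ranges in the "overrides" (npm) and "resolutions" (yarn) blocks of a
// package.json, so a pinned transitive dependency cannot silently resolve to
// a newer release at install time. Only an exact semver ("3.1.2") counts as
// pinned; ranges such as "^3.1.2" or "~2.3.2" are reported.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Walk an overrides/resolutions object. npm allows nested objects
// ("foo": { ".": "^1.0.0", "bar": "2.0.0" }), so recurse and report a
// "parent > child" path for each floating entry.
function collectFloating(block, prefix = []) {
  const findings = [];
  for (const [name, value] of Object.entries(block || {})) {
    const path = [...prefix, name];
    if (value && typeof value === 'object') {
      findings.push(...collectFloating(value, path));
    } else if (typeof value !== 'string' || !EXACT_VERSION.test(value)) {
      findings.push({ path: path.join(' > '), spec: String(value) });
    }
  }
  return findings;
}

// Parse a manifest and return every floating entry from both blocks.
function findFloatingPins(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  return [
    ...collectFloating(manifest.overrides).map(f => ({ block: 'overrides', ...f })),
    ...collectFloating(manifest.resolutions).map(f => ({ block: 'resolutions', ...f })),
  ];
}

// Constructed sample manifest (illustrative, not the repository's file).
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'functional-tests',
  overrides: {
    'fast-uri': '^3.1.2',
    lodash: '4.18.0',
    'serialize-javascript': { '.': '^7.0.5', randombytes: '2.1.0' },
  },
  resolutions: { tmp: '0.2.6', picomatch: '~2.3.2', 'form-data': '4.0.4' },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findFloatingPins(SAMPLE_MANIFEST)) {
    console.log(`${f.block}: ${f.path} is floating (${f.spec}); pin an exact version`);
  }
}
```

Run it against a real manifest by reading the file with fs.readFileSync and passing the contents to findFloatingPins; an empty result means every override and resolution is an exact version.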

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates Go, Node, and Python dependencies across the EasyCLA codebase (and its test/util subprojects) to address outstanding Dependabot-reported critical/high vulnerabilities.

Changes:

  • Bumped OpenTelemetry, grpc-gateway, and related Go module dependencies (including indirect deps) across backend and utility modules.
  • Updated REST test dependencies (Node lockfiles + Python frozen requirements) and functional test dependency overrides/resolutions.
  • Adjusted .gitignore for the utils/otel_dd_go build output.

Reviewed changes

Copilot reviewed 6 out of 14 changed files in this pull request and generated 4 comments.

Summary per file

| File | Description |
| --- | --- |
| utils/otel_dd_go/go.mod | Updates Go version directive and OpenTelemetry/grpc-gateway dependency versions. |
| utils/otel_dd_go/go.sum | Refreshes dependency checksums after Go module upgrades. |
| tests/rest/yarn.lock | Updates Yarn-locked transitive Node dependencies used by REST test tooling. |
| tests/rest/package.json | Updates/extends overrides + adds resolutions to enforce patched Node transitive versions. |
| tests/rest/package-lock.json | Regenerated npm lockfile; currently includes several notable dependency downgrades vs prior lock state. |
| tests/rest/requirements.freeze.txt | Bumps PyJWT and urllib3 pinned versions for REST tests. |
| tests/functional/package.json | Adds/updates resolutions + overrides to force patched transitive Node deps for Cypress tests. |
| tests/functional/package-lock.json | Updates npm-locked dependency graph for functional tests. |
| cla-backend-legacy/go.mod | Bumps OpenTelemetry stack and backoff major version (indirect) and related indirect dependencies. |
| cla-backend-legacy/go.sum | Refreshes checksums after Go dependency upgrades. |
| cla-backend-go/go.mod | Bumps OpenTelemetry stack, grpc-gateway, and oauth2 to newer versions. |
| cla-backend-go/go.sum | Refreshes checksums after Go dependency upgrades. |
| .gitignore | Ignores an additional utils/otel_dd_go build artifact path. |
Files not reviewed (2)
  • tests/functional/package-lock.json: Language not supported
  • tests/rest/package-lock.json: Language not supported

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Assisted by [Claude](https://claude.ai)
@lukaszgryglicki lukaszgryglicki merged commit e8f7342 into dev May 28, 2026
14 checks passed
@lukaszgryglicki lukaszgryglicki deleted the unicron-fix-dbot-vulns branch May 28, 2026 05:02
@coderabbitai coderabbitai Bot mentioned this pull request May 28, 2026