OCPBUGS-87169: CVE-2026-34986: Bump go-jose/v4 to 4.1.4#10596
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@rh-akhatavk: This pull request explicitly references no jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Note
|
| Layer / File(s) | Summary |
|---|---|
go-jose indirect dependency version bump go.mod |
Indirect dependency github.com/go-jose/go-jose/v4 updated from v4.1.3 to v4.1.4. |
🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only updates go-jose/v4 dependency version in go.mod (v4.1.3→v4.1.4). No test files were modified, and no Ginkgo test names are present in the changes. |
| Test Structure And Quality | ✅ Passed | PR only updates go.mod dependency version; no test code changes. Custom check for Ginkgo test code quality is not applicable to this dependency version bump. |
| Microshift Test Compatibility | ✅ Passed | PR only updates go.mod dependency version (go-jose/v4 v4.1.3→v4.1.4). No new Ginkgo e2e tests (It/Describe/Context/When) were added; test files use standard Go testing framework. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only updates a Go dependency (go-jose/v4 from v4.1.3 to v4.1.4) in go.mod. No new Ginkgo e2e tests were added, so the SNO compatibility check does not apply. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR is a CVE security patch bumping go-jose/v4 dependency; no deployment manifests, operator specs, or controller scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR only updates go.mod dependency version (go-jose v4.1.3→v4.1.4) with no source code changes, therefore no process-level stdout writes introduced. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only updates go-jose/v4 dependency version in go.mod; no new Ginkgo e2e tests added, so check doesn't apply. |
| No-Weak-Crypto | ✅ Passed | PR updates go-jose/v4 to v4.1.4 fixing CVE-2026-34986 (DoS, not crypto weakness). No weak algorithms or custom crypto detected in codebase. |
| Container-Privileges | ✅ Passed | PR bumps go-jose/v4 for CVE-2026-34986. "privileged: true" additions are only in documentation and Vagrant files, not K8s manifests. Deployed manifests have no unsafe container privileges. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR only updates go.mod dependency version (v4.1.3→v4.1.4) with no new code or logging statements that could expose sensitive data. |
| Title check | ✅ Passed | The title clearly identifies the main change: bumping go-jose/v4 to 4.1.4 for CVE-2026-34986. It's specific, concise, and directly reflects the changeset. |
✏️ Tip: You can configure your own custom pre-merge checks in the settings.
✨ Finishing Touches
🧪 Generate unit tests (beta)
- Create PR with unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
|
@rh-akhatavk: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tthvo The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
/retitle OCPBUGS-87169: CVE-2026-34986: Bump go-jose/v4 to 4.1.4 |
openshift-ci
Bot
changed the title
openshift-ci-robot
added
jira/severity-important
|
@rh-akhatavk: This pull request references Jira Issue OCPBUGS-87169, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request. The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@rh-akhatavk I created OCPBUGS-87169 targetting |
|
Sure 👍 |
|
/verified by CI |
openshift-ci-robot
added
the
verified
|
@sbiradar10: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@rh-akhatavk: Jira Issue OCPBUGS-87169: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-87169 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@rh-akhatavk: Jira Issue OCPBUGS-87169: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-87169 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@rh-akhatavk: Jira Issue Verification Checks: Jira Issue OCPBUGS-87169 Jira Issue OCPBUGS-87169 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Fix included in release 5.0.0-0.nightly-2026-06-06-100407 |
5 participants
Bumps
go-jose/v4to 4.1.4 to fix CVE-2026-34986Summary by CodeRabbit