NO-ISSUE: bump github.com/moby/spdystream v0.5.0 to v0.5.1 to fix CVE-2026-35469

[rissh]

Summary

Bumps github.com/moby/spdystream from v0.5.0 to v0.5.1 to address CVE-2026-35469 (CVSS 8.7 High).

• Vulnerability: GO-2026-4958 / GHSA-pc3f-x583-g7j2
• CWE: CWE-770 — Allocation of Resources Without Limits or Throttling
• Affected symbols: spdystream.NewConnection, spdystream.Connection.Serve, spdy.Framer.ReadFrame, spdy.NewFramer

Changes

• go.mod: github.com/moby/spdystream v0.5.0 → v0.5.1
• go.sum: updated checksums
• vendor/: re-vendored github.com/moby/spdystream and github.com/moby/spdystream/spdy

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-35469
• https://pkg.go.dev/vuln/GO-2026-4958
• GHSA-pc3f-x583-g7j2
• moby/spdystream@ef6121f

Summary by CodeRabbit

• Chores
  • Updated an indirect dependency to a newer version for improved stability and bug fixes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2eba5daf-f809-4e0a-9358-d2e3191cbebf

📥 Commits

Reviewing files that changed from the base of the PR and between 999dd5a and 1b94e34.

⛔ Files ignored due to path filters (11)

• go.sum is excluded by !**/*.sum
• vendor/github.com/moby/spdystream/NOTICE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/connection.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/PATENTS is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/dictionary.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/read.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/moby/spdystream/spdy/write.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

---

Walkthrough

Updated indirect dependency github.com/moby/spdystream from v0.5.0 to v0.5.1 in go.mod.

Changes

Dependency Management

Layer / File(s)	Summary
moby/spdystream version update go.mod	Indirect module requirement github.com/moby/spdystream updated from v0.5.0 to v0.5.1.

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping a dependency version to fix a critical CVE vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only dependency version updates with no Ginkgo test declarations. Repository uses standard Go testing package, not Ginkgo, so check is not applicable.
Test Structure And Quality	✅ Passed	This PR updates dependencies only (moby/spdystream v0.5.0→v0.5.1) with no Ginkgo test code added or modified, making the check inapplicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. This is a repository initialization with 11,758 files and existing unit tests only, not e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates the spdystream dependency from v0.5.0 to v0.5.1 in go.mod/go.sum. No new Ginkgo e2e tests are added, so the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates go.mod/go.sum for spdystream CVE fix; no deployment manifests, operator code, or controllers modified. Check not applicable.
Ote Binary Stdout Contract	✅ Passed	PR contains only dependency version bump (moby/spdystream v0.5.0 → v0.5.1) in go.mod/go.sum and vendored files. No changes to source code in cmd/ or pkg/ that could violate OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only bumps github.com/moby/spdystream v0.5.0→v0.5.1 for CVE fix. No new Ginkgo e2e tests added, so IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto	✅ Passed	No weak crypto algorithms, custom crypto implementations, or insecure comparisons detected. PR only updates spdystream dependency version to fix CVE-2026-35469 (resource allocation vulnerability).
Container-Privileges	✅ Passed	PR contains no privileged container configurations. No privileged: true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings found in any manifests or Dockerfiles.
No-Sensitive-Data-In-Logs	✅ Passed	Spdystream v0.5.1 bump does not log passwords, tokens, API keys, PII, or customer data. Code review shows logging only includes metadata like secret names and image repository info.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rissh]

/retitle NO-ISSUE: bump github.com/moby/spdystream v0.5.0 to v0.5.1 to fix CVE-2026-35469

[openshift-ci-robot]

@rissh: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Bumps github.com/moby/spdystream from v0.5.0 to v0.5.1 to address CVE-2026-35469 (CVSS 8.7 High).

• Vulnerability: GO-2026-4958 / GHSA-pc3f-x583-g7j2
• CWE: CWE-770 — Allocation of Resources Without Limits or Throttling
• Affected symbols: spdystream.NewConnection, spdystream.Connection.Serve, spdy.Framer.ReadFrame, spdy.NewFramer

Changes

• go.mod: github.com/moby/spdystream v0.5.0 → v0.5.1
• go.sum: updated checksums
• vendor/: re-vendored github.com/moby/spdystream and github.com/moby/spdystream/spdy

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-35469
• https://pkg.go.dev/vuln/GO-2026-4958
• GHSA-pc3f-x583-g7j2
• moby/spdystream@ef6121f

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@rissh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jubittajohn]

/lgtm

[benluddy]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [benluddy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[shannon]

/verified by @shannon

[openshift-ci-robot]

@shannon: This PR has been marked as verified by @shannon.

Details

In response to this:

/verified by @shannon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.