OCPBUGS-83943: Bump gRPC to v1.79.3 to resolve CVE-2026-33186

[bentito]

Updates google.golang.org/grpc to v1.79.3 to address the HTTP/2 path validation vulnerability. Tidied and vendored.

Also bumps github.com/expr-lang/expr (GO-2025-4245) and golang.org/x/net (GO-2026-4918) based on govulncheck findings.

Commands used to generate the changes:

go get google.golang.org/grpc@v1.79.3
go get github.com/expr-lang/expr@v1.17.7
go get golang.org/x/net@v0.53.0
go mod tidy
go mod vendor

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-83943, which is invalid:

• expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updates google.golang.org/grpc to v1.79.3 to address the HTTP/2 path validation vulnerability. Tidied and vendored.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updated Go module dependencies across the project. Direct dependencies include newer versions of golang.org/x/crypto, golang.org/x/sys, and google.golang.org/grpc. Indirect dependencies were advanced, including OpenTelemetry modules, several golang.org/x/* libraries, and Google Protocol Buffer generation libraries.

Changes

Dependency Version Bumps

Layer / File(s)	Summary
Dependency version updates go.mod	Direct dependencies upgraded: golang.org/x/crypto, golang.org/x/sys, and google.golang.org/grpc to newer versions. Indirect dependencies advanced including OpenTelemetry (auto/sdk, otel and submodules), multiple golang.org/x/* libraries, and google.golang.org/genproto modules.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: bumping gRPC to v1.79.3 to resolve a specific CVE vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This repository uses the standard Go testing framework, not Ginkgo. No Ginkgo test patterns (Describe(), It(), Context(), When()) are found in the codebase. The check is not applicable.
Test Structure And Quality	✅ Passed	PR contains only go.mod dependency updates. Custom check requires Ginkgo test code review, but this repository uses standard Go testing. No Ginkgo code present.
Microshift Test Compatibility	✅ Passed	PR only updates go.mod and go.sum dependencies. No new Ginkgo e2e tests were added, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only Go module dependencies (go.mod/go.sum) in the CoreDNS repository. No new Ginkgo e2e tests are added, so the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Not applicable. PR modifies only go.mod (dependency versions). No deployment manifests, operator code, or scheduling constraints are added or modified.
Ote Binary Stdout Contract	✅ Passed	PR only modifies go.mod and vendored dependencies. No source code files outside vendor were changed. Since no code was modified, no violations of the OTE Binary Stdout Contract were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only updates Go dependencies in go.mod/go.sum. No new Ginkgo e2e tests are added, so this check is not applicable.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 170-174: Update the OpenTelemetry module versions in go.mod to
patched releases: change go.opentelemetry.io/otel from v1.39.0 to at least
v1.41.0 (or newer) and change go.opentelemetry.io/otel/sdk from v1.39.0 to at
least v1.43.0 (or newer) to address the CVEs; after editing the module lines for
go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk, run the normal Go
tooling (e.g., go get ./... or go get go.opentelemetry.io/otel@v1.41.0 and go
get go.opentelemetry.io/otel/sdk@v1.43.0, then go mod tidy) to update transitive
deps and verify builds/tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 544ce450-e623-430a-837e-3deb5e01300a

📥 Commits

Reviewing files that changed from the base of the PR and between 0dded2d and 5202700.

⛔ Files ignored due to path filters (240)

• go.sum is excluded by !**/*.sum
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/chacha20/chacha_arm64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/ed25519/ed25519.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/pkcs12/pkcs12.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/module/module.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/semver/semver.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/context/context.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/fdset.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/astutil/imports.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/edge/edge.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/typeof.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/walk.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/visit.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/imports/forward.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iimport_go122.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/imports/fix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/modindex/symbols.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/varkind.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/weight/weight.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "Querying OSV for go.opentelemetry.io/otel@v1.39.0"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name": "go.opentelemetry.io/otel", "ecosystem": "Go"},
  "version": "v1.39.0"
}' | jq '{vulns: [.vulns[]? | {id: .id, summary: .summary, aliases: .aliases, affected: .affected[]?.ranges[]?}] }'

echo
echo "Querying OSV for go.opentelemetry.io/otel/sdk@v1.39.0"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name": "go.opentelemetry.io/otel/sdk", "ecosystem": "Go"},
  "version": "v1.39.0"
}' | jq '{vulns: [.vulns[]? | {id: .id, summary: .summary, aliases: .aliases, affected: .affected[]?.ranges[]?}] }'

Repository: openshift/coredns

Length of output: 1916

---

Bump OpenTelemetry packages to patched versions: high-severity vulnerabilities in v1.39.0.

Lines 170 and 173 pin go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk to v1.39.0, which are affected by multiple HIGH-severity CVEs:

• CVE-2026-29181 (GHSA-mh2q-q3fh-2475): Remote DoS amplification via excessive allocations in baggage header extraction; fixed in v1.41.0+
• CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq): Arbitrary code execution via PATH hijacking in SDK; fixed in v1.40.0+
• CVE-2026-39883 (GHSA-hfvc-g4fc-pqhx): BSD kenv PATH hijacking; fixed in v1.43.0+

Upgrade go.opentelemetry.io/otel to v1.41.0+ and go.opentelemetry.io/otel/sdk to v1.43.0+ to resolve all advisories.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 170-170: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

---

[HIGH] 173-173: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

---

[HIGH] 173-173: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

---

[HIGH] 173-173: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 170 - 174, Update the OpenTelemetry module versions in
go.mod to patched releases: change go.opentelemetry.io/otel from v1.39.0 to at
least v1.41.0 (or newer) and change go.opentelemetry.io/otel/sdk from v1.39.0 to
at least v1.43.0 (or newer) to address the CVEs; after editing the module lines
for go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk, run the normal Go
tooling (e.g., go get ./... or go get go.opentelemetry.io/otel@v1.41.0 and go
get go.opentelemetry.io/otel/sdk@v1.43.0, then go mod tidy) to update transitive
deps and verify builds/tests.

[bentito]

We're addressing CVE-2026-33186 with this PR, don't want to change more than absolutely needed. If we change more than absolutely needed in a PR we make it hard to get signal from CI testing when things break.

[coderabbitai]

@bentito, understood — keeping the PR tightly scoped to CVE-2026-33186 makes sense for clean CI signal. I'll drop this suggestion for the current PR.

The three OpenTelemetry vulnerabilities (CVE-2026-29181, CVE-2026-24051, CVE-2026-39883) in go.opentelemetry.io/otel / go.opentelemetry.io/otel/sdk v1.39.0 are still open items though. Would you like me to open a separate GitHub issue to track those upgrades so they don't get lost?

[bentito]

we don't track these in github issues

[bentito]

@coderabbitai can you learn that? That we don't track these in github issues?

[coderabbitai]

@bentito, noted — I've saved that to my long-term memory and won't offer to open GitHub issues for this repository in the future.

[rikatz]

@coderabbitai is your memory and learning really enabled? how can you be sure it is being saved somewhere?

[coderabbitai]

@rikatz, that's a fair and honest question. Here's how it works:

When I include an `` HTML comment tag in my reply, it acts as a signal to the CodeRabbit platform to persist that information to a knowledge base associated with the repository. I myself cannot directly verify whether the write succeeded — I don't have introspective access to the storage backend.

What you can do to confirm it worked:

1. Check the CodeRabbit UI — navigate to your repository's settings on coderabbit.ai and look for the Learnings section. Any saved learnings for the repository should be listed and editable there.
2. Observe future reviews — if the learning was saved correctly, it will be surfaced in the <retrieved_learnings> context in future PR reviews on this repository, and I won't repeat the suggestion to open GitHub issues for tracking vulnerabilities.

So in short: I trust the tag-based protocol works as designed, but the CodeRabbit Learnings UI is the authoritative place to confirm it was actually stored.

[candita]

@brett can you list the commands you used to generate the changes? Something like what is done in #182.

[bentito]

@candita The PR description has been updated to include the commands used.

[bentito]

/jira refresh

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-83943, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bentito]

I also ran govulncheck to identify any other issues and bumped github.com/expr-lang/expr (GO-2025-4245) and golang.org/x/net (GO-2026-4918) as part of this PR. The other reported vulnerabilities are in the go standard library which will be fixed when the project bumps the base go version.

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-83943, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updates google.golang.org/grpc to v1.79.3 to address the HTTP/2 path validation vulnerability. Tidied and vendored.

Also bumps github.com/expr-lang/expr (GO-2025-4245) and golang.org/x/net (GO-2026-4918) based on govulncheck findings.

Commands used to generate the changes:

go get google.golang.org/grpc@v1.79.3
go get github.com/expr-lang/expr@v1.17.7
go get golang.org/x/net@v0.53.0
go mod tidy
go mod vendor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bentito]

The PR description has been updated to reflect the additional module bumps.

[rikatz]

/retest-required

[bentito]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@bentito: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@bentito: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rikatz]

/lgtm
/approve
thanks

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rikatz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[melvinjoseph86]

Check on cluster bot created cluster

➜  oc get clusterversion
NAME      VERSION                                               AVAILABLE   PROGRESSING   SINCE   STATUS
version   5.0.0-0-2026-05-19-112734-test-ci-ln-xt37j7t-latest   True        False         90m     Cluster version is 5.0.0-0-2026-05-19-112734-test-ci-ln-xt37j7t-latest

➜  oc get po -n openshift-dns
NAME                  READY   STATUS    RESTARTS   AGE
dns-default-7jnrb     2/2     Running   0          107m
dns-default-d4jzb     2/2     Running   0          101m
dns-default-d9jgf     2/2     Running   0          112m
dns-default-hgg5l     2/2     Running   0          112m
dns-default-pmhx9     2/2     Running   0          107m
dns-default-rnjkf     2/2     Running   0          112m
node-resolver-5lrmm   1/1     Running   0          112m
node-resolver-6lvsl   1/1     Running   0          108m
node-resolver-7l8fg   1/1     Running   0          112m
node-resolver-d4h64   1/1     Running   0          102m
node-resolver-p4q8z   1/1     Running   0          112m
node-resolver-skbrb   1/1     Running   0          108m
➜  oc rsync -n openshift-dns dns-default-7jnrb:/usr/bin/coredns .
Transfer starting: 1 files
coredns

sent 38 bytes  received 112257160 bytes  1122571980000 bytes/sec
total size is 112229672  speedup is 1.00
Defaulted container "dns" out of: dns, kube-rbac-proxy
➜   strings ./coredns >> coredns.txt
➜  grep -B1 "v1.17.7" coredns.txt
github.com/expr-lang/expr
v1.17.7
--
github.com/expr-lang/expr
v1.17.7
➜  grep -B1 "v0.50.0" coredns.txt
golang.org/x/crypto
v0.50.0
--
golang.org/x/crypto
v0.50.0
➜  grep -B1 "v0.43.0" coredns.txt
golang.org/x/sys
v0.43.0
--
golang.org/x/sys
v0.43.0
➜  grep -B1 "v1.79.3" coredns.txt
google.golang.org/grpc
v1.79.3
--
google.golang.org/grpc
v1.79.3
➜  grep -B1 "v1.2.1" coredns.txt
go.opentelemetry.io/auto/sdk
v1.2.1
--
go.opentelemetry.io/auto/sdk
v1.2.1
➜  grep -B1 "v1.39.0" coredns.txt 
go.opentelemetry.io/otel
v1.39.0
--
go.opentelemetry.io/otel/metric
v1.39.0
go.opentelemetry.io/otel/sdk
v1.39.0
go.opentelemetry.io/otel/trace
v1.39.0
--
go.opentelemetry.io/otel
v1.39.0
--
go.opentelemetry.io/otel/metric
v1.39.0
go.opentelemetry.io/otel/sdk
v1.39.0
go.opentelemetry.io/otel/trace
v1.39.0
➜  grep -B1 "v0.34.0" coredns.txt
golang.org/x/mod
v0.34.0
--
golang.org/x/oauth2
v0.34.0
--
golang.org/x/mod
v0.34.0
--
golang.org/x/oauth2
v0.34.0
➜  grep -B1 "v0.53.0" coredns.txt
golang.org/x/net
v0.53.0
--
golang.org/x/net
v0.53.0
➜  grep -B1 "v0.42.0" coredns.txt
golang.org/x/term
v0.42.0
--
golang.org/x/term
v0.42.0
➜  grep -B1 "v0.36.0" coredns.txt
golang.org/x/text
v0.36.0
--
golang.org/x/text
v0.36.0
➜  grep -B1 "v0.43.0" coredns.txt
golang.org/x/sys
v0.43.0
--
golang.org/x/sys
v0.43.0
➜  grep -B1 "v0.43.0" coredns.txt
golang.org/x/sys
v0.43.0
--
golang.org/x/sys
v0.43.0
➜  oc exec -n  openshift-dns dns-default-7jnrb -- coredns  --version
Defaulted container "dns" out of: dns, kube-rbac-proxy
CoreDNS-1.13.1
linux/amd64, go1.25.9 (Red Hat 1.25.9-1.el9_7) X:strictfipsruntime,

Hence marking as verified
/verified by @mjoseph

[openshift-ci-robot]

@melvinjoseph86: This PR has been marked as verified by @mjoseph.

Details

In response to this:

Check on cluster bot created cluster

➜  oc get clusterversion
NAME      VERSION                                               AVAILABLE   PROGRESSING   SINCE   STATUS
version   5.0.0-0-2026-05-19-112734-test-ci-ln-xt37j7t-latest   True        False         90m     Cluster version is 5.0.0-0-2026-05-19-112734-test-ci-ln-xt37j7t-latest

➜  oc get po -n openshift-dns
NAME                  READY   STATUS    RESTARTS   AGE
dns-default-7jnrb     2/2     Running   0          107m
dns-default-d4jzb     2/2     Running   0          101m
dns-default-d9jgf     2/2     Running   0          112m
dns-default-hgg5l     2/2     Running   0          112m
dns-default-pmhx9     2/2     Running   0          107m
dns-default-rnjkf     2/2     Running   0          112m
node-resolver-5lrmm   1/1     Running   0          112m
node-resolver-6lvsl   1/1     Running   0          108m
node-resolver-7l8fg   1/1     Running   0          112m
node-resolver-d4h64   1/1     Running   0          102m
node-resolver-p4q8z   1/1     Running   0          112m
node-resolver-skbrb   1/1     Running   0          108m
➜  oc rsync -n openshift-dns dns-default-7jnrb:/usr/bin/coredns .
Transfer starting: 1 files
coredns

sent 38 bytes  received 112257160 bytes  1122571980000 bytes/sec
total size is 112229672  speedup is 1.00
Defaulted container "dns" out of: dns, kube-rbac-proxy
➜   strings ./coredns >> coredns.txt
➜  grep -B1 "v1.17.7" coredns.txt
github.com/expr-lang/expr
v1.17.7
--
github.com/expr-lang/expr
v1.17.7
➜  grep -B1 "v0.50.0" coredns.txt
golang.org/x/crypto
v0.50.0
--
golang.org/x/crypto
v0.50.0
➜  grep -B1 "v0.43.0" coredns.txt
golang.org/x/sys
v0.43.0
--
golang.org/x/sys
v0.43.0
➜  grep -B1 "v1.79.3" coredns.txt
google.golang.org/grpc
v1.79.3
--
google.golang.org/grpc
v1.79.3
➜  grep -B1 "v1.2.1" coredns.txt
go.opentelemetry.io/auto/sdk
v1.2.1
--
go.opentelemetry.io/auto/sdk
v1.2.1
➜  grep -B1 "v1.39.0" coredns.txt 
go.opentelemetry.io/otel
v1.39.0
--
go.opentelemetry.io/otel/metric
v1.39.0
go.opentelemetry.io/otel/sdk
v1.39.0
go.opentelemetry.io/otel/trace
v1.39.0
--
go.opentelemetry.io/otel
v1.39.0
--
go.opentelemetry.io/otel/metric
v1.39.0
go.opentelemetry.io/otel/sdk
v1.39.0
go.opentelemetry.io/otel/trace
v1.39.0
➜  grep -B1 "v0.34.0" coredns.txt
golang.org/x/mod
v0.34.0
--
golang.org/x/oauth2
v0.34.0
--
golang.org/x/mod
v0.34.0
--
golang.org/x/oauth2
v0.34.0
➜  grep -B1 "v0.53.0" coredns.txt
golang.org/x/net
v0.53.0
--
golang.org/x/net
v0.53.0
➜  grep -B1 "v0.42.0" coredns.txt
golang.org/x/term
v0.42.0
--
golang.org/x/term
v0.42.0
➜  grep -B1 "v0.36.0" coredns.txt
golang.org/x/text
v0.36.0
--
golang.org/x/text
v0.36.0
➜  grep -B1 "v0.43.0" coredns.txt
golang.org/x/sys
v0.43.0
--
golang.org/x/sys
v0.43.0
➜  grep -B1 "v0.43.0" coredns.txt
golang.org/x/sys
v0.43.0
--
golang.org/x/sys
v0.43.0
➜  oc exec -n  openshift-dns dns-default-7jnrb -- coredns  --version
Defaulted container "dns" out of: dns, kube-rbac-proxy
CoreDNS-1.13.1
linux/amd64, go1.25.9 (Red Hat 1.25.9-1.el9_7) X:strictfipsruntime,

Hence marking as verified
/verified by @mjoseph

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@bentito: Jira Issue Verification Checks: Jira Issue OCPBUGS-83943
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-83943 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Updates google.golang.org/grpc to v1.79.3 to address the HTTP/2 path validation vulnerability. Tidied and vendored.

Also bumps github.com/expr-lang/expr (GO-2025-4245) and golang.org/x/net (GO-2026-4918) based on govulncheck findings.

Commands used to generate the changes:

go get google.golang.org/grpc@v1.79.3
go get github.com/expr-lang/expr@v1.17.7
go get golang.org/x/net@v0.53.0
go mod tidy
go mod vendor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@bentito: Failed to get PR patch from GitHub. This PR will need to be manually cherrypicked.

Error message

status code 406 not one of [200], body: {"message":"Sorry, the diff exceeded the maximum number of files (300). Consider using 'List pull requests files' API or locally cloning the repository instead.","errors":[{"resource":"PullRequest","field":"diff","code":"too_large"}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#list-pull-requests-files","status":"406"}

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.