Security: Fix CVE-2025-22868 (golang.org/x/oauth2)#2813
Conversation
- Upgrade golang.org/x/oauth2 from v0.18.0 to v0.27.0 - Fixes CVE-2025-22868 (HIGH 7.5): Unexpected memory consumption during token parsing in golang.org/x/oauth2 - Removes transitive dependency on google.golang.org/appengine (dropped in oauth2 v0.21.0) — cleans up 9k+ lines from vendor - Run go mod tidy && go mod vendor to update dependencies - Post-fix govulncheck confirms GO-2025-3488 resolved - Note: go directive bumped 1.21 => 1.23.0 (required by oauth2 v0.27.0) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
|
There was a problem hiding this comment.
Code Review
This pull request updates the Go version to 1.23.0, upgrades the golang.org/x/oauth2 dependency, and removes the unused google.golang.org/appengine dependency. The review feedback correctly highlights that updating the Go version in go.mod without corresponding updates in the Dockerfile and Makefile will lead to build inconsistencies and potential CI failures.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| module github.com/openshift-pipelines/pipelines-as-code | ||
|
|
||
| go 1.21 | ||
| go 1.23.0 |
There was a problem hiding this comment.
Bumping the Go version to 1.23.0 in go.mod creates an inconsistency with the rest of the repository. Specifically, Dockerfile still uses golang:1.21 as the builder image, and Makefile defines GO_TOOLCHAIN ?= go1.21.13. This mismatch will cause build failures in Docker-based builds and CI pipelines. Please update the Go version in Dockerfile and Makefile to 1.23 to match go.mod.
References
- The go directive in go.mod can include specific patch versions when automatically updated by go mod tidy to align with dependencies.
Summary
This PR fixes CVE-2025-22868 by upgrading
golang.org/x/oauth2from v0.18.0 to v0.27.0.CVE Details
Changes
golang.org/x/oauth2v0.18.0 → v0.27.0google.golang.org/appengine(dropped in oauth2 v0.21.0) — removes ~9,900 lines from vendorgo mod tidy && go mod vendorto update lockfilesgodirective bumped 1.21 → 1.23.0 (minimum required by oauth2 v0.27.0)Test Results
Status: ✅ Build passed
Build: ✅
go build ./...succeededPost-fix scan: ✅
govulncheck— GO-2025-3488 (CVE-2025-22868) no longer detectedBreaking Changes
go 1.21→go 1.23.0(required by oauth2 v0.27.0 dependency chain)oauth2package for APIs used in this repositoryVerification Checklist
golang.org/x/oauth2upgraded to v0.27.0go mod vendorupdatedgo build ./...passesRisk Assessment
Low-Medium — oauth2 v0.27.0 is backward compatible for all APIs used in this repo. The
godirective bump to 1.23.0 increases the minimum required Go toolchain but is a necessary side-effect of the CVE fix dependency chain.🤖 Generated by CVE Fixer Workflow