Skip to content

fix(deps): bump go_modules security dependencies with lint fixes#688

Open
jeremyeder wants to merge 2 commits intomainfrom
fix/security-deps-with-lint-fixes
Open

fix(deps): bump go_modules security dependencies with lint fixes#688
jeremyeder wants to merge 2 commits intomainfrom
fix/security-deps-with-lint-fixes

Conversation

@jeremyeder
Copy link
Collaborator

@jeremyeder jeremyeder commented Feb 25, 2026

Summary

This PR combines the Dependabot security dependency updates from PR #670 with the lint fixes already in main.

Security Updates

Why This PR

PR #670 was failing lint checks because it was based on an older commit before lint fixes were merged to main. Dependabot could not rebase because the PR was previously edited. This PR merges #670 changes on top of current main.

Closes #670 (supersedes)

🤖 Generated with Claude Code

dependabot bot and others added 2 commits February 24, 2026 03:16
@dependabot
build(deps): bump the go_modules group across 1 directory with 5 updates
54bff0e 
Bumps the go_modules group with 5 updates in the /components/ambient-api-server directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/docker/distribution](https://github.com/docker/distribution) | `2.8.1+incompatible` | `2.8.2+incompatible` |
| [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) | `4.5.0` | `4.5.2` |
| [github.com/jackc/pgproto3/v2](https://github.com/jackc/pgproto3) | `2.3.0` | `2.3.3` |
| [github.com/jackc/pgx/v4](https://github.com/jackc/pgx) | `4.16.0` | `4.18.2` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.41.0` | `0.45.0` |



Updates `github.com/docker/distribution` from 2.8.1+incompatible to 2.8.2+incompatible
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](distribution/distribution@v2.8.1...v2.8.2)

Updates `github.com/golang-jwt/jwt/v4` from 4.5.0 to 4.5.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v4.5.0...v4.5.2)

Updates `github.com/jackc/pgproto3/v2` from 2.3.0 to 2.3.3
- [Commits](jackc/pgproto3@v2.3.0...v2.3.3)

Updates `github.com/jackc/pgx/v4` from 4.16.0 to 4.18.2
- [Changelog](https://github.com/jackc/pgx/blob/v4.18.2/CHANGELOG.md)
- [Commits](jackc/pgx@v4.16.0...v4.18.2)

Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0
- [Commits](golang/crypto@v0.41.0...v0.45.0)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-version: 2.8.2+incompatible
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-version: 4.5.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/jackc/pgproto3/v2
  dependency-version: 2.3.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/jackc/pgx/v4
  dependency-version: 4.18.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Merge remote-tracking branch 'origin/dependabot/go_modules/components…
79495a3 
…/ambient-api-server/go_modules-b26caf883b' into fix/security-deps-with-lint-fixes
@github-actions
Copy link
Contributor

github-actions bot commented Feb 25, 2026
edited
Loading

Claude Code Review

Summary

PR #688 is a targeted security dependency bump for components/ambient-api-server/go.mod, rebasing Dependabot PR #670 on top of current main to unblock blocked lint checks. The changes are exactly what they should be: updating specific vulnerable Go transitive dependencies with no application logic changes. The PR is well-motivated, minimal, and correctly structured.

Diff scope: 2 files, +32/-28 lines — all in go.mod and go.sum.

Issues by Severity

🚫 Blocker Issues

None.

🔴 Critical Issues

dgrijalva/jwt-go v3.2.0 remains in the dependency graph

# components/ambient-api-server/go.mod (line ~33)
github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect

This package (archived since 2021) carries CVE-2020-26160 (improper aud claim validation allowing auth bypass). Even though it is an indirect dependency and the project also uses golang-jwt/jwt/v4 (now patched to 4.5.2), the vulnerable package remains in the module graph. The root cause is auth0/go-jwt-middleware v0.0.0-20190805220309-36081240882b (also from 2019), which pins the abandoned dgrijalva JWT library.

This PR does not fix or call out this outstanding vulnerability. A follow-up issue/PR should either:

  1. Upgrade or replace auth0/go-jwt-middleware (the auth0/go-jwt-middleware/v2 module dropped the dgrijalva dependency), or
  2. Add a replace directive in go.mod to redirect dgrijalva/jwt-gogolang-jwt/jwt as a stopgap.

🟡 Major Issues

Undocumented transitive dependency updates

The PR body lists 5 updates, but the diff actually bumps 9 packages. The unlisted ones are meaningful version changes, not trivial patch bumps:

Package Old New
jackc/pgconn 1.12.0 1.14.3
jackc/pgtype 1.11.0 1.14.0
jackc/puddle 1.2.1 1.3.0
golang.org/x/net 0.43.0 0.47.0
golang.org/x/text 0.29.0 0.31.0
golang.org/x/sync 0.17.0 0.18.0
golang.org/x/term 0.34.0 0.37.0

These are all desirable updates but reviewers should be aware of them. pgconn 1.14.x in particular has behaviour changes in error handling. Updating the PR description would aid traceability.

🔵 Minor Issues

1. Operator component has outdated golang.org/x packages

This PR correctly fixes ambient-api-server, but scanning the sibling components reveals:

# components/operator/go.mod
golang.org/x/net  v0.38.0   # vs 0.47.0 in this PR
golang.org/x/text v0.23.0   # vs 0.31.0 in this PR

Neither appears to have an active known CVE for the operator's usage, but drift of this magnitude across modules is worth a housekeeping Dependabot sweep.

2. golang.org/x/sys not bumped

golang.org/x/crypto was bumped from 0.41.0 → 0.45.0, but golang.org/x/sys stays at 0.40.0 in ambient-api-server. These are independent packages so there is no strict versioning constraint violation, but it creates a subtle version skew between sibling golang.org/x packages. Low risk, but worth noting.

Positive Highlights

  • Excellent PR rationale: The description clearly explains why this PR exists (Dependabot build(deps): bump the go_modules group across 1 directory with 5 updates #670 could not be rebased because it was manually edited) and what it supersedes. This is the right approach.
  • Right CVEs targeted: The SQL injection vulnerabilities in pgx/v4 (CVE-2024-27289, CVE-2024-27304) and the JWT memory exhaustion advisory (GHSA-mh63-6h87-95cp) are correctly prioritised.
  • Minimal blast radius: Only go.mod and go.sum are touched. No application logic, no config, no manifests.
  • Conventional commit title (fix(deps):) is correct per project standards (CLAUDE.md).
  • go.sum is consistent: All old hashes are removed and new ones added properly — no leftover stale entries.
  • Backend already uses golang-jwt/jwt/v5: The more security-sensitive backend component correctly uses the modern, maintained JWT library rather than the deprecated one.

Recommendations

  1. File a follow-up issue to upgrade auth0/go-jwt-middlewareauth0/go-jwt-middleware/v2 (or replace with a maintained alternative) to eliminate the dgrijalva/jwt-go CVE-2020-26160 from the dependency graph. This is the only remaining security concern.

  2. Update the PR body to list all 9 packages changed (not just the 5 highlighted), so the change is fully traceable for future audits.

  3. Consider a broader Dependabot sweep for components/operator to bring golang.org/x/net and golang.org/x/text up to current — these are now 4+ minor versions behind what the other components use.

Overall verdict: ✅ Approve with follow-up. The security fixes are correct and necessary. The dgrijalva/jwt-go finding should be tracked as a separate issue rather than blocking this PR, since it predates these changes and removing it requires a larger dependency upgrade.

Review generated by Claude Code (claude-sonnet-4-6)

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

  1. CLAUDE.md - Master project instructions, development standards
  2. backend-development.md - Go backend, K8s integration patterns
  3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
  4. security-standards.md - Auth, RBAC, token handling
  5. k8s-client-usage.md - User token vs service account patterns
  6. error-handling.md - Consistent error patterns
  7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

markturansky
markturansky approved these changes Feb 26, 2026
View reviewed changes
Copy link
Contributor

@markturansky markturansky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@markturansky markturansky markturansky approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremyeder @markturansky