fix: update golang.org/x/oauth2 to v0.27.0 #806

Open
henschwartz wants to merge 2 commits into kubeflow:notebooks-v1 from henschwartz:security-update-golang-x-oauth2-v0_27_0
@henschwartz

Fixes CVE-2025-22868

This PR updates golang.org/x/oauth2 from v0.0.0-20210819190943-2bc19b11175f
to v0.27.0 to address security vulnerabilities identified in the v1.11 release scan.

Changes:

  • Updated golang.org/x/oauth2 to v0.27.0
  • Updated github.com/google/go-cmp to v0.5.9 (dependency of oauth2)
  • Removed google.golang.org/appengine (no longer required)
  • Ran go mod tidy to update dependencies
  • Verified build succeeds with go build

Related: #780
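
A check that could gate this kind of bump in CI, as an added example that is not part of the PR or the project's code: it reads the pinned `golang.org/x/oauth2` version out of go.mod text and compares it with the v0.27.0 floor this PR moves to. The go.mod fragment is constructed, and the helper names `pinnedVersion`, `core` and `meetsFloor` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod fragment; the pin is the old pseudo-version from the PR description.
const sampleGoMod = `module example.com/constructed
require (
	github.com/google/go-cmp v0.5.9
	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect
)`

// pinnedVersion returns the required version of module; "mod => target" replace lines are skipped.
func pinnedVersion(gomod, module string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module && strings.HasPrefix(f[1], "v") {
			return f[1], true
		}
	}
	return "", false
}

// core parses major, minor, patch from "vX.Y.Z", ignoring any "-pre" or "+meta" suffix.
func core(v string) (n [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err
}

// meetsFloor: pinned >= floor (a release tag); "vX.Y.Z-..." sorts below release vX.Y.Z.
func meetsFloor(pinned, floor string) (bool, error) {
	p, errP := core(pinned)
	f, errF := core(floor)
	if errP != nil || errF != nil {
		return false, fmt.Errorf("unparsable version: %q or %q", pinned, floor)
	}
	for i := range p {
		if p[i] != f[i] {
			return p[i] > f[i], nil
		}
	}
	return !strings.Contains(pinned, "-"), nil
}

func main() {
	v, _ := pinnedVersion(sampleGoMod, "golang.org/x/oauth2")
	fmt.Println(meetsFloor(v, "v0.27.0"))
}
```

A `replace` directive can still redirect the module elsewhere, so a gate like this covers only the `require` pin.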

@github-project-automation github-project-automation bot moved this to Needs Triage in Kubeflow Notebooks Dec 15, 2025
@google-oss-prow google-oss-prow bot added the area/controller area - related to controller components label Dec 15, 2025
@google-oss-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign thesuperzapper for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot added area/v1 area - version - kubeflow notebooks v1 size/S labels Dec 15, 2025
Fixes CVE-2025-22868

This PR updates golang.org/x/oauth2 from v0.0.0-20210819190943-2bc19b11175f
to v0.27.0 to address security vulnerabilities identified in the v1.11 release scan.

Changes:
- Updated golang.org/x/oauth2 to v0.27.0
- Updated github.com/google/go-cmp to v0.5.9 (dependency of oauth2)
- Removed google.golang.org/appengine (no longer required)
- Ran go mod tidy to update dependencies
- Verified build succeeds with go build

Related: kubeflow#780 (PR 3)
Signed-off-by: Hen Schwartz <hschwart@hschwart-thinkpadp1gen7.raanaii.csb>
@henschwartz henschwartz force-pushed the security-update-golang-x-oauth2-v0_27_0 branch from f9d7d99 to e0b92b8 Compare January 14, 2026 09:35
…date-golang-x-oauth2-v0_27_0

Signed-off-by: Hen Schwartz <hschwart@hschwart-thinkpadp1gen7.raanaii.csb>

# Conflicts:
#	components/notebook-controller/go.mod
@andyatmiami
Contributor

/ok-to-test

@andyatmiami andyatmiami left a comment

@henschwartz - thanks for your patience and sorry it's taken so long for me to turn attention back to this PR!

I realize this is a wildly trivial change - but just to be safe/proper - can you rebase this PR on the latest of notebooks-v1 branch so I can test it in conjunction with other dependency updates that have been merged.

This is the next (and I think last!) notebook-controller PR I am focusing on - so I DO NOT expect to need to ask you for any further rebases.

ℹ️ Please make sure to rebase this PR (not pull in merge commits, etc). Ideally there should just be a single commit with your changes on this branch

THANKS

Labels

area/controller area - related to controller components area/v1 area - version - kubeflow notebooks v1 ok-to-test size/S

Projects

Status: Needs Triage

2 participants