Bump golang.org/x/crypto from 0.48.0 to 0.49.0 #68

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/golang.org/x/crypto-0.49.0

@dependabot dependabot bot commented on behalf of github Mar 14, 2026

Bumps golang.org/x/crypto from 0.48.0 to 0.49.0.

Commits
  • 982eaa6 go.mod: update golang.org/x dependencies
  • 159944f ssh,acme: clean up tautological/impossible nil conditions
  • a408498 acme: only require prompt if server has terms of service
  • cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
  • 2f26647 x509roots/fallback: update bundle
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated multiple indirect dependencies to newer versions.

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.48.0 to 0.49.0.
- [Commits](golang/crypto@v0.48.0...v0.49.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Mar 14, 2026
@openshift-ci openshift-ci bot requested review from petr-muller and smg247 March 14, 2026 13:52

openshift-ci bot commented Mar 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign petr-muller for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai bot commented Mar 14, 2026

Walkthrough

Updates six indirect Go module dependencies to newer patch and minor versions: golang.org/x/crypto, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text. No direct dependencies or public APIs are affected.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Go Module Dependencies (go.mod) | Bumps six indirect golang.org/x dependencies to newer versions: crypto (v0.48.0→v0.49.0), net (v0.49.0→v0.51.0), sync (v0.19.0→v0.20.0), sys (v0.41.0→v0.42.0), term (v0.40.0→v0.41.0), text (v0.34.0→v0.35.0). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The title specifically mentions bumping golang.org/x/crypto from 0.48.0 to 0.49.0, which is one of multiple dependency upgrades in the changeset. However, the PR actually bumps six Go module dependencies, not just this one, making the title incomplete and misleading about the full scope of changes. | Update the title to reflect all dependencies being bumped, such as 'Bump Go module dependencies (crypto, net, sync, sys, term, text)' or use a more general description like 'Bump golang.org/x indirect dependencies' to accurately represent the comprehensive nature of the changes. |

✅ Passed checks (6 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Go Error Handling | ✅ Passed | This PR only modifies go.mod to update indirect dependency versions and contains no Go source code changes, making the error handling check not applicable. |
| Sql Injection Prevention | ✅ Passed | This PR contains only Go module dependency version updates in go.mod with no SQL code, database functionality, or query construction present in the repository. |
| React: Use Styled Components For Excessive Css | ✅ Passed | The custom check for React StyledComponents usage is not applicable to this PR, which exclusively updates Go module versions in go.mod without modifying any React components, inline CSS, or JavaScript/TypeScript code. |
| Single Responsibility And Clear Naming | ✅ Passed | This PR exclusively updates Go module dependency versions with no source code changes, making the code quality naming check inapplicable. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 17: go.mod declares Go 1.25.0 but Dockerfile.buildroot installs "go"
without a version pin; update Dockerfile.buildroot to explicitly install Go 1.25
(or later) to match go.mod and the golang.org/x/crypto v0.49.0 dependency.
Modify the Dockerfile.buildroot installation step that currently runs "dnf
install -y git go make npm" to either install the distro package that provides
golang-1.25 (or a module name like golang-1.25 if available) or download and
install the official Go 1.25 tarball and set GOROOT/GOPATH accordingly; ensure
the change targets the Dockerfile.buildroot ADD/INSTALL step and any build
scripts that assume "go" so the container uses Go 1.25 at build time.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 77de8b9e-0ba9-4a52-bd40-a28ecbc90aca

📥 Commits

Reviewing files that changed from the base of the PR and between a8dfbd8 and 8ca8ed0.

⛔ Files ignored due to path filters (14)
  • go.sum is excluded by !**/*.sum, !go.sum
  • vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !vendor/**
  • vendor/golang.org/x/net/http2/http2.go is excluded by !vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**
  • vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !vendor/**
  • vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**
  • vendor/golang.org/x/sys/windows/aliases.go is excluded by !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**
  • vendor/modules.txt is excluded by !vendor/**
📒 Files selected for processing (1)
  • go.mod

github.com/slack-go/slack v0.19.0
github.com/stretchr/testify v1.11.1
golang.org/x/crypto v0.48.0
golang.org/x/crypto v0.49.0
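
Review bot: the new golang.org/x/crypto v0.49.0 line carries no `// indirect` marker and sits next to slack-go/slack and testify, which agrees with the commit's `dependency-type: direct:production` and not with the walkthrough's description of six indirect dependencies. Review it as a direct bump: check any package here that imports x/crypto against the v0.49.0 commit list (the ssh and acme nil-condition cleanup and the acme terms-of-service prompt change), and confirm that go.sum and vendor/modules.txt, which the path filters exclude from automated review, were regenerated in the same commit.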

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Read-only check for Go version pins in common CI/build configs.
fd -H 'go.mod|Dockerfile|Dockerfile.*|.*\.ya?ml|Makefile' . \
  | xargs -r rg -n -C2 '(^go 1\.)|(golang:1\.)|(setup-go)|(GO_VERSION)|(go-version)'
```

Repository: openshift-eng/ship-status-dash

Length of output: 1193


🏁 Script executed:

```bash
#!/bin/bash
# Search for CI/workflow configuration more specifically
echo "=== Searching .github/workflows/ for Go version pins ==="
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" 2>/dev/null | xargs -r rg -n -C2 'go.*1\.[0-9]+|golang:[0-9]+\.[0-9]+' 2>/dev/null || echo "No .github/workflows found or no matches"

echo -e "\n=== Checking for other CI configs ==="
fd -H '\.circleci|\.gitlab-ci|jenkins|\.travis\.yml|\.drone\.yml' . 2>/dev/null | head -20

echo -e "\n=== Listing all non-vendor config files at repo root ==="
find . -maxdepth 1 -type f \( -name "*.yml" -o -name "*.yaml" -o -name "Dockerfile*" -o -name "Makefile" \) 2>/dev/null | grep -v vendor

echo -e "\n=== Confirming go.mod content ==="
head -5 go.mod
```

Repository: openshift-eng/ship-status-dash

Length of output: 947


🏁 Script executed:

```bash
#!/bin/bash
# Check key config files for Go version pins
echo "=== Dockerfile.buildroot content ==="
cat ./Dockerfile.buildroot

echo -e "\n=== Makefile content (limited to key lines) ==="
head -50 ./Makefile

echo -e "\n=== .golangci.yml content ==="
cat ./.golangci.yml
```

Repository: openshift-eng/ship-status-dash

Length of output: 2941


Pin Go version in Dockerfile.buildroot to match go.mod requirement.

The go.mod declares Go 1.25.0 (line 3), but Dockerfile.buildroot installs Go without a version pin (dnf install -y git go make npm). UBI 9 default repositories do not provide Go 1.25—this will cause the build to fail or use an incompatible Go version. Update the Dockerfile to explicitly install Go 1.25 (or later) to align with the golang.org/x/crypto v0.49.0 dependency and the module's declared version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 17, go.mod declares Go 1.25.0 but Dockerfile.buildroot
installs "go" without a version pin; update Dockerfile.buildroot to explicitly
install Go 1.25 (or later) to match go.mod and the golang.org/x/crypto v0.49.0
dependency. Modify the Dockerfile.buildroot installation step that currently
runs "dnf install -y git go make npm" to either install the distro package that
provides golang-1.25 (or a module name like golang-1.25 if available) or
download and install the official Go 1.25 tarball and set GOROOT/GOPATH
accordingly; ensure the change targets the Dockerfile.buildroot ADD/INSTALL step
and any build scripts that assume "go" so the container uses Go 1.25 at build
time.
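
A build-time guard for the mismatch this review describes, as an added example that is not part of the PR or the repository: it reads the `go` directive from go.mod and fails when the toolchain version it is given is older. The function names and the invocation convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail early when the Go toolchain is older than go.mod's `go` directive.
# Function names are hypothetical; nothing here comes from the repository.

# Print the version named by the `go` directive of a go.mod file (e.g. "1.25.0").
go_directive() {
    awk '$1 == "go" && NF >= 2 { print $2; exit }' "$1"
}

# Return 0 when version $1 >= version $2, comparing major.minor.patch numerically
# (a plain string comparison would rank 1.9 above 1.25).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_toolchain <go.mod> <toolchain-version>
# The version is passed in so the check also runs where Go is not installed;
# in an image build it would come from `go env GOVERSION` with the "go" prefix removed.
check_toolchain() {
    required=$(go_directive "$1")
    [ -n "$required" ] || { echo "no go directive in $1" >&2; return 2; }
    if version_ge "$2" "$required"; then
        echo "ok: toolchain $2 satisfies go $required"
    else
        echo "fail: toolchain $2 is older than go $required" >&2
        return 1
    fi
}

# Stand-alone use: ./check.sh go.mod 1.25.0
if [ "$#" -eq 2 ]; then
    check_toolchain "$1" "$2"
fi
```

Run as a step right after the package install in the build image, a non-zero exit stops the build before `go build` reports the version error itself.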
