
MLE-30362: Operator contains a new vulnerable package (BDSA-2026-11626)#171

Merged
vitalykorolev merged 3 commits into develop from MLE-30362/upgrade-vulnerable-packages on Jun 17, 2026

Conversation

@vitalykorolev

Collaborator

Summary

Upgraded the vulnerable package identified in BDSA-2026-11626 to resolve security issues. Also addressed pre-existing golangci-lint issues within pkg/mlmanage/client.go to improve code quality and compliance with linting standards.

Root cause

The operator included a package with a known security vulnerability (BDSA-2026-11626).

Fix

Upgraded the vulnerable package and made custom lint fixes in pkg/mlmanage/client.go.

Validation

Build: pass
Unit Tests (35 specs): pass
Kustomize: pass
Golangci-lint: pass for pkg/mlmanage/client.go (unrelated pre-existing lint issues persist in pkg/k8sutil/)

Co-authored-by: Vitaly Korolev <vitaly.korolev@marklogic.com>
Copilot AI review requested due to automatic review settings June 15, 2026 20:10

Copilot AI left a comment

Contributor


Pull request overview

This PR updates Go module dependencies to remediate a reported vulnerable package (BDSA-2026-11626) by bumping several golang.org/x/* indirect dependencies in the operator’s Go module files.

Changes:

  • Bumped golang.org/x/mod, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text, and golang.org/x/tools to newer patch/minor versions in go.mod.
  • Updated go.sum checksums to match the new module versions (and removed references to the prior versions).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File / Description
go.mod: Upgrades golang.org/x/* indirect dependencies to newer versions to address the vulnerability.
go.sum: Refreshes module checksums to reflect the upgraded dependency versions.

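The review above only says that several golang.org/x/* indirect requirements were bumped; the page never names which module or which fixed version BDSA-2026-11626 refers to. What a reviewer of such a PR wants is a mechanical check that every module the advisory covers is at or above its fixed version in the merged go.mod, rather than trusting a version-number diff by eye. The following is an added example, not code from the MarkLogic operator or this PR: it parses require lines from a constructed go.mod with the standard library only and reports any module below an assumed floor. The sample go.mod, the module versions in it, and the floors in assumedFloors are all hypothetical placeholders, not values from the advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample go.mod (not the operator's real file). Versions are
// placeholders chosen so that exactly one module sits below its floor.
const sampleGoMod = `module example.com/operator

go 1.22

require (
	golang.org/x/mod v0.17.0 // indirect
	golang.org/x/net v0.25.0 // indirect
	golang.org/x/sys v0.20.0 // indirect
)
`

// Assumed minimum safe versions. The advisory on this page does not name
// the affected module or fixed version, so these floors are hypothetical
// and would be replaced with the values from the actual advisory.
var assumedFloors = map[string]string{
	"golang.org/x/mod": "v0.17.0",
	"golang.org/x/net": "v0.26.0",
	"golang.org/x/sys": "v0.20.0",
}

// parseVersion splits "vMAJOR.MINOR.PATCH" (an optional "-pre" or "+meta"
// suffix is ignored) into numeric fields; ok is false on malformed input.
func parseVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// versionLess reports whether a sorts before b on the semver core fields.
// Unparseable versions never compare as "less", so they are not flagged.
func versionLess(a, b string) bool {
	am, an, ap, aok := parseVersion(a)
	bm, bn, bp, bok := parseVersion(b)
	if !aok || !bok {
		return false
	}
	if am != bm {
		return am < bm
	}
	if an != bn {
		return an < bn
	}
	return ap < bp
}

// RequiredVersions extracts module->version pairs from a go.mod's require
// directives, handling both the block form and the single-line form.
// Trailing "// indirect" comments are stripped before the fields are read.
func RequiredVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// BelowFloor returns one finding per module that is older than its floor,
// plus a finding for any floored module that is missing from go.mod, since
// a silently dropped requirement also needs a reviewer's attention.
func BelowFloor(goMod string, floors map[string]string) []string {
	got := RequiredVersions(goMod)
	var bad []string
	for mod, floor := range floors {
		have, present := got[mod]
		if !present {
			bad = append(bad, mod+" not required")
			continue
		}
		if versionLess(have, floor) {
			bad = append(bad, fmt.Sprintf("%s %s < %s", mod, have, floor))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, finding := range BelowFloor(sampleGoMod, assumedFloors) {
		fmt.Println("FAIL:", finding)
	}
}
```

Against the constructed input this reports only golang.org/x/net. On a real branch the check is run against the repository's go.mod, and because the bumped modules here are indirect, the selected version in the build graph is confirmed with `go list -m all` and the checksum consistency with `go mod verify`; `govulncheck ./...` then reports whether any reachable code still depends on a version in the Go vulnerability database.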

rwinieski previously approved these changes Jun 16, 2026

@rwinieski rwinieski left a comment

Collaborator


@vitalykorolev, @pengzhouml, please, we have to merge this PR to get Jenkins into a green state.

#169

@vitalykorolev vitalykorolev merged commit 5850562 into develop Jun 17, 2026
4 checks passed
@vitalykorolev vitalykorolev deleted the MLE-30362/upgrade-vulnerable-packages branch June 17, 2026 02:51