
chore(deps): update google.golang.org/genproto/googleapis/rpc digest to 87f3d3e - autoclosed #198

Closed
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/google.golang.org-genproto-googleapis-rpc-digest

Conversation

red-hat-konflux Bot (Contributor) commented Jun 22, 2026

This PR contains the following updates:

Package: google.golang.org/genproto/googleapis/rpc
Type: indirect
Update: digest
Change: 7ab31c2 -> 87f3d3e

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jun 22, 2026
@openshift-ci openshift-ci Bot requested review from joshuawilson and onmete June 22, 2026 12:19
coderabbitai Bot commented Jun 22, 2026
📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated an indirect dependency to a newer version.

Walkthrough

The indirect dependency google.golang.org/genproto/googleapis/rpc in go.mod is bumped from pseudo-version v0.0.0-20260610212136-7ab31c22f7ad to v0.0.0-20260618152121-87f3d3e198d3. No other changes are made.

Changes

Dependency Bump

Layer / File(s) Summary
genproto/googleapis/rpc indirect bump
go.mod
Updates the single indirect requirement google.golang.org/genproto/googleapis/rpc to a newer pseudo-version dated 2026-06-18.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: updating a Go dependency digest for google.golang.org/genproto/googleapis/rpc.
Description check ✅ Passed The description is related to the changeset, providing a table of the dependency update with before/after digest values.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

…to 87f3d3e

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-googleapis-rpc-digest branch from eeae2ee to a27b324 Compare June 22, 2026 17:10
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 22, 2026
openshift-ci Bot commented Jun 22, 2026

New changes are detected. LGTM label has been removed.

openshift-ci Bot commented Jun 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 97: Update the OpenTelemetry packages to address critical security
vulnerabilities. In the go.mod file, upgrade go.opentelemetry.io/otel (currently
v1.39.0) and go.opentelemetry.io/otel/sdk (currently v1.39.0) to v1.41.0 or
later to patch CVE-2026-24051 (PATH hijacking in otel/sdk) and CVE-2026-29181
(DoS via baggage header extraction). Run go get -u
go.opentelemetry.io/otel@v1.41.0 and go get -u
go.opentelemetry.io/otel/sdk@v1.41.0 to update both dependencies.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b5b52a22-e356-458e-b76d-b9cb73f8def0

📥 Commits

Reviewing files that changed from the base of the PR and between eeae2ee and a27b324.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum, !go.sum
📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)

Comment thread go.mod
gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260618152121-87f3d3e198d3 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260610212136-7ab31c22f7ad // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260618152121-87f3d3e198d3 // indirect
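Review bot: the hunk changes only go.mod, while go.sum was excluded from this review by the `!**/*.sum` path filter; confirm that the go.sum entries for google.golang.org/genproto/googleapis/rpc v0.0.0-20260618152121-87f3d3e198d3 (both the module hash and the `/go.mod` hash) landed in the same commit, otherwise builds with `-mod=readonly` and `go mod verify` fail. The new pseudo-version carries the same timestamp and commit hash as the googleapis/api line directly above it, so the two genproto modules are once again pinned to one upstream commit, which is the expected state after this bump.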


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, check the current go.mod file to verify lines 9, 11, 96-97
head -100 go.mod | tail -n +1 | cat -n

Repository: openshift/lightspeed-agentic-operator

Length of output: 5539


🏁 Script executed:

#!/bin/bash
# Get specific lines around the mentioned dependencies
sed -n '1,20p' go.mod
echo "---"
sed -n '90,100p' go.mod

Repository: openshift/lightspeed-agentic-operator

Length of output: 1367


🌐 Web query:

OpenTelemetry v1.39.0 CVE GHSA-mh2q-q3fh-2475 GO-2026-4394 vulnerabilities

💡 Result:

OpenTelemetry v1.39.0 is affected by two distinct security vulnerabilities documented in early 2026. 1. PATH Hijacking Vulnerability (GO-2026-4394 / CVE-2026-24051) This vulnerability affects the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk) [1][2]. - Details: It allows for Arbitrary Code Execution (ACE) via untrusted search paths (PATH hijacking) on macOS/Darwin systems [3][4]. The issue originates in the resource detection code (sdk/resource/host_id.go), which executes the ioreg system command using an insecure search path [3][4]. - Affected Versions: v1.21.0 through v1.39.0 [3][2]. - Fix: Patched in v1.40.0 [3][2]. 2. Baggage Header Extraction Vulnerability (GHSA-mh2q-q3fh-2475 / CVE-2026-29181) This vulnerability affects the OpenTelemetry Go baggage package (go.opentelemetry.io/otel/baggage) [5][6]. - Details: A remote denial-of-service (DoS) amplification vulnerability exists where multi-value baggage header extraction causes excessive CPU usage and memory allocations [5][7][8]. The parser processes each header value independently and aggregates members, allowing an attacker to bypass per-value parsing limits by sending numerous baggage header lines [5][9]. - Affected Versions: v1.36.0 through v1.40.0 [5][6][8]. - Fix: Patched in v1.41.0 [5][8]. Users running version 1.39.0 are vulnerable to both issues and are advised to upgrade to the latest available version (at least v1.41.0) to address these risks [5][3][8].


Upgrade OpenTelemetry packages from v1.39.0 to v1.41.0+; genproto update is safe.

The genproto update on line 97 (pseudo-version bump to 87f3d3e198d3) is routine and safe—no CVEs flagged for this module.

However, the direct dependencies on lines 9 and 11 (go.opentelemetry.io/otel v1.39.0 and go.opentelemetry.io/otel/sdk v1.39.0) are vulnerable to confirmed CVEs:

Upgrade to v1.41.0 or later to patch both issues. This is a blocking supply chain security concern.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 97, Update the OpenTelemetry packages to address critical
security vulnerabilities. In the go.mod file, upgrade go.opentelemetry.io/otel
(currently v1.39.0) and go.opentelemetry.io/otel/sdk (currently v1.39.0) to
v1.41.0 or later to patch CVE-2026-24051 (PATH hijacking in otel/sdk) and
CVE-2026-29181 (DoS via baggage header extraction). Run go get -u
go.opentelemetry.io/otel@v1.41.0 and go get -u
go.opentelemetry.io/otel/sdk@v1.41.0 to update both dependencies.

Sources: Coding guidelines, Linters/SAST tools
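The review above turns on a simple question a dependency gate can answer mechanically: does a pinned version of a module fall inside an advisory's affected range? The following Go program is an added example written for this page, not code from the openshift/lightspeed-agentic-operator project or from CodeRabbit. It parses the `require` lines of a go.mod, compares each pinned version against a small advisory table, and reports modules still inside an affected range. The go.mod text is a constructed excerpt, and the two advisory ranges are copied from the review comment (CVE-2026-24051 affecting go.opentelemetry.io/otel/sdk v1.21.0 through v1.39.0, fixed in v1.40.0; CVE-2026-29181 affecting v1.36.0 through v1.40.0, fixed in v1.41.0); mapping the second advisory onto the go.opentelemetry.io/otel module follows the review's own upgrade advice, since the baggage package ships in that module. Pseudo-versions such as the genproto digest on this PR parse to v0.0.0 so they can be compared like any other version.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for this example; not the project's real file.
const sampleGoMod = `module example.com/constructed

go 1.24

require (
	go.opentelemetry.io/otel v1.39.0
	go.opentelemetry.io/otel/sdk v1.39.0
	google.golang.org/genproto/googleapis/rpc v0.0.0-20260618152121-87f3d3e198d3 // indirect
)
`

// Advisory is one inclusive affected range for a module path.
type Advisory struct {
	ID      string
	Module  string
	MinBad  string // first affected version
	MaxBad  string // last affected version
	FixedIn string // first version carrying the fix
}

// Ranges taken from the review comment above; the baggage CVE is attributed
// to the go.opentelemetry.io/otel module as that comment advises.
var advisories = []Advisory{
	{"CVE-2026-24051", "go.opentelemetry.io/otel/sdk", "v1.21.0", "v1.39.0", "v1.40.0"},
	{"CVE-2026-29181", "go.opentelemetry.io/otel", "v1.36.0", "v1.40.0", "v1.41.0"},
}

// parseVersion turns "v1.39.0" or a pseudo-version such as
// "v0.0.0-20260618152121-87f3d3e198d3" into major/minor/patch integers.
// Pre-release and build suffixes are dropped for the range comparison.
func parseVersion(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("unexpected version %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component in %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersion returns -1, 0 or 1 in the usual ordering.
func compareVersion(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// ParseRequires collects module path -> version from both single-line
// "require path version" statements and "require ( ... )" blocks,
// ignoring trailing comments such as "// indirect".
func ParseRequires(goMod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 {
			reqs[fields[0]] = fields[1]
		} else if !inBlock && len(fields) == 3 && fields[0] == "require" {
			reqs[fields[1]] = fields[2]
		}
	}
	return reqs
}

// Findings returns one line per pinned module that sits inside an advisory's
// affected range, in advisory-table order.
func Findings(goMod string) []string {
	reqs := ParseRequires(goMod)
	var out []string
	for _, adv := range advisories {
		ver, ok := reqs[adv.Module]
		if !ok {
			continue
		}
		got, err := parseVersion(ver)
		if err != nil {
			out = append(out, fmt.Sprintf("%s: cannot parse %s@%s: %v", adv.ID, adv.Module, ver, err))
			continue
		}
		lo, _ := parseVersion(adv.MinBad)
		hi, _ := parseVersion(adv.MaxBad)
		if compareVersion(got, lo) >= 0 && compareVersion(got, hi) <= 0 {
			out = append(out, fmt.Sprintf("%s: %s@%s is in affected range [%s, %s]; upgrade to %s or later",
				adv.ID, adv.Module, ver, adv.MinBad, adv.MaxBad, adv.FixedIn))
		}
	}
	return out
}

func main() {
	for _, f := range Findings(sampleGoMod) {
		fmt.Println(f)
	}
}
```

Run against the constructed excerpt it reports both OTel modules at v1.39.0 and says nothing about the genproto line; replacing both with v1.41.0 yields no findings, while v1.40.0 clears only the otel/sdk advisory, matching the ranges the review quotes. The comparison deliberately ignores pre-release suffixes, so a gate built on this should treat a pseudo-version as the base version it points at rather than as a release.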

openshift-ci Bot commented Jun 22, 2026

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 23, 2026
openshift-ci Bot commented Jun 23, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update google.golang.org/genproto/googleapis/rpc digest to 87f3d3e chore(deps): update google.golang.org/genproto/googleapis/rpc digest to 87f3d3e - autoclosed Jun 23, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jun 23, 2026
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/main/google.golang.org-genproto-googleapis-rpc-digest branch June 23, 2026 21:27

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.
