build(deps): bump the golang group across 2 directories with 2 updates by dependabot[bot] · Pull Request #297 · trusted-execution-clusters/operator

dependabot · 2026-06-26T14:22:02Z

Bumps the golang group with 1 update in the / directory: github.com/cert-manager/cert-manager.
Bumps the golang group with 1 update in the /tools/virtctl directory: kubevirt.io/kubevirt.

Updates github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

Security (HIGH): Remove Challenge create and Order create, patch, update verbs from the cert-manager-edit aggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#8940, @wallrj-cyberark)

Remove issuer owner reference from challenges blocking challenge garbage collection (#8759, @cert-manager-bot)

Other (Cleanup or Flake)

Bump go to 1.26.3, other deps to fix several govulncheck issues (#8789, @SgtCoDFish)

Update Go to v1.26.4 to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#8926, @wallrj-cyberark)

Commits

1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
b352e55 [release-1.20] Update Go to v1.26.4
725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
29ae077 chore(deps): update base images
0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
Additional commits viewable in compare view

Updates kubevirt.io/kubevirt from 1.7.3 to 1.8.4

Release notes

Sourced from kubevirt.io/kubevirt's releases.

v1.8.4

tag v1.8.4 Tagger: Federico Fossemo ffossemo@redhat.com

This release follows v1.8.3 and consists of 31 changes, contributed by 12 people, leading to 60 files changed, 1901 insertions(+), 475 deletions(-).

The source code and selected binaries are available for download at: https://github.com/kubevirt/kubevirt/releases/tag/v1.8.4.

The primary release artifact of KubeVirt is the git tree. The release tag is signed and can be verified using git tag -v v1.8.4.

Pre-built containers are published on Quay and can be viewed at: https://quay.io/kubevirt/.

Notable changes

[PR #17987][Ronilerr] Adding missing metrics, recording rules and alerts for virt components

[PR #17962][UdayYendva] Bump github.com/moby/spdystream from v0.5.0 to v0.5.1 to address CVE-2026-35469 (GHSA-pc3f-x583-g7j2).

[PR #18059][kubevirt-bot] Use --expand-cpu-features and --supported-cpu-features in node-labeller for

[PR #18031][SamAlber] Fixed a gRPC connection leak in virt-handler's GetLauncherClient that caused unbounded memory growth, socket accumulation, and goroutine leaks when multiple controllers raced to create connections for the same VMI.

Contributors

12 people contributed to this release:

6 ronilerr rrabinov@redhat.com 3 Adi Aloni aaloni@redhat.com 2 Samuel Albershtein salbersh@redhat.com 2 bmordeha bmordeha@redhat.com 1 Javier Cano Cano jcanocan@redhat.com 1 Lee Yarwood lyarwood@redhat.com 1 Or Shoval oshoval@redhat.com 1 Oren Cohen ocohen@redhat.com 1 Uday Yendava uyendava@redhat.com 1 fossedihelm ffossemo@redhat.com

Additional Resources

Mailing list: https://groups.google.com/forum/#!forum/kubevirt-dev

Slack: https://kubernetes.slack.com/messages/virtualization

An easy to use demo: https://github.com/kubevirt/demo

How to contribute

License

--- -----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQT336LhfFzgGMwYm4OriYWHZ3eqPAUCai/AYwAKCRCriYWHZ3eq

... (truncated)

Commits

dfaa398 Merge pull request #17901 from dasionov/backport/16759-to-release-1.8
3509dc6 Merge pull request #17662 from kubevirt-bot/cherry-pick-17401-to-release-1.8
85be67f Merge pull request #17987 from Ronilerr/release-1.8-virt-aligment-alerts
dbf6eca Merge pull request #18055 from kubevirt-bot/cherry-pick-17469-to-release-1.8
796e60a Merge pull request #17639 from kubevirt-bot/cherry-pick-17481-to-release-1.8
b14f28a Merge pull request #18056 from kubevirt-bot/cherry-pick-17690-to-release-1.8
94e3b1f Merge pull request #17991 from kubevirt-bot/cherry-pick-17763-to-release-1.8
2719f44 Merge pull request #18078 from kubevirt-bot/cherry-pick-17743-to-release-1.8
3445ac2 Merge pull request #17962 from UdayYendva/release-1.8
6646d1c chore(tests): Add missing virtiofs decorator
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the golang group with 1 update in the / directory: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager). Bumps the golang group with 1 update in the /tools/virtctl directory: [kubevirt.io/kubevirt](https://github.com/kubevirt/kubevirt). Updates `github.com/cert-manager/cert-manager` from 1.20.2 to 1.20.3 - [Release notes](https://github.com/cert-manager/cert-manager/releases) - [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md) - [Commits](cert-manager/cert-manager@v1.20.2...v1.20.3) Updates `kubevirt.io/kubevirt` from 1.7.3 to 1.8.4 - [Release notes](https://github.com/kubevirt/kubevirt/releases) - [Changelog](https://github.com/kubevirt/kubevirt/blob/main/docs/release.md) - [Commits](kubevirt/kubevirt@v1.7.3...v1.8.4) --- updated-dependencies: - dependency-name: github.com/cert-manager/cert-manager dependency-version: 1.20.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: golang - dependency-name: kubevirt.io/kubevirt dependency-version: 1.8.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang ... Signed-off-by: dependabot[bot] <support@github.com>

openshift-ci · 2026-06-26T14:22:13Z

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a trusted-execution-clusters member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Jakob-Naucke · 2026-06-29T09:31:41Z

/ok-to-test

openshift-ci · 2026-06-29T12:02:07Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot], Jakob-Naucke

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 26, 2026

openshift-ci Bot added the needs-ok-to-test label Jun 26, 2026

openshift-ci Bot added ok-to-test and removed needs-ok-to-test labels Jun 29, 2026

Jakob-Naucke approved these changes Jun 29, 2026

View reviewed changes

openshift-ci Bot assigned Jakob-Naucke Jun 29, 2026

openshift-ci Bot added the lgtm label Jun 29, 2026

Jakob-Naucke merged commit 036e89e into main Jun 29, 2026
18 checks passed

Jakob-Naucke deleted the dependabot/go_modules/golang-cc0e88f2bf branch June 29, 2026 12:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): bump the golang group across 2 directories with 2 updates#297

build(deps): bump the golang group across 2 directories with 2 updates#297
Jakob-Naucke merged 1 commit into
mainfrom
dependabot/go_modules/golang-cc0e88f2bf

dependabot Bot commented on behalf of github Jun 26, 2026

Uh oh!

openshift-ci Bot commented Jun 26, 2026

Uh oh!

Jakob-Naucke commented Jun 29, 2026

Uh oh!

openshift-ci Bot commented Jun 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 26, 2026

v1.20.3

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

v1.8.4

Notable changes

Contributors

Additional Resources

Uh oh!

openshift-ci Bot commented Jun 26, 2026

Uh oh!

Jakob-Naucke commented Jun 29, 2026

Uh oh!

openshift-ci Bot commented Jun 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant