This repository was archived by the owner on Sep 23, 2025. It is now read-only.
Manually upgrade github.com/open-policy-agent/opa -> v1.4.0 #185
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR bumps the github.com/open-policy-agent/opa indirect dependency from v1.1.0 to v1.4.0 (manually overriding the minimum version selected by Go modules) and updates several other indirect module versions to their latest patch releases.
- Manually override OPA to v1.4.0 to address advisory GHSA-6m8w-jc87-6cr7
- Update grpc, grpc-gateway, otelhttp, opencontainers/image-spec, and other indirect dependencies
- Added newer indirect modules pulled in by transitive dependencies
Comments suppressed due to low confidence (2)
go.mod:224
- [nitpick] Add a brief comment above the OPA require line linking to the advisory (GHSA-6m8w-jc87-6cr7) or PR description to clarify why this indirect dependency is being overridden.
- github.com/open-policy-agent/opa v1.1.0 // indirect
go.mod:1
- Run
go mod tidyafter these changes to prune any unused indirect dependencies and ensure the module file is clean.
module github.com/your/repo
| github.com/oklog/ulid v1.3.1 // indirect | ||
| github.com/open-policy-agent/opa v1.1.0 // indirect | ||
| github.com/olekukonko/tablewriter v0.0.5 // indirect | ||
| github.com/open-policy-agent/opa v1.4.0 // indirect |
There was a problem hiding this comment.
Consider upgrading OPA to the latest supported patch release (v1.4.2) instead of v1.4.0 to include all bug fixes and stay aligned with cosign's supported range.
Suggested change
| github.com/open-policy-agent/opa v1.4.0 // indirect | |
| github.com/open-policy-agent/opa v1.4.2 // indirect |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OPA v1.1.0 is pulled in as an indirect dependency through cosign v2.5.0, which actually supports up to v1.4.2. The version downgrade occurs because this fork also includes sigstore/policy-controller as a module, and policy-controller has not upgraded its OPA dependency from v1.1.0. Go's module resolution selects v1.1.0 as the minimum version that satisfies both cosign's and policy-controller's requirements.
Manually bumping this due to GHSA-6m8w-jc87-6cr7 even though it does not affect this repository. The advisory is only relevant when OPA is deployed as a standalone server.