Security fixes, Azure annotation guard, and version command#17

Open
msupinodn wants to merge 1 commit into main from security-fixes-and-version
@msupinodn
Collaborator

  • Bump Go from 1.25.0 to 1.25.8 (fixes 8 stdlib CVEs in crypto/tls, crypto/x509, net/url, html/template, os)
  • Bump go.opentelemetry.io/otel/sdk from v1.36.0 to v1.40.0 (fixes CVE-2026-24051 HIGH: arbitrary code execution via PATH hijacking)
  • Fix directory permissions: 0666/os.ModePerm -> 0750 in deploy/deploy.go and topo/node/node.go
  • Harden Dockerfiles: pin base images, add non-root USER, use --no-install-recommends, multi-stage distroless build for wire/forward and webhook
  • Only apply Azure LB annotations on AKS clusters (was unconditional, causing unnecessary 10-min polling on non-Azure setups)
  • Add 'kne version' subcommand with git commit/tag injected via ldflags

Made-with: Cursor
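
Added example, not code from this pull request: the directory-permission item above replaces 0666 and os.ModePerm with 0750. The Go program below shows why each old mode is wrong for a directory and creates one with exactly 0750 regardless of umask; `auditDirMode` and `mkdirPrivate` are hypothetical names, not functions from the project.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// auditDirMode lists the problems a permission mode has when applied to a directory.
func auditDirMode(mode fs.FileMode) []string {
	var issues []string
	perm := mode.Perm()
	if perm&0o100 == 0 {
		issues = append(issues, "owner has no search (x) bit, so entries cannot be opened")
	}
	if perm&0o007 != 0 {
		issues = append(issues, "accessible to users outside the owning user and group")
	}
	return issues
}

// mkdirPrivate creates path (and parents) and forces the leaf to exactly 0750,
// because the mode passed to MkdirAll is still filtered by the process umask.
func mkdirPrivate(path string) (fs.FileMode, error) {
	if err := os.MkdirAll(path, 0o750); err != nil {
		return 0, err
	}
	if err := os.Chmod(path, 0o750); err != nil {
		return 0, err
	}
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	for _, m := range []fs.FileMode{0o666, os.ModePerm, 0o750} {
		fmt.Printf("%04o: %v\n", uint32(m), auditDirMode(m))
	}
	tmp, err := os.MkdirTemp("", "perm-example-") // constructed scratch directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	fmt.Println(mkdirPrivate(filepath.Join(tmp, "out")))
}
```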

@msupinodn force-pushed the security-fixes-and-version branch 2 times, most recently from 49b641e to 2584394 (March 15, 2026 13:40)
@coveralls

Pull Request Test Coverage Report for Build 23111509329

Details

  • 2 of 19 (10.53%) changed or added relevant lines in 5 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage decreased (-0.03%) to 39.441%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| topo/node/drivenets/drivenets.go | 0 | 3 | 0.0% |
| version/version.go | 0 | 6 | 0.0% |
| cmd/root.go | 0 | 8 | 0.0% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| cmd/root.go | 1 | 4.73% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 21798378248: | -0.03% |
| Covered Lines: | 4858 |
| Relevant Lines: | 12317 |

💛 - Coveralls

- Bump Go from 1.25.0 to 1.25.8 (fixes 8 stdlib CVEs in crypto/tls,
  crypto/x509, net/url, html/template, os)
- Bump go.opentelemetry.io/otel/sdk from v1.36.0 to v1.40.0
  (fixes CVE-2026-24051 HIGH: arbitrary code execution via PATH hijacking)
- Fix directory permissions: 0666/os.ModePerm -> 0750 in deploy/deploy.go
  and topo/node/node.go
- Harden Dockerfiles: pin base images, add non-root USER, use
  --no-install-recommends, multi-stage distroless build for wire/forward
  and webhook
- Only apply Azure LB annotations on AKS clusters (was unconditional,
  causing unnecessary 10-min polling on non-Azure setups)
- Add 'kne version' subcommand with git commit/tag injected via ldflags
- Update CI: Go 1.25, golangci-lint v2 via action v9, inline workflow

Made-with: Cursor

@msupinodn force-pushed the security-fixes-and-version branch from 2584394 to 43c286b (March 15, 2026 13:44)