NO-ISSUE: Synchronize From Upstream Repositories #1286

Merged
openshift-merge-bot[bot] merged 19 commits into openshift:main from openshift-bot:synchronize-upstream
May 4, 2026

Conversation

@openshift-bot openshift-bot commented May 1, 2026

The staging/ and vendor/ directories have been synchronized from the upstream repositories, pulling in the following commits:

| Date | Commit | Author | Message |
|---|---|---|---|
| 2026-04-29 15:21:34 | operator-framework/operator-lifecycle-manager@02c6b44 | dependabot[bot] | 🌱 Bump github.com/operator-framework/operator-registry (#3819) |
| 2026-04-29 15:43:48 | operator-framework/operator-lifecycle-manager@06b8e70 | dependabot[bot] | 🌱 Bump github.com/onsi/ginkgo/v2 from 2.28.1 to 2.28.2 (#3818) |
| 2026-03-30 17:53:53 | operator-framework/operator-registry@7cd3ded | Francesco Giudici | Add fgiudici as reviewer (#1943) |
| 2026-03-31 12:46:34 | operator-framework/operator-registry@e174783 | dependabot[bot] | Bump github.com/mattn/go-sqlite3 from 1.14.37 to 1.14.38 (#1944) |
| 2026-04-02 19:10:56 | operator-framework/operator-registry@80b5294 | dependabot[bot] | Bump google.golang.org/grpc from 1.79.3 to 1.80.0 (#1945) |
| 2026-04-03 15:34:25 | operator-framework/operator-registry@819a5ef | Jordan Keister | substitutes template protects against reuse of base/candidate in same template (#1942) |
| 2026-04-03 15:59:09 | operator-framework/operator-registry@e98c3a3 | dependabot[bot] | Bump github.com/maxbrunsfeld/counterfeiter/v6 from 6.12.1 to 6.12.2 (#1946) |
| 2026-04-07 09:17:54 | operator-framework/operator-registry@93adf40 | dependabot[bot] | Bump go.podman.io/common from 0.67.0 to 0.67.1 (#1949) |
| 2026-04-13 11:32:04 | operator-framework/operator-registry@f0110e5 | dependabot[bot] | Bump github.com/docker/cli (#1953) |
| 2026-04-13 11:37:36 | operator-framework/operator-registry@afe9210 | dependabot[bot] | Bump github.com/grpc-ecosystem/grpc-health-probe from 0.4.47 to 0.4.48 (#1952) |
| 2026-04-13 11:40:25 | operator-framework/operator-registry@17b1d05 | dependabot[bot] | Bump github.com/mattn/go-sqlite3 from 1.14.38 to 1.14.42 (#1956) |
| 2026-04-13 11:48:42 | operator-framework/operator-registry@d7bc697 | dependabot[bot] | Bump github.com/distribution/distribution/v3 from 3.0.0 to 3.1.0 (#1951) |
| 2026-04-13 11:51:25 | operator-framework/operator-registry@fa8d809 | dependabot[bot] | Bump the golang-x-deps group across 1 directory with 3 updates (#1957) |
| 2026-04-14 08:53:03 | operator-framework/operator-registry@b0a9c7c | Jordan Keister | update owners (#1958) |
| 2026-04-15 09:54:33 | operator-framework/operator-registry@f2e278c | dependabot[bot] | Bump github.com/containerd/containerd from 1.7.30 to 1.7.31 (#1959) |
| 2026-04-15 19:11:10 | operator-framework/operator-registry@2c26996 | Joe Lanford | fix: hex-encode OCI layout image name to avoid validation errors (#1954) |
| 2026-04-16 06:59:50 | operator-framework/operator-registry@12f8cdd | dependabot[bot] | Bump the k8s-dependencies group with 4 updates (#1960) |
| 2026-04-21 13:36:20 | operator-framework/operator-registry@65110ac | dependabot[bot] | Bump github.com/docker/cli (#1962) |
| 2026-04-21 13:39:06 | operator-framework/operator-registry@3855305 | Jordan Keister | prune unused dockerfiles & build targets (#1961) |

This pull request is expected to merge without any human intervention. If tests are failing here, changes must land upstream to fix any issues so that future downstreaming efforts succeed.

/assign @openshift/openshift-team-operator-runtime

dependabot Bot and others added 19 commits May 1, 2026 00:02
Bumps [github.com/operator-framework/operator-registry](https://github.com/operator-framework/operator-registry) from 1.65.0 to 1.66.0.
- [Release notes](https://github.com/operator-framework/operator-registry/releases)
- [Commits](operator-framework/operator-registry@v1.65.0...v1.66.0)

---
updated-dependencies:
- dependency-name: github.com/operator-framework/operator-registry
  dependency-version: 1.66.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: 02c6b44d8065b58b2f40afacce1493fa94a9a68d
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.28.1 to 2.28.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.1...v2.28.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.28.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: 06b8e709ef70a532a0f08fea76f43f04bce9ba8b
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Upstream-repository: operator-registry
Upstream-commit: 7cd3dedd6b6c859bbba0b0437eaaeabfb97ecc91
Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.37 to 1.14.38.
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](mattn/go-sqlite3@v1.14.37...v1.14.38)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.38
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: e17478334179a6ca26fe0b14c9acf958bbb821b6
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.79.3 to 1.80.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.79.3...v1.80.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.80.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: 80b52944a5ee7486cef32ad913e5b4b2a92990b2
… template (#1942)

Signed-off-by: grokspawn <jordan@nimblewidget.com>
Upstream-repository: operator-registry
Upstream-commit: 819a5effa9ab28bc58ed28b86cd07ea22ea8d6d3
…#1946)

Bumps [github.com/maxbrunsfeld/counterfeiter/v6](https://github.com/maxbrunsfeld/counterfeiter) from 6.12.1 to 6.12.2.
- [Release notes](https://github.com/maxbrunsfeld/counterfeiter/releases)
- [Commits](maxbrunsfeld/counterfeiter@v6.12.1...v6.12.2)

---
updated-dependencies:
- dependency-name: github.com/maxbrunsfeld/counterfeiter/v6
  dependency-version: 6.12.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: e98c3a3aed9cd37c607f3e6333453f405fce0e5d
Bumps [go.podman.io/common](https://github.com/containers/container-libs) from 0.67.0 to 0.67.1.
- [Release notes](https://github.com/containers/container-libs/releases)
- [Commits](containers/container-libs@common/v0.67.0...common/v0.67.1)

---
updated-dependencies:
- dependency-name: go.podman.io/common
  dependency-version: 0.67.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: 93adf40ac48c93c2ea32a6231b2c64b32907e1cf
Bumps [github.com/docker/cli](https://github.com/docker/cli) from 29.3.1+incompatible to 29.4.0+incompatible.
- [Commits](docker/cli@v29.3.1...v29.4.0)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.4.0+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: f0110e537a91eb83c78223e20a3fc1b74e78007b
…8 (#1952)

Bumps [github.com/grpc-ecosystem/grpc-health-probe](https://github.com/grpc-ecosystem/grpc-health-probe) from 0.4.47 to 0.4.48.
- [Release notes](https://github.com/grpc-ecosystem/grpc-health-probe/releases)
- [Commits](grpc-ecosystem/grpc-health-probe@v0.4.47...v0.4.48)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/grpc-health-probe
  dependency-version: 0.4.48
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: afe921098c494a4ea6ea9143d49cf40e91fdf68c
Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.38 to 1.14.42.
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](mattn/go-sqlite3@v1.14.38...v1.14.42)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.42
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: 17b1d05da78882a5fb238fc8750bf559a7f92169
Bumps [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/distribution/distribution/releases)
- [Commits](distribution/distribution@v3.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: github.com/distribution/distribution/v3
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: d7bc6973c94f0ee6848d9a1c2fcc29ca312e6bca
Bumps the golang-x-deps group with 3 updates in the / directory: [golang.org/x/mod](https://github.com/golang/mod), [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/text](https://github.com/golang/text).

Updates `golang.org/x/mod` from 0.34.0 to 0.35.0
- [Commits](golang/mod@v0.34.0...v0.35.0)

Updates `golang.org/x/sys` from 0.42.0 to 0.43.0
- [Commits](golang/sys@v0.42.0...v0.43.0)

Updates `golang.org/x/text` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-deps
- dependency-name: golang.org/x/sys
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-deps
- dependency-name: golang.org/x/text
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: fa8d8098d30025b93119239c886d89ee261e19a0
Signed-off-by: grokspawn <jordan@nimblewidget.com>
Upstream-repository: operator-registry
Upstream-commit: b0a9c7c8077d274ba126acb12ddae1dae741a5dd
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.30 to 1.7.31.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.30...v1.7.31)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.31
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: f2e278cf8876d53cead02aff2c731b1f6784e884
* test: add regression test for OCI-invalid docker tags

* fix: hex-encode OCI layout image name to avoid validation errors

Docker tags allow characters (e.g. "__") that are not valid in OCI
layout ref.name annotations. Instead of passing the raw image
reference as the OCI layout image name, hex-encode it to produce
a string that always satisfies the OCI ref.name regex.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Upstream-repository: operator-registry
Upstream-commit: 2c26996d5184c9ab19c3264c08cceb695317c6bc
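
The validation failure this commit message describes, as an added Go example that is not operator-registry's code: it checks constructed image references against the OCI image-layout `ref.name` grammar and shows that the hex-encoded form always passes and decodes back to the original. The grammar is transcribed here from the OCI image-layout specification as an assumption; the function names and the registry host are hypothetical.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// component is this example's transcription of the ref.name grammar in the
// OCI image-layout specification (an assumption of the example):
//
//	ref       ::= component ("/" component)*
//	component ::= alphanum (separator alphanum)*
//	alphanum  ::= [A-Za-z0-9]+
//	separator ::= [-._:@+] | "--"
//
// A Docker tag such as "1.4__2" is legal as a tag, but "__" is two
// separators in a row, which this grammar rejects.
const component = `[A-Za-z0-9]+(?:(?:[-._:@+]|--)[A-Za-z0-9]+)*`

var refNameRE = regexp.MustCompile(`^` + component + `(?:/` + component + `)*$`)

// validRefName reports whether s satisfies the ref.name grammar above.
func validRefName(s string) bool {
	return refNameRE.MatchString(s)
}

// encodeLayoutName (hypothetical name) hex-encodes an image reference so the
// result contains only [0-9a-f], which is a single valid "alphanum" run.
// The empty reference is rejected because its encoding would be empty too,
// and an empty ref.name does not match the grammar.
func encodeLayoutName(imageRef string) (string, error) {
	if imageRef == "" {
		return "", errors.New("empty image reference")
	}
	return hex.EncodeToString([]byte(imageRef)), nil
}

// decodeLayoutName reverses encodeLayoutName. Because hex encoding is
// reversible, two different references can never share a layout name.
func decodeLayoutName(name string) (string, error) {
	b, err := hex.DecodeString(name)
	if err != nil {
		return "", fmt.Errorf("layout name %q is not hex: %w", name, err)
	}
	return string(b), nil
}

func main() {
	// Constructed sample references; the host is a placeholder. The
	// repository and the "1.4__2" tag mirror the test data named on the page.
	refs := []string{
		"registry.example.test/olmtest/kiali:1.4.2",
		"registry.example.test/olmtest/kiali:1.4__2",
		"registry.example.test/olmtest/kiali:v1_-rc",
	}
	for _, ref := range refs {
		enc, err := encodeLayoutName(ref)
		if err != nil {
			fmt.Println("encode error:", err)
			continue
		}
		dec, _ := decodeLayoutName(enc)
		fmt.Printf("%-46s raw valid=%-5v encoded valid=%-5v round-trip=%v\n",
			ref, validRefName(ref), validRefName(enc), dec == ref)
	}
}
```
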
Bumps the k8s-dependencies group with 4 updates: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go).

Updates `k8s.io/api` from 0.35.3 to 0.35.4
- [Commits](kubernetes/api@v0.35.3...v0.35.4)

Updates `k8s.io/apiextensions-apiserver` from 0.35.3 to 0.35.4
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.35.3...v0.35.4)

Updates `k8s.io/apimachinery` from 0.35.3 to 0.35.4
- [Commits](kubernetes/apimachinery@v0.35.3...v0.35.4)

Updates `k8s.io/client-go` from 0.35.3 to 0.35.4
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.3...v0.35.4)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-dependencies
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-dependencies
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-dependencies
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: 12f8cddb27fc6e6bf02d7664fa7e3afcd2d32188
Bumps [github.com/docker/cli](https://github.com/docker/cli) from 29.4.0+incompatible to 29.4.1+incompatible.
- [Commits](docker/cli@v29.4.0...v29.4.1)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.4.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-registry
Upstream-commit: 65110ac0385399835377e63068e219f71aac74c1
Signed-off-by: grokspawn <jordan@nimblewidget.com>
Upstream-repository: operator-registry
Upstream-commit: 385530548c3ee00292f86bcb9edb24ec062e425f
@openshift-bot openshift-bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels May 1, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 1, 2026
@openshift-ci-robot

@openshift-bot: This pull request explicitly references no jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented May 1, 2026

Walkthrough

This pull request updates Go module dependencies across the codebase to newer versions, removes two Dockerfiles and a Makefile target, adds validation for substitution template input uniqueness, implements OCI layout reference encoding for image name safety, and extends test coverage with new test cases and test data.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Dependency Updates | go.mod, staging/operator-lifecycle-manager/go.mod, staging/operator-registry/go.mod | Updated versions for multiple direct and indirect dependencies including grpc-health-probe, ginkgo/v2, operator-registry, containerd, docker/cli, grpc-gateway, OpenTelemetry components, and Kubernetes modules. |
| Build Configuration | staging/operator-registry/Makefile, staging/operator-registry/OWNERS, staging/operator-registry/registry.Dockerfile, staging/operator-registry/upstream-opm-builder.Dockerfile | Removed image-upstream Makefile target, updated OWNERS reviewers list (removed anik120, added fgiudici), and deleted two Dockerfile definitions. |
| Substitution Validation | staging/operator-registry/alpha/template/substitutes/substitutes.go, staging/operator-registry/alpha/template/substitutes/substitutes_test.go | Added validation in Render() to ensure substitution bases and names are not reused across substitutions, including error handling and test cases for duplicate base and duplicate name-base mappings. |
| OCI Layout Reference Encoding | staging/operator-registry/pkg/image/containersimageregistry/registry.go | Added layoutKey() helper function to hex-encode image reference strings for OCI layout safety, updating Pull(), Unpack(), and Labels() methods to use encoded keys. |
| Test Enhancements | staging/operator-registry/pkg/image/registry_test.go, staging/operator-registry/pkg/image/testdata/golden/docker/registry/v2/repositories/olmtest/kiali/_manifests/tags/1.4__2/... | Extended test matrix with "by tag" scenario using double-underscore tag (1.4__2), and added corresponding test data manifest link files. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'NO-ISSUE: Synchronize From Upstream Repositories' accurately describes the primary purpose of this PR, which is to synchronize the staging and vendor directories from upstream repositories with multiple upstream commits. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The pull request does not introduce any Ginkgo tests; modified test files use the standard Go testing package. |
| Test Structure And Quality | ✅ Passed | The custom check is designed for Ginkgo test code, but this PR modifies only standard Go testing framework tests, making the check not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR modifies only unit tests (substitutes_test.go, registry_test.go) using testify/require, not Ginkgo e2e tests. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR does not introduce Ginkgo e2e tests; test files are Go standard library unit tests within operator-registry component, not SNO-impacting e2e tests. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR contains only dependency updates, build cleanup, and internal library improvements with no scheduling constraints affecting OpenShift topologies. |
| Ote Binary Stdout Contract | ✅ Passed | Pull request contains dependency updates and localized code changes to validation and utility functions that do not introduce stdout writes in process-level code, maintaining OTE Binary Stdout Contract compliance. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Test modifications in substitutes_test.go and registry_test.go are standard Go unit tests using testing.T framework, not Ginkgo e2e tests. |

@openshift-ci openshift-ci Bot requested review from ankitathomas and pedjak May 1, 2026 00:08
openshift-ci Bot commented May 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: openshift-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@staging/operator-registry/go.mod`:
- Around line 184-201: Multiple OpenTelemetry modules pinned to v1.42.0 (notably
go.opentelemetry.io/otel/sdk v1.42.0 and other entries with v1.42.0) are
vulnerable; update every occurrence of packages currently at v1.42.0 (e.g.,
go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp,
go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk/metric,
go.opentelemetry.io/otel/trace) to v1.43.0 or later in the go.mod entries; run
go mod tidy and vendor (if used) and verify build/tests to ensure no breakage.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ff00f974-474b-452b-84b5-f62488c0ed26

📥 Commits

Reviewing files that changed from the base of the PR and between 9941db6 and 124fd13.

⛔ Files ignored due to path filters (70)
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/httpconv/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • go.mod
  • staging/operator-lifecycle-manager/go.mod
  • staging/operator-registry/Makefile
  • staging/operator-registry/OWNERS
  • staging/operator-registry/alpha/template/substitutes/substitutes.go
  • staging/operator-registry/alpha/template/substitutes/substitutes_test.go
  • staging/operator-registry/go.mod
  • staging/operator-registry/pkg/image/containersimageregistry/registry.go
  • staging/operator-registry/pkg/image/registry_test.go
  • staging/operator-registry/pkg/image/testdata/golden/docker/registry/v2/repositories/olmtest/kiali/_manifests/tags/1.4__2/current/link
  • staging/operator-registry/pkg/image/testdata/golden/docker/registry/v2/repositories/olmtest/kiali/_manifests/tags/1.4__2/index/sha256/a1bec450c104ceddbb25b252275eb59f1f1e6ca68e0ced76462042f72f7057d8/link
  • staging/operator-registry/registry.Dockerfile
  • staging/operator-registry/upstream-opm-builder.Dockerfile
💤 Files with no reviewable changes (3)
  • staging/operator-registry/Makefile
  • staging/operator-registry/upstream-opm-builder.Dockerfile
  • staging/operator-registry/registry.Dockerfile

Comment on lines +184 to +201
go.opentelemetry.io/otel v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.64.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 // indirect
go.opentelemetry.io/otel/log v0.18.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/sdk v1.42.0 // indirect
go.opentelemetry.io/otel/sdk/log v0.18.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
go.opentelemetry.io/otel/trace v1.42.0 // indirect

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Current staged otel sdk pin:"
rg -n 'go\.opentelemetry\.io/otel/sdk v' staging/operator-registry/go.mod

echo
echo "OSV affected/fixed events for GHSA-hfvc-g4fc-pqhx:"
python - <<'PY'
import json, urllib.request
url = "https://api.osv.dev/v1/vulns/GHSA-hfvc-g4fc-pqhx"
data = json.load(urllib.request.urlopen(url))
for a in data.get("affected", []):
    if a.get("package", {}).get("name") == "go.opentelemetry.io/otel/sdk":
        for r in a.get("ranges", []):
            if r.get("type") == "SEMVER":
                print(r.get("events", []))
PY

Repository: openshift/operator-framework-olm

Length of output: 2811


🌐 Web query:

GHSA-hfvc-g4fc-pqhx OpenTelemetry SDK vulnerability

💡 Result:

GHSA-hfvc-g4fc-pqhx is a high-severity vulnerability (CVSS 7.3) in the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk), also tracked as CVE-2026-39883. It is an incomplete fix for the prior GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), which addressed PATH hijacking on Darwin/macOS by using an absolute path for the 'ioreg' command. This vulnerability affects BSD and Solaris platforms (DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris). In sdk/resource/host_id.go, the code executes 'kenv -q smbios.system.uuid' without an absolute path when /etc/hostid does not exist (common on FreeBSD). The exec.Command("kenv", ...) searches $PATH, allowing a local attacker to place a malicious 'kenv' binary earlier in PATH, leading to arbitrary code execution in the application's context during OpenTelemetry resource detection at startup. Affected versions: >=1.15.0 and <=1.42.0. Patched in: 1.43.0 (released 2026-04-03), which uses "/bin/kenv" absolute path. Confirmed in release notes: "WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)". CWE-426: Untrusted Search Path. Attack requires local access to modify PATH or place executable. Upgrade to go.opentelemetry.io/otel/sdk v1.43.0 or later. Official advisory: GHSA-hfvc-g4fc-pqhx. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39883.


🏁 Script executed:

rg 'go\.opentelemetry\.io.*v1\.42\.0' staging/operator-registry/go.mod

Repository: openshift/operator-framework-olm

Length of output: 900


Upgrade vulnerable OpenTelemetry SDK version to patch arbitrary code execution vulnerability.

go.opentelemetry.io/otel/sdk v1.42.0 is affected by GHSA-hfvc-g4fc-pqhx (CVE-2026-39883), a high-severity vulnerability allowing arbitrary code execution via PATH hijacking on BSD/Solaris platforms. Upgrade all OpenTelemetry packages at v1.42.0 to v1.43.0 or later.

Version upgrade changes
-	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0 // indirect
-	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
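Review bot: the bump list leaves six entries from lines +184 to +201 untouched (otlploggrpc, otlploghttp, stdoutlog, log and sdk/log at v0.18.0, and exporters/prometheus at v0.64.0) without saying whether those versions are meant to pair with v1.43.0 of the core modules; either bump them in the same change or state that the mix is intended. The advisory quoted above names only go.opentelemetry.io/otel/sdk, so the note should also say that the other eleven bumps are for version alignment rather than for the fix. Because staging/ is synchronized from upstream and vendor/modules.txt is among the changed files, a hand edit to this go.mod would need the matching vendor refresh and would be overwritten by the next sync, so the bump belongs in the upstream operator-registry go.mod.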
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
go.opentelemetry.io/otel v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.64.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 // indirect
go.opentelemetry.io/otel/log v0.18.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/sdk v1.42.0 // indirect
go.opentelemetry.io/otel/sdk/log v0.18.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
go.opentelemetry.io/otel/trace v1.42.0 // indirect
go.opentelemetry.io/otel v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.64.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.18.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0 // indirect
go.opentelemetry.io/otel/log v0.18.0 // indirect
go.opentelemetry.io/otel/metric v1.43.0 // indirect
go.opentelemetry.io/otel/sdk v1.43.0 // indirect
go.opentelemetry.io/otel/sdk/log v0.18.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
go.opentelemetry.io/otel/trace v1.43.0 // indirect
🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 196-196: go.opentelemetry.io/otel/sdk 1.42.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@staging/operator-registry/go.mod` around lines 184 - 201, Multiple
OpenTelemetry modules pinned to v1.42.0 (notably go.opentelemetry.io/otel/sdk
v1.42.0 and other entries with v1.42.0) are vulnerable; update every occurrence
of packages currently at v1.42.0 (e.g., go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp,
go.opentelemetry.io/otel/exporters/otlp/otlptrace,
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk/metric,
go.opentelemetry.io/otel/trace) to v1.43.0 or later in the go.mod entries; run
go mod tidy and vendor (if used) and verify build/tests to ensure no breakage.
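
The check the review comment runs against OSV can also be done offline against a go.mod. The following is an added Go example, not code from this PR or from OpenTelemetry: the module path and the affected range (>=1.15.0, fixed in 1.43.0) are taken from the comment above, the function names are hypothetical, and the go.mod line in `main` is constructed. It reads `require` entries only and skips `replace` lines.

```go
package main

import (
	"fmt"
	"strings"
)

// Module and range as quoted in the review comment for GHSA-hfvc-g4fc-pqhx:
// affected >=1.15.0 and <=1.42.0, patched in 1.43.0.
const advisoryModule = "go.opentelemetry.io/otel/sdk"

var firstAffected, firstFixed = [3]int{1, 15, 0}, [3]int{1, 43, 0}

// parseVersion accepts only plain vMAJOR.MINOR.PATCH; pre-release and
// pseudo-versions fail the round trip and are left for manual review.
func parseVersion(v string) (out [3]int, err error) {
	fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	if fmt.Sprintf("v%d.%d.%d", out[0], out[1], out[2]) != v {
		err = fmt.Errorf("unsupported version %q", v)
	}
	return out, err
}

// less reports whether version a sorts before version b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// affectedPin returns the required version of advisoryModule when it is in the
// affected range (or cannot be parsed, with a non-nil error), otherwise "".
func affectedPin(goMod string) (string, error) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		// Exact match keeps sdk/log and sdk/metric out; "=>" marks a replace line.
		if len(f) < 2 || f[0] != advisoryModule || strings.Contains(line, "=>") {
			continue
		}
		v, err := parseVersion(f[1])
		if err != nil || (!less(v, firstAffected) && less(v, firstFixed)) {
			return f[1], err
		}
	}
	return "", nil
}

func main() {
	pin, err := affectedPin("require go.opentelemetry.io/otel/sdk v1.42.0 // indirect")
	fmt.Println(pin, err)
}
```
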

@grokspawn
Contributor

/retest

@openshift-ci
Contributor

openshift-ci Bot commented May 1, 2026

@openshift-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@perdasilva
Contributor

/verified by @perdasilva

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 4, 2026
@openshift-ci-robot

@perdasilva: This PR has been marked as verified by @perdasilva.

Details

In response to this:

/verified by @perdasilva

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 4201d40 into openshift:main May 4, 2026
17 checks passed
perdasilva pushed a commit to perdasilva/operator-framework-olm that referenced this pull request May 4, 2026
…ream

NO-ISSUE: Synchronize From Upstream Repositories
Signed-off-by: Per G. da Silva <pegoncal@redhat.com>
perdasilva pushed a commit to perdasilva/operator-framework-olm that referenced this pull request May 4, 2026
…ream

NO-ISSUE: Synchronize From Upstream Repositories
Signed-off-by: Per G. da Silva <pegoncal@redhat.com>
Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria