Merge pull request #818 from crossplane/renovate/main-go-golang.org-x-oauth2-vulnerability

chore(deps): update module golang.org/x/oauth2 to v0.27.0 [security] (main)

.golangci.yml

@@ -10,11 +10,11 @@ output:
 linters:
   enable-all: true
   fast: false
-  
+
   disable:
     # These linters are all deprecated. We disable them explicitly to avoid the
     # linter logging deprecation warnings.
-    - execinquery
+    - tenv
 
     # These are linters we'd like to enable, but that will be labor intensive to
     # make existing code compliant.
@@ -23,7 +23,6 @@ linters:
     - testpackage
     - paralleltest
     - nilnil
-    - gomnd
 
     # Below are linters that lint for things we don't value. Each entry below
     # this line must have a comment explaining the rationale.
@@ -31,7 +30,7 @@ linters:
     # These linters add whitespace in an attempt to make code more readable.
     # This isn't a widely accepted Go best practice, and would be laborious to
     # apply to existing code.
-    - wsl 
+    - wsl
     - nlreturn
 
     # Warns about uses of fmt.Sprintf that are less performant than alternatives
@@ -83,7 +82,7 @@ linters:
     # Warns about returning interfaces rather than concrete types. We do think
     # it's best to avoid returning interfaces where possible. However, at the
     # time of writing enabling this linter would only catch the (many) cases
-    # where we must return an interface. 
+    # where we must return an interface.
     - ireturn
 
     # Warns about returning named variables. We do think it's best to avoid
@@ -94,10 +93,6 @@ linters:
     # to communicate what the bool means.
     - nonamedreturns
 
-    # Warns about taking the address of a range variable. This isn't an issue in
-    # Go v1.22 and above: https://tip.golang.org/doc/go1.22
-    - exportloopref
-
     # Warns about using magic numbers. We do think it's best to avoid magic
     # numbers, but we should not be strict about it.
     - mnd
@@ -189,7 +184,7 @@ linters-settings:
   nolintlint:
     require-explanation: true
     require-specific: true
-  
+
   depguard:
     rules:
       no_third_party_test_libraries:
@@ -206,12 +201,17 @@ linters-settings:
 
   interfacebloat:
     max: 5
-  
+
   tagliatelle:
     case:
       rules:
         json: goCamel
 
+  recvcheck:
+    exclusions:
+    - "*.DeepCopy" # DeepCopy* methods are generated and always use a pointer receiver, which may conflict with other methods for a given type.
+    - "*.DeepCopyInto"
+
 issues:
   # Excluding generated files.
   exclude-files:
@@ -237,7 +237,7 @@ issues:
       text: "(unnamedResult|exitAfterDefer)"
       linters:
         - gocritic
-    
+
     # It's idiomatic to register Kubernetes types with a package scoped
     # SchemeBuilder using an init function.
     - path: apis/
@@ -282,7 +282,7 @@ issues:
       linters:
       - gosec
       - gas
-    
+
     # Some k8s dependencies do not have JSON tags on all fields in structs.
     - path: k8s.io/
       linters:

Earthfile

@@ -3,7 +3,7 @@ VERSION --try --raw-output 0.8
 
 PROJECT crossplane/crossplane-runtime
 
-ARG --global GO_VERSION=1.22.3
+ARG --global GO_VERSION=1.23.7
 
 # reviewable checks that a branch is ready for review. Run it before opening a
 # pull request. It will catch a lot of the things our CI workflow will catch.
@@ -102,7 +102,7 @@ go-test:
 
 # go-lint lints Go code.
 go-lint:
-  ARG GOLANGCI_LINT_VERSION=v1.59.0
+  ARG GOLANGCI_LINT_VERSION=v1.64.8
   FROM +go-modules
   # This cache is private because golangci-lint doesn't support concurrent runs.
   CACHE --id go-lint --sharing private /root/.cache/golangci-lint

go.mod

@@ -1,8 +1,8 @@
 module github.com/crossplane/crossplane-runtime
 
-go 1.22.0
+go 1.23.0
 
-toolchain go1.22.3
+toolchain go1.23.7
 
 require (
 	dario.cat/mergo v1.0.1
@@ -68,7 +68,7 @@ require (
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect

go.sum

@@ -152,8 +152,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

pkg/fieldpath/paved.go

@@ -28,11 +28,11 @@ import (
 // DefaultMaxFieldPathIndex is the max allowed index in a field path.
 const DefaultMaxFieldPathIndex = 1024
 
-type errNotFound struct {
+type notFoundError struct {
 	error
 }
 
-func (e errNotFound) IsNotFound() bool {
+func (e notFoundError) IsNotFound() bool {
 	return true
 }
 
@@ -75,9 +75,9 @@ func Pave(object map[string]any, opts ...PavedOption) *Paved {
 }
 
 // WithMaxFieldPathIndex returns a PavedOption that sets the max allowed index for field paths, 0 means no limit.
-func WithMaxFieldPathIndex(max uint) PavedOption {
+func WithMaxFieldPathIndex(maxIndex uint) PavedOption {
 	return func(paved *Paved) {
-		paved.maxFieldPathIndex = max
+		paved.maxFieldPathIndex = maxIndex
 	}
 }
 
@@ -121,8 +121,8 @@ func getValueFromInterface(it any, s Segments) (any, error) {
 			if !ok {
 				return nil, errors.Errorf("%s: not an array", s[:i])
 			}
-			if int(current.Index) >= len(array) {
-				return nil, errNotFound{errors.Errorf("%s: no such element", s[:i+1])}
+			if current.Index >= uint(len(array)) {
+				return nil, notFoundError{errors.Errorf("%s: no such element", s[:i+1])}
 			}
 			if final {
 				return array[current.Index], nil
@@ -133,14 +133,14 @@ func getValueFromInterface(it any, s Segments) (any, error) {
 			case map[string]any:
 				v, ok := object[current.Field]
 				if !ok {
-					return nil, errNotFound{errors.Errorf("%s: no such field", s[:i+1])}
+					return nil, notFoundError{errors.Errorf("%s: no such field", s[:i+1])}
 				}
 				if final {
 					return v, nil
 				}
 				it = object[current.Field]
 			case nil:
-				return nil, errNotFound{errors.Errorf("%s: expected map, got nil", s[:i])}
+				return nil, notFoundError{errors.Errorf("%s: expected map, got nil", s[:i])}
 			default:
 				return nil, errors.Errorf("%s: not an object", s[:i])
 			}
@@ -208,7 +208,7 @@ func expandWildcards(data any, segments Segments) ([]Segments, error) { //nolint
 					res = append(res, r...)
 				}
 			case nil:
-				return nil, errNotFound{errors.Errorf("wildcard field %q is not found in the path", segments[:i])}
+				return nil, notFoundError{errors.Errorf("wildcard field %q is not found in the path", segments[:i])}
 			default:
 				return nil, errors.Errorf("%q: unexpected wildcard usage", segments[:i])
 			}
@@ -427,11 +427,11 @@ func prepareElement(array []any, current, next Segment) {
 		return
 	}
 
-	if int(next.Index) < len(na) {
+	if next.Index < uint(len(na)) {
 		return
 	}
 
-	array[current.Index] = append(na, make([]any, int(next.Index)-len(na)+1)...)
+	array[current.Index] = append(na, make([]any, next.Index-uint(len(na))+1)...)
 }
 
 func prepareField(object map[string]any, current, next Segment) {
@@ -458,11 +458,11 @@ func prepareField(object map[string]any, current, next Segment) {
 		return
 	}
 
-	if int(next.Index) < len(na) {
+	if next.Index < uint(len(na)) {
 		return
 	}
 
-	object[current.Field] = append(na, make([]any, int(next.Index)-len(na)+1)...)
+	object[current.Field] = append(na, make([]any, next.Index-uint(len(na))+1)...)
 }
 
 // SetValue at the supplied field path.
@@ -543,7 +543,7 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocognit // See note
 			}
 
 			// It doesn't exist anyway.
-			if len(array) <= int(current.Index) {
+			if uint(len(array)) <= current.Index {
 				return nil
 			}
 
@@ -593,10 +593,10 @@ func deleteField(obj any, s Segment) (any, error) {
 		if !ok {
 			return nil, errors.New("not an array")
 		}
-		if len(array) == 0 || len(array) <= int(s.Index) {
+		if len(array) == 0 || uint(len(array)) <= s.Index {
 			return array, nil
 		}
-		for i := int(s.Index); i < len(array)-1; i++ {
+		for i := s.Index; i < uint(len(array))-1; i++ {
 			array[i] = array[i+1]
 		}
 		return array[:len(array)-1], nil

pkg/fieldpath/paved_test.go

@@ -38,12 +38,12 @@ func TestIsNotFound(t *testing.T) {
 	}{
 		"NotFound": {
 			reason: "An error with method `IsNotFound() bool` should be considered a not found error.",
-			err:    errNotFound{errors.New("boom")},
+			err:    notFoundError{errors.New("boom")},
 			want:   true,
 		},
 		"WrapsNotFound": {
 			reason: "An error that wraps an error with method `IsNotFound() bool` should be considered a not found error.",
-			err:    errors.Wrap(errNotFound{errors.New("boom")}, "because reasons"),
+			err:    errors.Wrap(notFoundError{errors.New("boom")}, "because reasons"),
 			want:   true,
 		},
 		"SomethingElse": {
@@ -127,7 +127,7 @@ func TestGetValue(t *testing.T) {
 			path:   "metadata.name",
 			data:   []byte(`{"metadata":{"nope":"cool"}}`),
 			want: want{
-				err: errNotFound{errors.New("metadata.name: no such field")},
+				err: notFoundError{errors.New("metadata.name: no such field")},
 			},
 		},
 		"InsufficientContainers": {
@@ -135,7 +135,7 @@ func TestGetValue(t *testing.T) {
 			path:   "spec.containers[1].name",
 			data:   []byte(`{"spec":{"containers":[{"name":"cool"}]}}`),
 			want: want{
-				err: errNotFound{errors.New("spec.containers[1]: no such element")},
+				err: notFoundError{errors.New("spec.containers[1]: no such element")},
 			},
 		},
 		"NotAnArray": {
@@ -166,7 +166,7 @@ func TestGetValue(t *testing.T) {
 			path:   "spec.containers[*].name",
 			data:   []byte(`{"spec":{"containers": null}}`),
 			want: want{
-				err: errNotFound{errors.Errorf("%s: expected map, got nil", "spec.containers")},
+				err: notFoundError{errors.Errorf("%s: expected map, got nil", "spec.containers")},
 			},
 		},
 	}
@@ -242,7 +242,7 @@ func TestGetValueInto(t *testing.T) {
 			},
 			want: want{
 				out: &Struct{},
-				err: errNotFound{errors.New("s: no such field")},
+				err: notFoundError{errors.New("s: no such field")},
 			},
 		},
 	}
@@ -964,7 +964,7 @@ func TestExpandWildcards(t *testing.T) {
 			path:   "spec.containers[*].name",
 			data:   []byte(`{"spec":{"containers": null}}`),
 			want: want{
-				err: errors.Wrapf(errNotFound{errors.Errorf("wildcard field %q is not found in the path", "spec.containers")}, "cannot expand wildcards for segments: %q", "spec.containers[*].name"),
+				err: errors.Wrapf(notFoundError{errors.Errorf("wildcard field %q is not found in the path", "spec.containers")}, "cannot expand wildcards for segments: %q", "spec.containers[*].name"),
 			},
 		},
 	}

pkg/reconciler/providerconfig/reconciler.go

@@ -181,7 +181,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
 			if err := r.client.Delete(ctx, pcu); resource.IgnoreNotFound(err) != nil {
 				log.Debug(errDeletePCU, "error", err)
 				r.record.Event(pc, event.Warning(reasonAccount, errors.Wrap(err, errDeletePCU)))
-				return reconcile.Result{RequeueAfter: shortWait}, nil //nolint:nilerr // Returning err would make us requeue instantly.
+				return reconcile.Result{RequeueAfter: shortWait}, nil
 			}
 			users--
 		}

pkg/resource/providerconfig.go

@@ -42,9 +42,9 @@ const (
 	errApplyPCU              = "cannot apply ProviderConfigUsage"
 )
 
-type errMissingRef struct{ error }
+type missingRefError struct{ error }
 
-func (m errMissingRef) MissingReference() bool { return true }
+func (m missingRefError) MissingReference() bool { return true }
 
 // IsMissingReference returns true if an error indicates that a managed
 // resource is missing a required reference..
@@ -143,7 +143,7 @@ func (u *ProviderConfigUsageTracker) Track(ctx context.Context, mg Managed) erro
 	gvk := mg.GetObjectKind().GroupVersionKind()
 	ref := mg.GetProviderConfigReference()
 	if ref == nil {
-		return errMissingRef{errors.New(errMissingPCRef)}
+		return missingRefError{errors.New(errMissingPCRef)}
 	}
 
 	pcu.SetName(string(mg.GetUID()))

pkg/resource/providerconfig_test.go

@@ -261,7 +261,7 @@ func TestTrack(t *testing.T) {
 			args: args{
 				mg: &fake.Managed{},
 			},
-			want: errMissingRef{errors.New(errMissingPCRef)},
+			want: missingRefError{errors.New(errMissingPCRef)},
 		},
 		"NopUpdate": {
 			reason: "No error should be returned if the apply fails because it would be a no-op",

pkg/resource/resource.go

@@ -272,9 +272,9 @@ func UpdateFn(fn func(current, desired runtime.Object)) ApplyOption {
 	}
 }
 
-type errNotControllable struct{ error }
+type notControllableError struct{ error }
 
-func (e errNotControllable) NotControllable() bool {
+func (e notControllableError) NotControllable() bool {
 	return true
 }
 
@@ -297,7 +297,7 @@ func MustBeControllableBy(u types.UID) ApplyOption {
 	return func(_ context.Context, current, _ runtime.Object) error {
 		mo, ok := current.(metav1.Object)
 		if !ok {
-			return errNotControllable{errors.Errorf("existing object is missing object metadata")}
+			return notControllableError{errors.Errorf("existing object is missing object metadata")}
 		}
 		c := metav1.GetControllerOf(mo)
 		if c == nil {
@@ -305,7 +305,7 @@ func MustBeControllableBy(u types.UID) ApplyOption {
 		}
 
 		if c.UID != u {
-			return errNotControllable{errors.Errorf("existing object is not controlled by UID %q", u)}
+			return notControllableError{errors.Errorf("existing object is not controlled by UID %q", u)}
 		}
 		return nil
 	}
@@ -333,26 +333,26 @@ func ConnectionSecretMustBeControllableBy(u types.UID) ApplyOption {
 
 		switch {
 		case c == nil && s.Type != SecretTypeConnection:
-			return errNotControllable{errors.Errorf("refusing to modify uncontrolled secret of type %q", s.Type)}
+			return notControllableError{errors.Errorf("refusing to modify uncontrolled secret of type %q", s.Type)}
 		case c == nil:
 			return nil
 		case c.UID != u:
-			return errNotControllable{errors.Errorf("existing secret is not controlled by UID %q", u)}
+			return notControllableError{errors.Errorf("existing secret is not controlled by UID %q", u)}
 		}
 
 		return nil
 	}
 }
 
-type errNotAllowed struct{ error }
+type notAllowedError struct{ error }
 
-func (e errNotAllowed) NotAllowed() bool {
+func (e notAllowedError) NotAllowed() bool {
 	return true
 }
 
 // NewNotAllowed returns a new NotAllowed error.
 func NewNotAllowed(message string) error {
-	return errNotAllowed{error: errors.New(message)}
+	return notAllowedError{error: errors.New(message)}
 }
 
 // IsNotAllowed returns true if the supplied error indicates that an operation
@@ -373,7 +373,7 @@ func AllowUpdateIf(fn func(current, desired runtime.Object) bool) ApplyOption {
 		if fn(current, desired) {
 			return nil
 		}
-		return errNotAllowed{errors.New("update not allowed")}
+		return notAllowedError{errors.New("update not allowed")}
 	}
 }
 

pkg/resource/resource_test.go

@@ -422,7 +422,7 @@ func TestIsNotControllable(t *testing.T) {
 		},
 		"NotControllableError": {
 			reason: "An that has a 'NotControllable() bool' method indicates something is not controllable.",
-			err:    errNotControllable{errors.New("boom")},
+			err:    notControllableError{errors.New("boom")},
 			want:   true,
 		},
 	}
@@ -479,7 +479,7 @@ func TestMustBeControllableBy(t *testing.T) {
 					Controller: &controller,
 				}}}},
 			},
-			want: errNotControllable{errors.Errorf("existing object is not controlled by UID %q", uid)},
+			want: notControllableError{errors.Errorf("existing object is not controlled by UID %q", uid)},
 		},
 	}
 
@@ -543,7 +543,7 @@ func TestConnectionSecretMustBeControllableBy(t *testing.T) {
 					Type: SecretTypeConnection,
 				},
 			},
-			want: errNotControllable{errors.Errorf("existing secret is not controlled by UID %q", uid)},
+			want: notControllableError{errors.Errorf("existing secret is not controlled by UID %q", uid)},
 		},
 		"UncontrolledOpaqueSecret": {
 			reason: "A Secret of corev1.SecretTypeOpqaue with no controller is not controllable",
@@ -551,7 +551,7 @@ func TestConnectionSecretMustBeControllableBy(t *testing.T) {
 			args: args{
 				current: &corev1.Secret{Type: corev1.SecretTypeOpaque},
 			},
-			want: errNotControllable{errors.Errorf("refusing to modify uncontrolled secret of type %q", corev1.SecretTypeOpaque)},
+			want: notControllableError{errors.Errorf("refusing to modify uncontrolled secret of type %q", corev1.SecretTypeOpaque)},
 		},
 	}
 
@@ -593,7 +593,7 @@ func TestAllowUpdateIf(t *testing.T) {
 			args: args{
 				current: &object{},
 			},
-			want: errNotAllowed{errors.New("update not allowed")},
+			want: notAllowedError{errors.New("update not allowed")},
 		},
 	}
 
@@ -641,8 +641,8 @@ func TestGetExternalTags(t *testing.T) {
 }
 
 // single test case => not using tables.
-func Test_errNotControllable_NotControllable(t *testing.T) {
-	err := errNotControllable{
+func Test_notControllableError_NotControllable(t *testing.T) {
+	err := notControllableError{
 		errors.New("test-error"),
 	}
 
@@ -652,8 +652,8 @@ func Test_errNotControllable_NotControllable(t *testing.T) {
 }
 
 // single test case => not using tables.
-func Test_errNotAllowed_NotAllowed(t *testing.T) {
-	err := errNotAllowed{
+func Test_notAllowedError_NotAllowed(t *testing.T) {
+	err := notAllowedError{
 		errors.New("test-error"),
 	}