Merge pull request #818 from crossplane/renovate/main-go-golang.org-x-oauth2-vulnerability

chore(deps): update module golang.org/x/oauth2 to v0.27.0 [security] (main)

.golangci.yml

@@ -14,7 +14,7 @@ linters:
   disable:
     # These linters are all deprecated. We disable them explicitly to avoid the
     # linter logging deprecation warnings.
-    - execinquery
+    - tenv
 
     # These are linters we'd like to enable, but that will be labor intensive to
     # make existing code compliant.
@@ -23,7 +23,6 @@ linters:
     - testpackage
     - paralleltest
     - nilnil
-    - gomnd
 
     # Below are linters that lint for things we don't value. Each entry below
     # this line must have a comment explaining the rationale.
@@ -94,10 +93,6 @@ linters:
     # to communicate what the bool means.
     - nonamedreturns
 
-    # Warns about taking the address of a range variable. This isn't an issue in
-    # Go v1.22 and above: https://tip.golang.org/doc/go1.22
-    - exportloopref
-
     # Warns about using magic numbers. We do think it's best to avoid magic
     # numbers, but we should not be strict about it.
     - mnd
@@ -212,6 +207,11 @@ linters-settings:
       rules:
         json: goCamel
 
+  recvcheck:
+    exclusions:
+    - "*.DeepCopy" # DeepCopy* methods are generated and always use a pointer receiver, which may conflict with other methods for a given type.
+    - "*.DeepCopyInto"
+
 issues:
   # Excluding generated files.
   exclude-files:

Earthfile

@@ -3,7 +3,7 @@ VERSION --try --raw-output 0.8
 
 PROJECT crossplane/crossplane-runtime
 
-ARG --global GO_VERSION=1.22.3
+ARG --global GO_VERSION=1.23.7
 
 # reviewable checks that a branch is ready for review. Run it before opening a
 # pull request. It will catch a lot of the things our CI workflow will catch.
@@ -102,7 +102,7 @@ go-test:
 
 # go-lint lints Go code.
 go-lint:
-  ARG GOLANGCI_LINT_VERSION=v1.59.0
+  ARG GOLANGCI_LINT_VERSION=v1.64.8
   FROM +go-modules
   # This cache is private because golangci-lint doesn't support concurrent runs.
   CACHE --id go-lint --sharing private /root/.cache/golangci-lint

go.mod

@@ -1,8 +1,8 @@
 module github.com/crossplane/crossplane-runtime
 
-go 1.22.0
+go 1.23.0
 
-toolchain go1.22.3
+toolchain go1.23.7
 
 require (
 	dario.cat/mergo v1.0.1
@@ -68,7 +68,7 @@ require (
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect

go.sum

@@ -152,8 +152,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

pkg/fieldpath/paved.go

@@ -28,11 +28,11 @@ import (
 // DefaultMaxFieldPathIndex is the max allowed index in a field path.
 const DefaultMaxFieldPathIndex = 1024
 
-type errNotFound struct {
+type notFoundError struct {
 	error
 }
 
-func (e errNotFound) IsNotFound() bool {
+func (e notFoundError) IsNotFound() bool {
 	return true
 }
 
@@ -75,9 +75,9 @@ func Pave(object map[string]any, opts ...PavedOption) *Paved {
 }
 
 // WithMaxFieldPathIndex returns a PavedOption that sets the max allowed index for field paths, 0 means no limit.
-func WithMaxFieldPathIndex(max uint) PavedOption {
+func WithMaxFieldPathIndex(maxIndex uint) PavedOption {
 	return func(paved *Paved) {
-		paved.maxFieldPathIndex = max
+		paved.maxFieldPathIndex = maxIndex
 	}
 }
 
@@ -121,8 +121,8 @@ func getValueFromInterface(it any, s Segments) (any, error) {
 			if !ok {
 				return nil, errors.Errorf("%s: not an array", s[:i])
 			}
-			if int(current.Index) >= len(array) {
+			if current.Index >= uint(len(array)) {
-				return nil, errNotFound{errors.Errorf("%s: no such element", s[:i+1])}
+				return nil, notFoundError{errors.Errorf("%s: no such element", s[:i+1])}
 			}
 			if final {
 				return array[current.Index], nil
@@ -133,14 +133,14 @@ func getValueFromInterface(it any, s Segments) (any, error) {
 			case map[string]any:
 				v, ok := object[current.Field]
 				if !ok {
-					return nil, errNotFound{errors.Errorf("%s: no such field", s[:i+1])}
+					return nil, notFoundError{errors.Errorf("%s: no such field", s[:i+1])}
 				}
 				if final {
 					return v, nil
 				}
 				it = object[current.Field]
 			case nil:
-				return nil, errNotFound{errors.Errorf("%s: expected map, got nil", s[:i])}
+				return nil, notFoundError{errors.Errorf("%s: expected map, got nil", s[:i])}
 			default:
 				return nil, errors.Errorf("%s: not an object", s[:i])
 			}
@@ -208,7 +208,7 @@ func expandWildcards(data any, segments Segments) ([]Segments, error) { //nolint
 					res = append(res, r...)
 				}
 			case nil:
-				return nil, errNotFound{errors.Errorf("wildcard field %q is not found in the path", segments[:i])}
+				return nil, notFoundError{errors.Errorf("wildcard field %q is not found in the path", segments[:i])}
 			default:
 				return nil, errors.Errorf("%q: unexpected wildcard usage", segments[:i])
 			}
@@ -427,11 +427,11 @@ func prepareElement(array []any, current, next Segment) {
 		return
 	}
 
-	if int(next.Index) < len(na) {
+	if next.Index < uint(len(na)) {
 		return
 	}
 
-	array[current.Index] = append(na, make([]any, int(next.Index)-len(na)+1)...)
+	array[current.Index] = append(na, make([]any, next.Index-uint(len(na))+1)...)
 }
 
 func prepareField(object map[string]any, current, next Segment) {
@@ -458,11 +458,11 @@ func prepareField(object map[string]any, current, next Segment) {
 		return
 	}
 
-	if int(next.Index) < len(na) {
+	if next.Index < uint(len(na)) {
 		return
 	}
 
-	object[current.Field] = append(na, make([]any, int(next.Index)-len(na)+1)...)
+	object[current.Field] = append(na, make([]any, next.Index-uint(len(na))+1)...)
 }
 
 // SetValue at the supplied field path.
@@ -543,7 +543,7 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocognit // See note
 			}
 
 			// It doesn't exist anyway.
-			if len(array) <= int(current.Index) {
+			if uint(len(array)) <= current.Index {
 				return nil
 			}
 
@@ -593,10 +593,10 @@ func deleteField(obj any, s Segment) (any, error) {
 		if !ok {
 			return nil, errors.New("not an array")
 		}
-		if len(array) == 0 || len(array) <= int(s.Index) {
+		if len(array) == 0 || uint(len(array)) <= s.Index {
 			return array, nil
 		}
-		for i := int(s.Index); i < len(array)-1; i++ {
+		for i := s.Index; i < uint(len(array))-1; i++ {
 			array[i] = array[i+1]
 		}
 		return array[:len(array)-1], nil

pkg/fieldpath/paved_test.go

@@ -38,12 +38,12 @@ func TestIsNotFound(t *testing.T) {
 	}{
 		"NotFound": {
 			reason: "An error with method `IsNotFound() bool` should be considered a not found error.",
-			err:    errNotFound{errors.New("boom")},
+			err:    notFoundError{errors.New("boom")},
 			want:   true,
 		},
 		"WrapsNotFound": {
 			reason: "An error that wraps an error with method `IsNotFound() bool` should be considered a not found error.",
-			err:    errors.Wrap(errNotFound{errors.New("boom")}, "because reasons"),
+			err:    errors.Wrap(notFoundError{errors.New("boom")}, "because reasons"),
 			want:   true,
 		},
 		"SomethingElse": {
@@ -127,7 +127,7 @@ func TestGetValue(t *testing.T) {
 			path:   "metadata.name",
 			data:   []byte(`{"metadata":{"nope":"cool"}}`),
 			want: want{
-				err: errNotFound{errors.New("metadata.name: no such field")},
+				err: notFoundError{errors.New("metadata.name: no such field")},
 			},
 		},
 		"InsufficientContainers": {
@@ -135,7 +135,7 @@ func TestGetValue(t *testing.T) {
 			path:   "spec.containers[1].name",
 			data:   []byte(`{"spec":{"containers":[{"name":"cool"}]}}`),
 			want: want{
-				err: errNotFound{errors.New("spec.containers[1]: no such element")},
+				err: notFoundError{errors.New("spec.containers[1]: no such element")},
 			},
 		},
 		"NotAnArray": {
@@ -166,7 +166,7 @@ func TestGetValue(t *testing.T) {
 			path:   "spec.containers[*].name",
 			data:   []byte(`{"spec":{"containers": null}}`),
 			want: want{
-				err: errNotFound{errors.Errorf("%s: expected map, got nil", "spec.containers")},
+				err: notFoundError{errors.Errorf("%s: expected map, got nil", "spec.containers")},
 			},
 		},
 	}
@@ -242,7 +242,7 @@ func TestGetValueInto(t *testing.T) {
 			},
 			want: want{
 				out: &Struct{},
-				err: errNotFound{errors.New("s: no such field")},
+				err: notFoundError{errors.New("s: no such field")},
 			},
 		},
 	}
@@ -964,7 +964,7 @@ func TestExpandWildcards(t *testing.T) {
 			path:   "spec.containers[*].name",
 			data:   []byte(`{"spec":{"containers": null}}`),
 			want: want{
-				err: errors.Wrapf(errNotFound{errors.Errorf("wildcard field %q is not found in the path", "spec.containers")}, "cannot expand wildcards for segments: %q", "spec.containers[*].name"),
+				err: errors.Wrapf(notFoundError{errors.Errorf("wildcard field %q is not found in the path", "spec.containers")}, "cannot expand wildcards for segments: %q", "spec.containers[*].name"),
 			},
 		},
 	}

pkg/reconciler/providerconfig/reconciler.go

@@ -181,7 +181,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
 			if err := r.client.Delete(ctx, pcu); resource.IgnoreNotFound(err) != nil {
 				log.Debug(errDeletePCU, "error", err)
 				r.record.Event(pc, event.Warning(reasonAccount, errors.Wrap(err, errDeletePCU)))
-				return reconcile.Result{RequeueAfter: shortWait}, nil //nolint:nilerr // Returning err would make us requeue instantly.
+				return reconcile.Result{RequeueAfter: shortWait}, nil
 			}
 			users--
 		}

pkg/resource/providerconfig.go

@@ -42,9 +42,9 @@ const (
 	errApplyPCU              = "cannot apply ProviderConfigUsage"
 )
 
-type errMissingRef struct{ error }
+type missingRefError struct{ error }
 
-func (m errMissingRef) MissingReference() bool { return true }
+func (m missingRefError) MissingReference() bool { return true }
 
 // IsMissingReference returns true if an error indicates that a managed
 // resource is missing a required reference..
@@ -143,7 +143,7 @@ func (u *ProviderConfigUsageTracker) Track(ctx context.Context, mg Managed) erro
 	gvk := mg.GetObjectKind().GroupVersionKind()
 	ref := mg.GetProviderConfigReference()
 	if ref == nil {
-		return errMissingRef{errors.New(errMissingPCRef)}
+		return missingRefError{errors.New(errMissingPCRef)}
 	}
 
 	pcu.SetName(string(mg.GetUID()))

pkg/resource/providerconfig_test.go

@@ -261,7 +261,7 @@ func TestTrack(t *testing.T) {
 			args: args{
 				mg: &fake.Managed{},
 			},
-			want: errMissingRef{errors.New(errMissingPCRef)},
+			want: missingRefError{errors.New(errMissingPCRef)},
 		},
 		"NopUpdate": {
 			reason: "No error should be returned if the apply fails because it would be a no-op",

pkg/resource/resource.go

@@ -272,9 +272,9 @@ func UpdateFn(fn func(current, desired runtime.Object)) ApplyOption {
 	}
 }
 
-type errNotControllable struct{ error }
+type notControllableError struct{ error }
 
-func (e errNotControllable) NotControllable() bool {
+func (e notControllableError) NotControllable() bool {
 	return true
 }
 
@@ -297,7 +297,7 @@ func MustBeControllableBy(u types.UID) ApplyOption {
 	return func(_ context.Context, current, _ runtime.Object) error {
 		mo, ok := current.(metav1.Object)
 		if !ok {
-			return errNotControllable{errors.Errorf("existing object is missing object metadata")}
+			return notControllableError{errors.Errorf("existing object is missing object metadata")}
 		}
 		c := metav1.GetControllerOf(mo)
 		if c == nil {
@@ -305,7 +305,7 @@ func MustBeControllableBy(u types.UID) ApplyOption {
 		}
 
 		if c.UID != u {
-			return errNotControllable{errors.Errorf("existing object is not controlled by UID %q", u)}
+			return notControllableError{errors.Errorf("existing object is not controlled by UID %q", u)}
 		}
 		return nil
 	}
@@ -333,26 +333,26 @@ func ConnectionSecretMustBeControllableBy(u types.UID) ApplyOption {
 
 		switch {
 		case c == nil && s.Type != SecretTypeConnection:
-			return errNotControllable{errors.Errorf("refusing to modify uncontrolled secret of type %q", s.Type)}
+			return notControllableError{errors.Errorf("refusing to modify uncontrolled secret of type %q", s.Type)}
 		case c == nil:
 			return nil
 		case c.UID != u:
-			return errNotControllable{errors.Errorf("existing secret is not controlled by UID %q", u)}
+			return notControllableError{errors.Errorf("existing secret is not controlled by UID %q", u)}
 		}
 
 		return nil
 	}
 }
 
-type errNotAllowed struct{ error }
+type notAllowedError struct{ error }
 
-func (e errNotAllowed) NotAllowed() bool {
+func (e notAllowedError) NotAllowed() bool {
 	return true
 }
 
 // NewNotAllowed returns a new NotAllowed error.
 func NewNotAllowed(message string) error {
-	return errNotAllowed{error: errors.New(message)}
+	return notAllowedError{error: errors.New(message)}
 }
 
 // IsNotAllowed returns true if the supplied error indicates that an operation
@@ -373,7 +373,7 @@ func AllowUpdateIf(fn func(current, desired runtime.Object) bool) ApplyOption {
 		if fn(current, desired) {
 			return nil
 		}
-		return errNotAllowed{errors.New("update not allowed")}
+		return notAllowedError{errors.New("update not allowed")}
 	}
 }
 

pkg/resource/resource_test.go

@@ -422,7 +422,7 @@ func TestIsNotControllable(t *testing.T) {
 		},
 		"NotControllableError": {
 			reason: "An that has a 'NotControllable() bool' method indicates something is not controllable.",
-			err:    errNotControllable{errors.New("boom")},
+			err:    notControllableError{errors.New("boom")},
 			want:   true,
 		},
 	}
@@ -479,7 +479,7 @@ func TestMustBeControllableBy(t *testing.T) {
 					Controller: &controller,
 				}}}},
 			},
-			want: errNotControllable{errors.Errorf("existing object is not controlled by UID %q", uid)},
+			want: notControllableError{errors.Errorf("existing object is not controlled by UID %q", uid)},
 		},
 	}
 
@@ -543,7 +543,7 @@ func TestConnectionSecretMustBeControllableBy(t *testing.T) {
 					Type: SecretTypeConnection,
 				},
 			},
-			want: errNotControllable{errors.Errorf("existing secret is not controlled by UID %q", uid)},
+			want: notControllableError{errors.Errorf("existing secret is not controlled by UID %q", uid)},
 		},
 		"UncontrolledOpaqueSecret": {
 			reason: "A Secret of corev1.SecretTypeOpqaue with no controller is not controllable",
@@ -551,7 +551,7 @@ func TestConnectionSecretMustBeControllableBy(t *testing.T) {
 			args: args{
 				current: &corev1.Secret{Type: corev1.SecretTypeOpaque},
 			},
-			want: errNotControllable{errors.Errorf("refusing to modify uncontrolled secret of type %q", corev1.SecretTypeOpaque)},
+			want: notControllableError{errors.Errorf("refusing to modify uncontrolled secret of type %q", corev1.SecretTypeOpaque)},
 		},
 	}
 
@@ -593,7 +593,7 @@ func TestAllowUpdateIf(t *testing.T) {
 			args: args{
 				current: &object{},
 			},
-			want: errNotAllowed{errors.New("update not allowed")},
+			want: notAllowedError{errors.New("update not allowed")},
 		},
 	}
 
@@ -641,8 +641,8 @@ func TestGetExternalTags(t *testing.T) {
 }
 
 // single test case => not using tables.
-func Test_errNotControllable_NotControllable(t *testing.T) {
+func Test_notControllableError_NotControllable(t *testing.T) {
-	err := errNotControllable{
+	err := notControllableError{
 		errors.New("test-error"),
 	}
 
@@ -652,8 +652,8 @@ func Test_errNotControllable_NotControllable(t *testing.T) {
 }
 
 // single test case => not using tables.
-func Test_errNotAllowed_NotAllowed(t *testing.T) {
+func Test_notAllowedError_NotAllowed(t *testing.T) {
-	err := errNotAllowed{
+	err := notAllowedError{
 		errors.New("test-error"),
 	}