Bump github.com/kube-vip/kube-vip from 0.5.5 to 0.9.1

[dependabot]

Bumps github.com/kube-vip/kube-vip from 0.5.5 to 0.9.1.

Release notes

Sourced from github.com/kube-vip/kube-vip's releases.

v0.9.1

Highlights

• Metadata for container images
• Proper handling of endpoints after restart

What's Changed

• fix: s/endoints/endpoints/ in RBAC manifest generation code by @​sdwilsh in kube-vip/kube-vip#1141
• feat: Add opencontainers annotations during release by @​sdwilsh in kube-vip/kube-vip#1142
• Bump anchore/sbom-action from 0.18.0 to 0.19.0 by @​dependabot in kube-vip/kube-vip#1143
• Fixed instance finding by @​p-strusiewiczsurmacki-mobica in kube-vip/kube-vip#1140
• Bump github.com/gookit/slog from 0.5.7 to 0.5.8 by @​dependabot in kube-vip/kube-vip#1134
• Bump golang.org/x/sys from 0.31.0 to 0.32.0 by @​dependabot in kube-vip/kube-vip#1136
• Bump github.com/cloudflare/ipvs from 0.10.3 to 0.11.0 by @​dependabot in kube-vip/kube-vip#1137
• Bump github.com/onsi/ginkgo/v2 from 2.22.2 to 2.23.4 by @​dependabot in kube-vip/kube-vip#1135
• Bump version to v0.9.1 by @​Cellebyte in kube-vip/kube-vip#1144

New Contributors

• @​sdwilsh made their first contribution in kube-vip/kube-vip#1141

Full Changelog: kube-vip/kube-vip@v0.9.0...v0.9.1

v0.9.0

Highlights

• Manifest generation of RBAC resources (ClusterRole, ClusterRoleBinding and ServiceAccount)
• DualStack in BGP mode
• Deterministic handling of two Services using the same LoadBalancer IP in ARP mode

Breaking

• When you use the environment variable vip_cidr please rename it to vip_subnet
  • ENV: vip_cidr got replaced by vip_subnet
  • CLI: --cidr got replaced by --vipSubnet
  • YAML: vipCidr got replaced by vipSubnet
• Drop support of Equinix Metal Platform (Removed)
  • CLI: --metal, ENV: vip_packet, YAML: enableMetal
  • CLI: --metalKey, ENV: PACKET_AUTH_TOKEN
  • CLI: --metalProject, ENV: vip_packetproject
  • CLI: --metalProjectId, ENV: vip_packetprojectid

What's Changed

• Remove Equinix Metal Platform Support by @​deveshidwivedi in kube-vip/kube-vip#1087
• Fixed service IP address deletion on service modification bug by @​p-strusiewiczsurmacki-mobica in kube-vip/kube-vip#1122
• Added support for RBAC manifest generation by @​Cellebyte in kube-vip/kube-vip#1126
• Fix DualStack in BGP mode by @​Cellebyte in kube-vip/kube-vip#1123
• Bump golang.org/x/sync from 0.11.0 to 0.13.0 by @​dependabot in kube-vip/kube-vip#1117
• Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 by @​dependabot in kube-vip/kube-vip#1118
• Bump go.etcd.io/etcd/client/pkg/v3 from 3.5.18 to 3.5.21 by @​dependabot in kube-vip/kube-vip#1115
• Bump github.com/osrg/gobgp/v3 from 3.35.0 to 3.36.0 by @​dependabot in kube-vip/kube-vip#1116
• Bump go.etcd.io/etcd/api/v3 from 3.5.18 to 3.5.21 by @​dependabot in kube-vip/kube-vip#1119

... (truncated)

Commits

• a71d361 Bump version
• cf24ad8 Bump github.com/onsi/ginkgo/v2 from 2.22.2 to 2.23.4
• 0c04088 Bump github.com/cloudflare/ipvs from 0.10.3 to 0.11.0
• 22489ad Bump golang.org/x/sys from 0.31.0 to 0.32.0
• 1fa3da4 Bump github.com/gookit/slog from 0.5.7 to 0.5.8
• d497df3 Fixed instance finding and route deletion in RT mode
• bdd3c5c Bump anchore/sbom-action from 0.18.0 to 0.19.0
• 5b41db2 feat: Add opencontainers annotations during release
• 1eb3577 fix: s/endoints/endpoints/ in RBAC manifest generation code
• 7d7036f Merge pull request #1130 from kube-vip/fix/upnp
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by Bito

This PR updates the go.mod file with multiple dependency version upgrades and a new Go version. Key modules including kube-vip, logr, ginkgo/v2, and various Kubernetes packages have been updated to their latest releases, enhancing stability, compatibility, and performance across the project.

[bito-code-review]

Code Review Agent Run #f49722

Actionable Suggestions - 0

Security Concerns - 9

• Vulnerability 1
  • Dependency Name: golang.org/x/oauth2
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3488
  • Vulnerability Description: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
  • Fixed in Version: v0.27.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/oauth2 v0.26.0
    + golang.org/x/oauth2 v0.27.0
    

• Vulnerability 2
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3373
  • Vulnerability Description: A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
  • Fixed in Version: v1.23.5
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.23.4
    + go 1.23.5
    

• Vulnerability 3
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3420
  • Vulnerability Description: The HTTP client drops sensitive headers after following a cross-domain redirect but incorrectly restores them for subsequent same-domain redirects.
  • Fixed in Version: v1.23.5
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.23.4
    + go 1.23.5
    

• Vulnerability 4
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3447
  • Vulnerability Description: Due to variable time instruction in assembly implementation, bits of secret scalars are leaked on ppc64le architecture.
  • Fixed in Version: v1.23.6
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.23.5
    + go 1.23.6
    

• Vulnerability 5
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3563
  • Vulnerability Description: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines, permitting request smuggling.
  • Fixed in Version: v1.23.8
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.23.6
    + go 1.23.8
    

• Vulnerability 6
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2687
  • Vulnerability Description: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending excessive CONTINUATION frames.
  • Fixed in Version: v0.23.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.22.0
    + golang.org/x/net v0.23.0
    

• Vulnerability 7
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3333
  • Vulnerability Description: An attacker can craft an input to the Parse functions that would be processed non-linearly, causing extremely slow parsing and denial of service.
  • Fixed in Version: v0.33.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.23.0
    + golang.org/x/net v0.33.0
    

• Vulnerability 8
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3503
  • Vulnerability Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component.
  • Fixed in Version: v0.36.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.33.0
    + golang.org/x/net v0.36.0
    

• Vulnerability 9
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3595
  • Vulnerability Description: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character as self-closing.
  • Fixed in Version: v0.38.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.36.0
    + golang.org/x/net v0.38.0
    

Review Details

• Files reviewed - 1 · Commit Range: 0b04374..0b04374

  • go.mod
• Files skipped - 1

  • go.sum - Reason: Filter setting
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • GOVULNCHECK (Security Vulnerability) - ✔︎ Successful
  • OWASP (Security Vulnerability) - ✔︎ Successful
  • SNYK (Security Vulnerability) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Changelist by Bito

This pull request implements the following key changes.

Key Change	Files Impacted
Feature Improvement - Module Dependency Updates	- go.mod - Upgraded Go version from 1.20 to 1.24.2 and updated multiple dependencies including kube-vip from 0.5.5 to 0.9.1, logr, ginkgo/v2, and various Kubernetes libraries to enhance compatibility and performance.