Auto dependency bump like dependabot

[DamianSawicki]

Since last week, we've merged 4 PRs bumping various dependencies, and yet new vulnerabilities keep popping up. And in the last 3 months, we've merged 8 PRs bumping dependencies. Theoretically, we probably could have squashed the number of these PRs, but in OSS everyone is free to contribute to the part they find relevant. It would be great to have some automation taking care of bumping dependencies.

Such automation was recently configured in gwctl kubernetes-sigs/gwctl#6, so perhaps we can do the same.

CC: @Michcioperz @dereknola @FelipeYepez

[FelipeYepez]

I can try to help with this similar to what I did in gwctl

[DamianSawicki]

After merging #702, dependabot closed 4 old PRs, and opened #704, which looks really great except for the fact that the k8s.io group in #702 actually misses k8s.io/kubernetes 😅 I'll fix it now.

[dereknola]

Very much in support of this.

[sidewinder12s]

Can the config be updated as well to update the Go version? there are currently some open vulnerabilities with the current version of Go in use.

[Michcioperz]

@sidewinder12s Can you point to specific vulnerabilities? It's easier to understand what needs to be done then

[sidewinder12s]

Tag: registry.k8s.io/dns%2Fk8s-dns-node-cache:1.26.4

• Vulnerability found in non-os package type (go) - /node-cache (fixed in: 1.23.8, 1.24.2)(CVE-2025-22871 - https://nvd.nist.gov/vuln/detail/CVE-2025-22871)

[nickstapler-wk]

Currently seeing a couple of CVES with fixes using grype to detect:

grype version
Application:         grype
Version:             0.98.0
BuildDate:           2025-08-13T16:52:27Z
GitCommit:           Homebrew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.25.0
Compiler:            gc
Syft Version:        v1.31.0
Supported DB Schema: 6

grype --by-cve --only-fixed --output=table --quiet <image using From registry.k8s.io/dns/k8s-dns-node-cache:1.26.4>

CVE Table:

NAME                        INSTALLED         FIXED IN          TYPE       VULNERABILITY   SEVERITY  EPSS           RISK   
github.com/coredns/coredns  v1.11.3           1.12.2            go-module  CVE-2025-47950  High      0.1% (30th)    < 0.1  
golang.org/x/oauth2         v0.18.0           0.27.0            go-module  CVE-2025-22868  High      < 0.1% (23rd)  < 0.1  
stdlib                      go1.23.7          1.23.12, 1.24.6   go-module  CVE-2025-47907  High      < 0.1% (16th)  < 0.1  
stdlib                      go1.23.8          1.23.12, 1.24.6   go-module  CVE-2025-47907  High      < 0.1% (16th)  < 0.1  
libssl3                     3.0.15-1~deb12u1  3.0.16-1~deb12u1  deb        CVE-2024-13176  Medium    < 0.1% (22nd)  < 0.1  
stdlib                      go1.23.7          1.23.8, 1.24.2    go-module  CVE-2025-22871  Critical  < 0.1% (4th)   < 0.1  
stdlib                      go1.23.7          1.23.10, 1.24.4   go-module  CVE-2025-4673   Medium    < 0.1% (3rd)   < 0.1  
stdlib                      go1.23.8          1.23.10, 1.24.4   go-module  CVE-2025-4673   Medium    < 0.1% (3rd)   < 0.1  
stdlib                      go1.23.7          1.23.11, 1.24.5   go-module  CVE-2025-4674   High      < 0.1% (0th)   < 0.1  
stdlib                      go1.23.8          1.23.11, 1.24.5   go-module  CVE-2025-4674   High      < 0.1% (0th)   < 0.1

Pretty Printed CVE Table:

+----------------------------+------+------------------+--------------------------------+----------------+----------+------------------+
| NAME                       | LANG | VERSION          | PATH                           | CVE            | SEVERITY | FIX              |
+----------------------------+------+------------------+--------------------------------+----------------+----------+------------------+
| github.com/coredns/coredns | go   | v1.11.3          | /node-cache                    | CVE-2025-47950 | High     | 1.12.2           |
+----------------------------+------+------------------+--------------------------------+----------------+----------+------------------+
| golang.org/x/oauth2        | go   | v0.18.0          | /node-cache                    | CVE-2025-22868 | High     | 0.27.0           |
+----------------------------+------+------------------+--------------------------------+----------------+----------+------------------+
| stdlib                     | go   | go1.23.7         | /node-cache                    | CVE-2025-47907 | High     | 1.23.12          |
|                            | go   | go1.23.8         | /go-runner                     | CVE-2025-47907 | High     | 1.23.12          |
|                            | go   | go1.23.7         | /node-cache                    | CVE-2025-22871 | Critical | 1.23.8           |
|                            | go   | go1.23.7         | /node-cache                    | CVE-2025-4673  | Medium   | 1.23.10          |
|                            | go   | go1.23.8         | /go-runner                     | CVE-2025-4673  | Medium   | 1.23.10          |
|                            | go   | go1.23.7         | /node-cache                    | CVE-2025-4674  | High     | 1.23.11          |
|                            | go   | go1.23.8         | /go-runner                     | CVE-2025-4674  | High     | 1.23.11          |
+----------------------------+------+------------------+--------------------------------+----------------+----------+------------------+
| libssl3                    |      | 3.0.15-1~deb12u1 | /var/lib/dpkg/status.d/libssl3 | CVE-2024-13176 | Medium   | 3.0.16-1~deb12u1 |
+----------------------------+------+------------------+--------------------------------+----------------+----------+------------------+

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale