chore(deps): bump tektoncd/pipeline to v1.13.1 to address CVE-2026-33022 #2795
Conversation
Code Review
This pull request updates several Go dependencies in go.mod and go.sum, including github.com/google/cel-go, github.com/jenkins-x/go-scm, github.com/tektoncd/pipeline, go.opentelemetry.io/otel, go.uber.org/zap, and various Kubernetes (k8s.io) libraries to their newer versions. I have no feedback to provide as there are no review comments.
Codecov Report
❌ Patch coverage is
Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2795   +/-   ##
=======================================
  Coverage   59.77%   59.77%
=======================================
  Files         210      210
  Lines       21135    21135
=======================================
  Hits        12633    12633
  Misses       7707     7707
  Partials      795      795
- Update github.com/tektoncd/pipeline from v1.11.1 to v1.13.1
- Co-upgrades: cel-go v0.28.1, go-scm v1.15.22, otel v1.44.0, zap v1.28.0, k8s.io/* v0.35.5, grpc v1.81.1

CVE-2026-33022 (GHSA-cv4x-93xx-wgfj, CVSS 6.5 Medium): Tekton Pipelines controller panic via long resolver name in GenerateDeterministicNameFromSpec. A user with TaskRun/PipelineRun create access can crash the Pipelines controller into CrashLoopBackOff. Fixed in upstream tektoncd/pipeline v1.10.2+ and v1.11.1+ (fix backported via sanitizedName).

Note: CVE-2023-37264 (GO-2023-1901) affects cmd/controller only; PAC uses only the library APIs (pkg/apis, pkg/client) and does not run the Tekton controller binary.

Resolves: SRVKP-9042
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Akshay Pant <akpant@redhat.com>
Value.Emit() is deprecated in the updated OpenTelemetry SDK; replace with Value.String() to resolve linter warning. Signed-off-by: Akshay Pant <akpant@redhat.com>
9687ff9 to 5e686e4
📝 Description of the Change
Upgrades github.com/tektoncd/pipeline from v1.11.1 → v1.13.1 to address reported security vulnerabilities flagged by automated scanners (GO-2026-4730 / CVE-2026-33022).
Changes:
- github.com/tektoncd/pipeline v1.11.1 → v1.13.1
- github.com/google/cel-go v0.28.0 → v0.28.1 (co-upgrade)
- github.com/jenkins-x/go-scm v1.15.17 → v1.15.22 (co-upgrade)
- go.opentelemetry.io/otel v1.43.0 → v1.44.0 (co-upgrade)
- go.uber.org/zap v1.27.1 → v1.28.0 (co-upgrade)
- k8s.io/{api,apimachinery,client-go} v0.35.4 → v0.35.5 (co-upgrade)
- google.golang.org/grpc v1.80.0 → v1.81.1 (co-upgrade)

VEX Analysis
CVE-2026-33022 (GHSA-cv4x-93xx-wgfj, CVSS 6.5 Medium)
- Triggered when spec.taskRef.resolver is ≥31 chars
- GenerateDeterministicNameFromSpec in pkg/resolution/resource/name.go was patched in main (2026-03-11), then backported to v1.10.2, and included from v1.11.1+
- pkg/resolution/resource is not vendored by PAC — confirmed by the vendor directory, which only contains pkg/apis, pkg/client, pkg/reconciler, etc. The vulnerable code path is not compiled into PAC binaries.

CVE-2023-37264 (GHSA-w2h3-vvvq-3m53, CVSS 3.7 Low)
- Affects the cmd/controller binary
- PAC uses tektoncd/pipeline only as a client/API library (pkg/apis/pipeline/v1, pkg/client/clientset/versioned, etc.). PAC does not run or embed the Tekton controller binary.

How this upgrade was done
GOTOOLCHAIN=go1.26.4 go get github.com/tektoncd/pipeline@v1.13.1
GOTOOLCHAIN=go1.26.4 go mod tidy
GOTOOLCHAIN=go1.26.4 go mod vendor
GOTOOLCHAIN=go1.26.4 go build ./... ✅
GOTOOLCHAIN=go1.26.4 go mod verify ✅
GOTOOLCHAIN=go1.26.4 go test ./pkg/... ✅

👨🏻‍💼 Linked Jira
SRVKP-9042
🔗 Linked GitHub Issue
N/A
🧪 Testing Strategy
go test ./pkg/...)
Validation run locally:
- GOTOOLCHAIN=go1.26.4 go build ./... — success, no errors
- GOTOOLCHAIN=go1.26.4 go mod verify — all modules verified
- GOTOOLCHAIN=go1.26.4 go test ./pkg/... — all 22 test packages passed

🤖 AI Assistance
Generated by CVE Fixer Workflow (Ambient Code Platform)
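The VEX analysis and commit message above describe CVE-2026-33022 as a controller panic when a user-controlled resolver name is long, fixed upstream by sanitizing the name. The following is an added illustration of the defensive pattern such a fix needs, written for this page; it is not Tekton's GenerateDeterministicNameFromSpec or its sanitizedName code, and the function names, the 10-character digest and the sample inputs are this example's own assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Illustrative pattern (not Tekton's code): every user-controlled part of a
// generated Kubernetes object name is sanitized and truncated to a fixed budget
// before being joined with a fixed-length digest, so no input length can push
// the result past the API server's limit or cause an index panic.

const (
	maxNameLength = 63                               // DNS-1123 label limit for most object names
	digestLength  = 10                               // hex characters of the spec digest kept in the name
	prefixBudget  = maxNameLength - digestLength - 1 // room left for "<prefix>-"
)

var (
	notLabelChar = regexp.MustCompile(`[^a-z0-9-]+`)
	dnsLabel     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
)

// sanitizeLabel lowercases s, replaces every run of characters a DNS-1123 label
// forbids with "-", strips leading/trailing dashes and caps the length. It never
// returns an empty string, so the caller can always prepend it safely.
func sanitizeLabel(s string, max int) string {
	s = strings.ToLower(s)
	s = notLabelChar.ReplaceAllString(s, "-")
	s = strings.Trim(s, "-")
	if len(s) > max {
		s = strings.TrimRight(s[:max], "-")
	}
	if s == "" {
		return "x"
	}
	return s
}

// DeterministicName derives "<sanitized resolver>-<digest>" from a resolver name
// and the serialized spec it resolves. Equal inputs give equal names; the digest
// covers the full, untruncated resolver, so two long resolvers that share a
// prefix still get distinct names.
func DeterministicName(resolver, spec string) string {
	sum := sha256.Sum256([]byte(resolver + "\x00" + spec))
	digest := hex.EncodeToString(sum[:])[:digestLength]
	return sanitizeLabel(resolver, prefixBudget) + "-" + digest
}

// ValidName reports whether name would pass DNS-1123 label validation.
func ValidName(name string) bool {
	return len(name) <= maxNameLength && dnsLabel.MatchString(name)
}

func main() {
	// Constructed inputs: a short resolver, one at the 31-char threshold named in
	// the advisory, and a long one containing characters a label does not allow.
	for _, r := range []string{"git", strings.Repeat("a", 31), strings.Repeat("Long_Resolver!", 20)} {
		name := DeterministicName(r, "params: [{name: url, value: https://example.invalid/repo.git}]")
		fmt.Printf("%3d-char resolver -> %-63s valid=%v\n", len(r), name, ValidName(name))
	}
}
```

The property worth keeping in a unit test is the bound itself: for resolver lengths from 0 up to well past the 31-character trigger, the output must always validate and the function must never panic, since a panic in a controller's reconcile path is what turns a single bad object into CrashLoopBackOff.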
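The VEX analysis above rests on a reachability claim: the patched package pkg/resolution/resource is absent from the vendor directory, so the vulnerable code is not compiled into PAC. As an added example (not PAC's own tooling), this parses the vendor/modules.txt manifest that go mod vendor writes and reports whether the package paths an advisory names are vendored and from which module version; the sample manifest is constructed for the example and its package list is not copied from the repository.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Added example, not PAC's tooling: with a vendor directory present, go build
// runs in -mod=vendor mode and only the packages listed in vendor/modules.txt
// exist, so that manifest is the record to cite in a VEX "not affected" note.

// VendorIndex holds what modules.txt records: module path -> version, and
// vendored package path -> the module path that provides it.
type VendorIndex struct {
	Modules  map[string]string
	Packages map[string]string
}

// ParseModulesTxt reads the modules.txt format: "# <module> <version> [=> repl]"
// starts a module block, "## ..." lines are annotations, and every other
// non-empty line is a package import path vendored from the current module.
func ParseModulesTxt(text string) VendorIndex {
	idx := VendorIndex{Modules: map[string]string{}, Packages: map[string]string{}}
	current := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "## "):
			continue
		case strings.HasPrefix(line, "# "):
			fields := strings.Fields(line[2:])
			if len(fields) == 0 {
				continue
			}
			current = fields[0]
			version := "" // a "# mod => ../local" replace line carries no version
			if len(fields) > 1 && fields[1] != "=>" {
				version = fields[1]
			}
			idx.Modules[current] = version
		default:
			idx.Packages[line] = current
		}
	}
	return idx
}

// Finding is the per-package answer a VEX note can cite.
type Finding struct {
	Package  string
	Vendored bool
	Module   string // providing module when vendored
	Version  string
}

// Reachability reports, for each package path a report names as vulnerable,
// whether that package is vendored and from which module version.
func Reachability(idx VendorIndex, vulnerable []string) []Finding {
	out := make([]Finding, 0, len(vulnerable))
	for _, pkg := range vulnerable {
		mod, ok := idx.Packages[pkg]
		out = append(out, Finding{Package: pkg, Vendored: ok, Module: mod, Version: idx.Modules[mod]})
	}
	return out
}

// sampleModulesTxt is a constructed excerpt in the modules.txt format; the
// package list is illustrative and not copied from the PAC repository.
const sampleModulesTxt = `# github.com/google/cel-go v0.28.1
## explicit; go 1.22
github.com/google/cel-go/cel
# github.com/tektoncd/pipeline v1.13.1
## explicit; go 1.24
github.com/tektoncd/pipeline/pkg/apis/pipeline/v1
github.com/tektoncd/pipeline/pkg/client/clientset/versioned
github.com/tektoncd/pipeline/pkg/reconciler/events
`

func main() {
	idx := ParseModulesTxt(sampleModulesTxt)
	// Paths from the advisory text: the patched package and one PAC does use.
	for _, f := range Reachability(idx, []string{
		"github.com/tektoncd/pipeline/pkg/resolution/resource",
		"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1",
	}) {
		fmt.Printf("%-55s vendored=%-5v %s %s\n", f.Package, f.Vendored, f.Module, f.Version)
	}
}
```

Run it against the real vendor/modules.txt to turn the "confirmed by vendor directory" sentence into a reproducible check. Two independent cross-checks are worth pairing with it: go list -deps ./... enumerates the build graph without trusting the manifest, and govulncheck ./... does symbol-level reachability against the Go vulnerability database, which is the stronger evidence for the "not affected" status claimed here.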