
NO-ISSUE: Update module github.com/openshift/golang-oauth2 to v0.28.0 #757

Open
red-hat-konflux[bot] wants to merge 1 commit into master from konflux/mintmaker/master/ghproxy-9d2.pages.dev-openshift-golang-oauth2-0.x

Conversation

red-hat-konflux bot commented Nov 12, 2025

This PR contains the following updates:

Package: github.com/openshift/golang-oauth2
Change: v0.26.1-0.20250310184649-06a918c6239d -> v0.28.0
Age, Confidence: (badges)

Release Notes

openshift/golang-oauth2 (github.com/openshift/golang-oauth2)

v0.28.0

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci-robot

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type) on Nov 12, 2025
coderabbitai bot commented Nov 12, 2025

Walkthrough

Updated the golang.org/x/oauth2 module replace directive in go.mod to use a newer version of the openshift fork, incrementing from v0.26.1-0.20250310184649-06a918c6239d to v0.28.0.

Changes

Cohort / File(s): Dependency Update (go.mod)
Summary: Updated replace directive for golang.org/x/oauth2 to point to github.com/openshift/golang-oauth2 v0.28.0, upgrading from v0.26.1-0.20250310184649-06a918c6239d.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


openshift-ci bot added the size/S label (Denotes a PR that changes 10-29 lines, ignoring generated files) on Nov 12, 2025
openshift-ci bot commented Nov 12, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign carbonin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the needs-ok-to-test label (Indicates a PR that requires an org member to verify it is safe to test) on Nov 12, 2025
openshift-ci bot commented Nov 12, 2025

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

red-hat-konflux bot force-pushed the konflux/mintmaker/master/ghproxy-9d2.pages.dev-openshift-golang-oauth2-0.x branch 5 times, most recently from bf2a68e to c302872 on November 15, 2025 00:33
red-hat-konflux bot force-pushed the konflux/mintmaker/master/ghproxy-9d2.pages.dev-openshift-golang-oauth2-0.x branch 2 times, most recently from 59cefe1 to e043184 on December 3, 2025 00:28
red-hat-konflux bot force-pushed the konflux/mintmaker/master/ghproxy-9d2.pages.dev-openshift-golang-oauth2-0.x branch 2 times, most recently from 513a75c to b0a8cee on December 9, 2025 04:23
red-hat-konflux bot force-pushed the konflux/mintmaker/master/ghproxy-9d2.pages.dev-openshift-golang-oauth2-0.x branch from b0a8cee to be6c76e on January 16, 2026 00:30
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux bot force-pushed the konflux/mintmaker/master/ghproxy-9d2.pages.dev-openshift-golang-oauth2-0.x branch from be6c76e to 0c9819f on February 3, 2026 12:14
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 149: The go.mod replace pointing to github.com/openshift/golang-oauth2
v0.28.0 must be validated and justified: verify that the OpenShift fork tag
v0.28.0 actually exists and contains the CVE-2025-22868 patch (inspect the fork
repo/commit history for the jws fix), and then either (a) add documentation in
the PR/CHANGELOG explaining why the OpenShift fork is required (what additional
patches/behavior it provides) or (b) if the fork only supplies the CVE fix,
change the replace to use the upstream golang.org/x/oauth2 v0.28.0 (or the
minimal upstream v0.27.x+ release that includes the patch) instead; update
go.mod accordingly and run go mod tidy to ensure builds resolve.

// CVE-2025-22868
// This is from tag v0.26.openshift.1
golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d
golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.28.0
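Review bot: the `// This is from tag v0.26.openshift.1` comment directly above the replace now describes the old target; once the version moves to v0.28.0 that comment should be updated to name the fork tag or commit that v0.28.0 corresponds to (or be dropped), otherwise the next reader has no record of which fork revision the CVE-2025-22868 backport came from. The same comment is the natural place to state whether the fork is still required now that upstream golang.org/x/oauth2 v0.27.0 and later ship the fix, since a replace with no recorded reason tends to outlive the problem it was added for and silently pins the module to whatever the fork publishes.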
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE-2025-22868 golang oauth2 security vulnerability

💡 Result:

CVE-2025-22868 (Go / golang.org/x/oauth2) is a Denial-of-Service (DoS) issue where a malicious, malformed token can trigger unexpected/unbounded memory consumption during token parsing. [1][2]

  • Affected component: golang.org/x/oauth2/jws (in the golang.org/x/oauth2 module) before v0.27.0. [1][3]
  • Severity: HIGH (CVSS 3.1 7.5), network exploitable, no privileges or user interaction required; availability impact is high. [2][3]
  • Fix: Upgrade golang.org/x/oauth2 to v0.27.0 or later (contains the patch). [1][3]

What to do

  1. Update your dependency (example):
    go get golang.org/x/oauth2@v0.27.0
    go mod tidy
  2. If you accept tokens from untrusted sources, consider adding request/body size limits and rate limiting as defense-in-depth (the core fix is upgrading). [1][2]

Sources
[1] Go vulnerability report (GO-2025-3488) https://pkg.go.dev/vuln/GO-2025-3488
[2] NVD entry https://nvd.nist.gov/vuln/detail/CVE-2025-22868
[3] GitHub Advisory GHSA-6v2p-p543-phr9


🏁 Script executed:

# Check the go.mod file context around line 149
cd . && head -n 160 go.mod | tail -n 25

Repository: openshift/cluster-api-provider-agent

Length of output: 1261


🌐 Web query:

github.com/openshift/golang-oauth2 v0.28.0 release

💡 Result:

I couldn’t find any publicly indexed GitHub “Release” (or even a discoverable repository page) for github.com/openshift/golang-oauth2 or a v0.28.0 release/tag in that OpenShift org—search results consistently resolve only to the upstream golang/oauth2 project, not an OpenShift fork. [2]

For the upstream module golang.org/x/oauth2, tag v0.28.0 corresponds to a change titled “Deep copy context client in NewClient” (so client settings like timeouts from a context-provided *http.Client are preserved instead of being lost). The tag was committed on March 3, 2025. [1]

Sources:
[1] v0.28.0 tag details (commit message/date) on Chromium’s mirror of golang/oauth2: (chromium.googlesource.com)
[2] Upstream GitHub repository (no OpenShift fork/release surfaced in search): (github.com)


Cannot verify the OpenShift fork version publicly—confirm the security fix is present.

The replace directive points to github.com/openshift/golang-oauth2 v0.28.0, which claims to address CVE-2025-22868 (a HIGH-severity DoS in golang.org/x/oauth2/jws). However, the OpenShift fork tag v0.28.0 cannot be verified publicly via GitHub—no release or tag is discoverable.

While the upstream golang.org/x/oauth2 v0.28.0 exists (released March 3, 2025) and would contain the fix, this change uses a fork without clear documentation. Before merging:

  • Verify the fork tag v0.28.0 exists and includes the CVE-2025-22868 patch
  • Document why the OpenShift fork is necessary (e.g., additional patches)
  • If the fork is only for CVE-2025-22868, consider using the upstream v0.27.0+ directly instead
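As an added example (not code from this PR, from MintMaker, or from the openshift/golang-oauth2 fork), a small Go program that mechanises the first check listed above: it parses the go.mod replace directive for golang.org/x/oauth2 and tests whether the target version is at or past v0.27.0, the first upstream release with the CVE-2025-22868 fix cited in the query result. The go.mod fragment is constructed from the diff in this review; the version comparison only says whether the tag number is past the fix, so for a fork it is a hint to confirm with govulncheck, not proof the patch is present.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod fragment modelled on the replace block shown in this PR's diff.
const sampleGoMod = "replace (\n\t// CVE-2025-22868\n\tgolang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.28.0\n)\n"

// findReplace returns the target and version that replace module, accepting both the
// single-line and the block form of the directive; path-only replaces (no version) are skipped.
func findReplace(gomod, module string) (target, version string, found bool) {
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop trailing and whole-line comments
		line = strings.TrimSpace(line)
		inBlock = (inBlock || line == "replace (") && line != ")" // track a replace ( ... ) block
		f := strings.Fields(strings.TrimPrefix(line, "replace "))  // mod [ver] => target ver
		ok := inBlock || strings.HasPrefix(line, "replace ")
		if n := len(f); ok && n >= 4 && f[0] == module && f[n-3] == "=>" {
			return f[n-2], f[n-1], true
		}
	}
	return "", "", false
}

// versionKey maps vX.Y.Z[-pre] to a zero-padded string that sorts like semver; the trailing true/false
// marks a release ("false" < "true"), so a pseudo-version vX.Y.Z-0.<timestamp>-<hash> sorts below vX.Y.Z.
func versionKey(v string) string {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var x, y, z int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &x, &y, &z); err != nil {
		return "" // unparsable: sorts below every real version
	}
	return fmt.Sprintf("%08d.%08d.%08d.%t", x, y, z, pre == "")
}

// CheckOAuth2 reports where golang.org/x/oauth2 is replaced and whether the target version is at
// or past v0.27.0, the first upstream release carrying the CVE-2025-22868 fix (GO-2025-3488). For a
// fork this is only a hint: it may backport the fix under a lower tag, or tag v0.28.0 without it.
func CheckOAuth2(gomod string) (target, version string, atLeastFixed bool) {
	target, version, found := findReplace(gomod, "golang.org/x/oauth2")
	return target, version, found && versionKey(version) >= versionKey("v0.27.0")
}

func main() {
	fmt.Println(CheckOAuth2(sampleGoMod)) // github.com/openshift/golang-oauth2 v0.28.0 true
}
```

Feed it the repository's real go.mod (for example by reading the file into a string) to get the same verdict for the pseudo-version the PR replaces, which the version check reports as below the fix even though the fork comment says the commit is a backport.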
