Bump github.com/openshift/backplane-cli from 0.10.1 to 0.10.2 #924

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/openshift/backplane-cli-0.10.2

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps github.com/openshift/backplane-cli from 0.10.1 to 0.10.2.

Release notes

Sourced from github.com/openshift/backplane-cli's releases.

v0.10.2

Chore

  • 080abfd build(deps): bump github.com/onsi/gomega from 1.41.0 to 1.42.0 (#956)
  • 29013a5 build(deps): bump github.com/openshift-online/ocm-sdk-go (#957)
  • 6dac8f8 build(deps): bump github.com/onsi/ginkgo/v2 from 2.29.0 to 2.31.0 (#958)
  • ec5ad6e build(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 (#955)
  • 66f5354 build(deps): bump the aws-sdk group with 5 updates (#954)

Others

  • 3c4f626 retro
  • 6baef11 retro

Commits

  • 0f4969f Merge pull request #959 from diakovnec/retro_iteam
  • 3c4f626 retro
  • 6baef11 retro
  • 080abfd build(deps): bump github.com/onsi/gomega from 1.41.0 to 1.42.0 (#956)
  • 29013a5 build(deps): bump github.com/openshift-online/ocm-sdk-go (#957)
  • 6dac8f8 build(deps): bump github.com/onsi/ginkgo/v2 from 2.29.0 to 2.31.0 (#958)
  • ec5ad6e build(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 (#955)
  • 66f5354 build(deps): bump the aws-sdk group with 5 updates (#954)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated AWS SDK for Go v2 core modules and service components to newer versions.
    • Updated OpenShift API SDK, common libraries, and backplane-CLI dependencies for improved compatibility.
    • Bumped Go system and terminal package dependencies to align with latest releases.

Bumps [github.com/openshift/backplane-cli](https://github.com/openshift/backplane-cli) from 0.10.1 to 0.10.2.
- [Release notes](https://github.com/openshift/backplane-cli/releases)
- [Changelog](https://github.com/openshift/backplane-cli/blob/main/docs/release.md)
- [Commits](openshift/backplane-cli@v0.10.1...v0.10.2)

---
updated-dependencies:
- dependency-name: github.com/openshift/backplane-cli
  dependency-version: 0.10.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jun 22, 2026

coderabbitai Bot commented Jun 22, 2026

Walkthrough

Dependency versions are bumped in go.mod. Direct dependencies updated include AWS SDK for Go v2 core, config, credentials, and sts modules; gomega, ocm-sdk-go, and backplane-cli. Indirect dependencies updated include AWS SDK v2 internal/feature/service modules, ocm-api-model, and golang.org/x/sys.

Changes

Dependency Version Updates

| Layer / File(s) | Summary |
|---|---|
| Direct dependency bumps (AWS SDK, OCM, gomega); go.mod | Bumps direct require entries for github.com/aws/aws-sdk-go-v2 core, config, credentials, service/sts; github.com/onsi/gomega; github.com/openshift-online/ocm-sdk-go; backplane-cli; and golang.org/x/term. |
| Indirect dependency bumps (AWS internals, OCM API model, sys); go.mod | Bumps indirect require entries for AWS SDK v2 feature/internal/service modules (IMDS, SSO, SSM, signin, etc.); ocm-api-model (clientapi, model); and golang.org/x/sys. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • openshift/osdctl#916: Performs the same pattern of go.mod dependency bumps, including backplane-cli, AWS SDK v2 modules, and OCM-related packages.

Suggested labels

lgtm

Suggested reviewers

  • clcollins
  • gvnnn
  • MateSaary

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Structure And Quality | ⚠️ Warning | Ginkgo tests lack proper structure and error messages. Examples: nested Describe blocks (tf_file_update_test.go:75-76), missing assertion messages, and inconsistent cleanup patterns. | Remove nested Describe("Save") block; add meaningful messages to all Expect() calls per checklist ✅; consolidate cleanup into consistent BeforeEach/AfterEach pattern. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: a dependency bump of backplane-cli from 0.10.1 to 0.10.2, which aligns with the PR objectives and raw summary showing this as the primary dependency update. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in this PR use stable, static strings without dynamic content. No string concatenation, fmt.Sprintf, variables, timestamps, UUIDs, or generated identifiers found in test titles. |
| Microshift Test Compatibility | ✅ Passed | This PR is a Dependabot dependency update (backplane-cli 0.10.1→0.10.2) with only go.mod/go.sum changes. No new Ginkgo e2e tests using MicroShift-incompatible APIs were added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only updates dependencies in go.mod and contains no new Ginkgo e2e tests; the SNO compatibility check applies only when new tests are added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR only updates dependency versions in go.mod/go.sum. The check requires deployment manifests, operator code, or controllers to be added/modified, which is not the case here. |
| Ote Binary Stdout Contract | ✅ Passed | Repository is osdctl CLI tool, not OTE binary. Check for OTE Binary Stdout Contract is inapplicable to non-test extension binaries. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR only updates dependency versions in go.mod/go.sum (bumps backplane-cli from 0.10.1 to 0.10.2 and related transitive dependencies). No new Ginkgo e2e test files are added, so the IPv6/discon... |
| No-Weak-Crypto | ✅ Passed | No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) detected in code or updated dependencies; only legitimate Go libraries updated. |
| Container-Privileges | ✅ Passed | This is a Go CLI dependency update PR with no container or Kubernetes manifests containing privileged security settings. The check for container privileges is not applicable. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No logging statements that expose passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data were found. The PR only updates dependencies in go.mod/go.sum; no new logging c... |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from Nikokolas3270 and Tafhim June 22, 2026 18:23

openshift-ci Bot commented Jun 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign raphaelbut for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 22, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 70: The golang.org/x/sys v0.46.0 dependency contains a known
vulnerability (CVE-2026-39824) in the NewNTUnicodeString function where string
length overflows are not properly validated, potentially causing truncated
strings. Upgrade the golang.org/x/sys dependency to a patched version that
addresses this vulnerability by updating the version constraint in the go.mod
file to a newer stable release that includes the fix for this security issue.
- Around line 11-13: Upgrade the github.com/aws/aws-sdk-go-v2 module from
v1.42.0 to either v1.42.2 or v1.42.3 in go.mod to resolve the security
vulnerability GHSA-3jcv-796g-cpjg related to region parameter defense-in-depth
enhancements. After updating the version string for
github.com/aws/aws-sdk-go-v2, run go mod tidy to automatically update the go.sum
file with the correct checksums and dependencies, then commit both go.mod and
go.sum files in your PR to ensure cryptographic integrity verification.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c855031c-e27b-404a-9513-8ed06b42c126

📥 Commits

Reviewing files that changed from the base of the PR and between 8b62b80 and 3e08b01.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment on lines +11 to +13
github.com/aws/aws-sdk-go-v2 v1.42.0
github.com/aws/aws-sdk-go-v2/config v1.32.25
github.com/aws/aws-sdk-go-v2/credentials v1.19.24

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Known CVEs in github.com/aws/aws-sdk-go-v2 v1.42.0, github.com/aws/aws-sdk-go-v2/config v1.32.25, github.com/aws/aws-sdk-go-v2/credentials v1.19.24, github.com/aws/aws-sdk-go-v2/service/sts v1.43.3

💡 Result:

Known CVEs for the specified aws-sdk-go-v2 Go modules/versions (as of 2026-06-22):

1) github.com/aws/aws-sdk-go-v2 v1.42.0 - No specific CVE ID was found for this exact version via the official GitHub advisory database entries surfaced in this research. The closest official advisory related to these versions is GHSA-3jcv-796g-cpjg (“Defense in depth enhancement for region parameter value”), which is patched in 1.42.2 / 1.42.3 (i.e., affected range includes versions <1.42.2 / <1.42.3 depending on patch line), but the advisory text does not list a CVE ID in the surfaced source. [1]

2) github.com/aws/aws-sdk-go-v2/config v1.32.25 - No CVE IDs were found in the surfaced official advisory material; and a third-party dependency inventory (Sonatype) reports 0 vulnerabilities for v1.32.25. [2]

3) github.com/aws/aws-sdk-go-v2/credentials v1.19.24 - No CVE IDs were found in the surfaced official advisory material; and a third-party dependency inventory (Sonatype) reports 0 vulnerabilities for v1.19.24. [3]

4) github.com/aws/aws-sdk-go-v2/service/sts v1.43.3 - No CVE IDs were found for this exact version in the surfaced official advisory material.

Important related security advisory (not tied to a CVE ID in the sources found here)

- GHSA-xmrv-pmrh-hhx2: “Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder”. The advisory states no known CVE ID and describes impacted versions as predating 2026-03-23, with a fix in 2026-03-23 and above. [4]

Practical recommendation

- For your three exact module versions (config 1.32.25, credentials 1.19.24, sts 1.43.3), the sources surfaced in this research did not reveal any known CVE IDs.
- For github.com/aws/aws-sdk-go-v2 v1.42.0, an official security GHSA exists that has a fix at/around v1.42.2 and v1.42.3, but no CVE ID was present in the surfaced advisory content. [1]
- Regardless of CVE presence, upgrading to the patched releases referenced by the relevant GHSA(s) is the actionable mitigation. [1][4]

Upgrade github.com/aws/aws-sdk-go-v2 to v1.42.2 or v1.42.3 to resolve GHSA-3jcv-796g-cpjg.

The version v1.42.0 is affected by a security advisory covering region parameter defense-in-depth enhancements. The fix is available in v1.42.2 and v1.42.3. The other AWS SDK v2 modules (config v1.32.25, credentials v1.19.24, service/sts v1.43.3) have no known CVEs.

Ensure go.sum is committed in the PR to verify cryptographic integrity of all module versions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 11 - 13, Upgrade the github.com/aws/aws-sdk-go-v2 module
from v1.42.0 to either v1.42.2 or v1.42.3 in go.mod to resolve the security
vulnerability GHSA-3jcv-796g-cpjg related to region parameter defense-in-depth
enhancements. After updating the version string for
github.com/aws/aws-sdk-go-v2, run go mod tidy to automatically update the go.sum
file with the correct checksums and dependencies, then commit both go.mod and
go.sum files in your PR to ensure cryptographic integrity verification.

Source: Coding guidelines

Comment thread go.mod
golang.org/x/oauth2 v0.35.0
golang.org/x/sync v0.20.0
golang.org/x/term v0.43.0
golang.org/x/term v0.44.0
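
Review bot: the only module changed in this hunk is golang.org/x/term (v0.43.0 to v0.44.0), while the finding attached to it concerns golang.org/x/sys, which does not appear in these lines. Verify the golang.org/x/sys pin on its own go.mod line and raise the finding there, so that a fix is not applied to the wrong require entry.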

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Known CVEs in golang.org/x/term v0.44.0 and golang.org/x/sys v0.46.0

💡 Result:

As of June 22, 2026, there are no specific CVEs associated with golang.org/x/term v0.44.0 [1]. For golang.org/x/sys v0.46.0, there is a known vulnerability tracked as GO-2026-5024 (CVE-2026-39824), which was published on May 22, 2026 [2]. This vulnerability relates to the NewNTUnicodeString function failing to properly check for string length overflows, potentially leading to truncated strings when a string exceeds the maximum size of a NTUnicodeString [2]. While automated security analysis tools may flag these packages based on various heuristic or unconfirmed signals (such as dependency structures, lack of build provenance, or access to sensitive system calls), these should be distinguished from confirmed CVEs [3][4][5]. Users are encouraged to monitor the official Go vulnerability database at https://pkg.go.dev/vuln/list for the most accurate and up-to-date security information [2].

golang.org/x/sys v0.46.0 contains a known vulnerability (CVE-2026-39824 / GO-2026-5024).

golang.org/x/term v0.44.0 has no known CVEs. However, golang.org/x/sys v0.46.0 (line 248) contains CVE-2026-39824, a vulnerability in the NewNTUnicodeString function that fails to properly check for string length overflows, potentially leading to truncated strings. This was published May 22, 2026. Upgrade to a patched version of golang.org/x/sys to resolve the vulnerability.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 70, The golang.org/x/sys v0.46.0 dependency contains a known
vulnerability (CVE-2026-39824) in the NewNTUnicodeString function where string
length overflows are not properly validated, potentially causing truncated
strings. Upgrade the golang.org/x/sys dependency to a patched version that
addresses this vulnerability by updating the version constraint in the go.mod
file to a newer stable release that includes the fix for this security issue.

Source: Coding guidelines
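
The version comparison the two review comments above describe, as an added Go example that is not part of this PR, of osdctl, or of CodeRabbit's output: it checks go.mod require lines against an advisory's fixed-in version. The sample go.mod and the names `BelowFloor`, `parseVersion` and `fixedIn` are constructed for illustration; the v1.42.2 floor is the one stated in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod excerpt using the versions quoted in the review thread.
const sampleGoMod = `require (
	github.com/aws/aws-sdk-go-v2 v1.42.0
	github.com/aws/aws-sdk-go-v2/config v1.32.25
	github.com/aws/aws-sdk-go-v2/credentials v1.19.24
	golang.org/x/term v0.44.0
)`

// Fixed-in floor for GHSA-3jcv-796g-cpjg as stated in the thread (assumption).
var fixedIn = map[string][3]int{"github.com/aws/aws-sdk-go-v2": {1, 42, 2}}

// parseVersion accepts plain vMAJOR.MINOR.PATCH only, so a pre-release tag is
// reported as an error instead of being mistaken for the patched release.
func parseVersion(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	if err != nil || fmt.Sprintf("v%d.%d.%d", out[0], out[1], out[2]) != v {
		return out, fmt.Errorf("unsupported version %q", v)
	}
	return out, nil
}

// BelowFloor lists require lines whose module path exactly matches a floor entry
// and whose pin is lower; submodules such as .../config are separate modules.
func BelowFloor(gomod string, floors map[string][3]int) ([]string, error) {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 {
			continue
		}
		want, tracked := floors[f[0]]
		if !tracked {
			continue
		}
		have, err := parseVersion(f[1])
		if err != nil {
			return nil, err
		}
		for i := range have {
			if have[i] != want[i] {
				if have[i] < want[i] {
					findings = append(findings, fmt.Sprintf("%s %s < v%d.%d.%d", f[0], f[1], want[0], want[1], want[2]))
				}
				break
			}
		}
	}
	return findings, nil
}

func main() { fmt.Println(BelowFloor(sampleGoMod, fixedIn)) }
```

Only the core module line is flagged; the config and credentials lines carry their own module paths and need their own floor entries if an advisory names them.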

openshift-ci Bot commented Jun 22, 2026

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
