chore(deps): update module golang.org/x/crypto to v0.35.0 [security] (release-3.4.x)

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/crypto	v0.31.0 -> v0.35.0

---

Potential denial of service in golang.org/x/crypto

CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487

More information

Details

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Severity

Unknown

References

• https://go.dev/cl/652135
• https://go.dev/issue/71931

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487

More information

Details

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22869
• https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22
• https://github.com/golang/crypto
• https://go-review.googlesource.com/c/crypto/+/652135
• https://go.dev/cl/652135
• https://go.dev/issue/71931
• https://pkg.go.dev/vuln/GO-2025-3487
• https://security.netapp.com/advisory/ntap-20250411-0010

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[renovate-sh-app]

ℹ Artifact update notice

File name: operator/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22.0 -> 1.23.0
go (toolchain)	1.22.5 -> 1.24.8
golang.org/x/sync	v0.10.0 -> v0.11.0
golang.org/x/sys	v0.28.0 -> v0.30.0
golang.org/x/term	v0.27.0 -> v0.29.0
golang.org/x/text	v0.21.0 -> v0.22.0

[CLAassistant]

All committers have signed the CLA.

[github-actions]

😢 zizmor failed with exit code 14.

Expand for full output

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/images.yml:44:7
   |
44 |       "uses": "actions/setup-node@v4"
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
86 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
   |       --------------------------------------------------------------------------- runtime artifacts usually published here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:141:7
    |
141 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
166 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:264:7
    |
264 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
289 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:387:7
    |
387 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
412 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:510:7
    |
510 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
535 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:220:7
    |
220 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
248 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:293:7
    |
293 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
321 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:366:7
    |
366 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
394 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:445:7
    |
445 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
473 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:518:7
    |
518 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
546 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:597:7
    |
597 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
625 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:676:7
    |
676 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
704 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:848:7
    |
848 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
876 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:927:7
    |
927 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
955 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:62:7
     |
  62 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:220:7
     |
 220 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:293:7
     |
 293 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:366:7
     |
 366 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:445:7
     |
 445 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:518:7
     |
 518 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:597:7
     |
 597 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:676:7
     |
 676 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:753:7
     |
 753 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:848:7
     |
 848 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:927:7
     |
 927 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:1003:7
     |
1003 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/release.yml:44:7
    |
 44 |         uses: "actions/setup-node@v4"
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
435 | / "on":
436 | |   push:
437 | |     branches:
438 | |     - "release-[0-9]+.[0-9]+.x"
439 | |     - "k[0-9]+"
440 | |     - "main"
    | |____________- generally used when publishing artifacts generated at runtime
    |
    = note: audit confidence → Low

334 findings (9 ignored, 298 suppressed): 0 informational, 0 low, 0 medium, 27 high