fix(deps): update Go dependencies to resolve known CVEs#447

Merged
raballew merged 1 commit into jumpstarter-dev:main from raballew:041-fix-dependency-vulnerabilities on Apr 9, 2026

Conversation

@raballew raballew commented Apr 9, 2026

Summary

  • Update Go module dependencies in controller/go.mod and controller/deploy/operator/go.mod to resolve 9 known CVEs identified by govulncheck

Go dependency updates

| Module | Old | New | CVE |
| --- | --- | --- | --- |
| google.golang.org/grpc | v1.70.0 | v1.80.0 | GO-2026-4762 (authorization bypass) |
| github.com/golang-jwt/jwt/v5 | v5.2.1 | v5.3.1 | GO-2025-3553 (memory allocation DoS) |
| golang.org/x/net | v0.38.0 | v0.49.0 | GO-2026-4441, GO-2026-4440 (parsing DoS) |
| github.com/go-jose/go-jose/v4 | v4.0.4 | v4.1.3 | GO-2025-3485 (parsing DoS) |
| golang.org/x/crypto | v0.36.0 | v0.47.0 | GO-2025-4135, GO-2025-4134, GO-2025-4116 (SSH DoS) |

Closes: #26

Test plan

  • Verify govulncheck ./... in controller/ reports zero symbol-level vulnerabilities for the targeted modules
  • Verify controller builds successfully
  • Verify CI passes (Go build, lint, e2e)

🤖 Generated with Claude Code
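The pin check a reviewer would run against the table above, as an added Go example that is not part of this PR or of the Jumpstarter code base: it parses the `require` entries of a go.mod, compares each against the table's "New" column with a small semver comparison that understands pre-releases and Go pseudo-versions, and reports anything still below that floor. The sample go.mod is constructed from the table's "Old" column, so every listed module is reported; the module path `example.com/controller` is a placeholder.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample modelled on the PR table's "Old" column; it is not the
// project's real go.mod.
const sampleGoMod = `module example.com/controller
require (
	github.com/go-jose/go-jose/v4 v4.0.4
	github.com/golang-jwt/jwt/v5 v5.2.1
	google.golang.org/grpc v1.70.0
	golang.org/x/crypto v0.36.0 // indirect
	golang.org/x/net v0.38.0 // indirect
)
`

// FixedVersions is the PR table's "New" column used as a floor: the versions
// this PR landed, not necessarily each advisory's first fixed release (issue
// #26 only asked for jwt/v5 >= v5.2.2, for instance).
var FixedVersions = map[string]string{
	"google.golang.org/grpc":        "v1.80.0",
	"github.com/golang-jwt/jwt/v5":  "v5.3.1",
	"golang.org/x/net":              "v0.49.0",
	"github.com/go-jose/go-jose/v4": "v4.1.3",
	"golang.org/x/crypto":           "v0.47.0",
}

// ParseGoMod returns module path -> version for the require entries (block or
// single-line form) of go.mod text; every other directive is skipped.
func ParseGoMod(src string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		switch {
		case len(f) == 0 || strings.HasPrefix(line, "//"): // blank or comment
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2: // "path version [// indirect]"
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) >= 3: // "require path version"
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// versionKey maps "vMAJOR.MINOR.PATCH[-pre][+build]" to a comparable tuple; the
// last element is 0 for a pre-release (Go pseudo-versions included), else 1.
func versionKey(v string) (k [4]int) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, pre, _ := strings.Cut(v, "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		k[i], _ = strconv.Atoi(p)
	}
	if pre == "" {
		k[3] = 1
	}
	return k
}

// CompareVersions returns -1, 0 or 1; a pre-release sorts below its release.
func CompareVersions(a, b string) int {
	ka, kb := versionKey(a), versionKey(b)
	for i := range ka {
		if ka[i] < kb[i] {
			return -1
		}
		if ka[i] > kb[i] {
			return 1
		}
	}
	return 0
}

// BelowFloor returns path -> current version for each floor module that go.mod
// still requires below the floor. Modules absent from go.mod are not reported:
// they cannot carry the vulnerable code.
func BelowFloor(reqs, floor map[string]string) map[string]string {
	out := map[string]string{}
	for path, need := range floor {
		if have, ok := reqs[path]; ok && CompareVersions(have, need) < 0 {
			out[path] = have
		}
	}
	return out
}

func main() {
	fmt.Println("still below fix floor:", BelowFloor(ParseGoMod(sampleGoMod), FixedVersions))
}
```

Run it as is against the constructed sample, or feed ParseGoMod the contents of controller/go.mod and controller/deploy/operator/go.mod; an empty map means every pin is at or above its floor (fmt prints map keys sorted, so the report is stable). This checks pins, not reachability: `govulncheck ./...` from the test plan stays the authoritative signal, since it reports only vulnerable symbols the binaries actually reach, while this catches a bump that never landed in one of the two modules.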

netlify Bot commented Apr 9, 2026

Deploy Preview for jumpstarter-docs ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 1f5ef14 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/jumpstarter-docs/deploys/69d786c34db35a00088a46c6 |
| 😎 Deploy Preview | https://deploy-preview-447--jumpstarter-docs.netlify.app |
coderabbitai Bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 2f2d4b3 and 1f5ef14.

⛔ Files ignored due to path filters (2)
  • controller/deploy/operator/go.sum is excluded by !**/*.sum
  • controller/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • controller/deploy/operator/go.mod
  • controller/go.mod
✅ Files skipped from review due to trivial changes (2)
  • controller/deploy/operator/go.mod
  • controller/go.mod

📝 Walkthrough


Updated Go module dependencies across two files by bumping versions for multiple packages including security-related libraries (github.com/golang-jwt/jwt/v5), cryptography modules (golang.org/x/crypto), gRPC infrastructure, and OpenTelemetry observability components.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Operator Go Module: controller/deploy/operator/go.mod | Updated 12+ indirect dependency versions including github.com/golang-jwt/jwt/v5 (v5.3.0→v5.3.1), google.golang.org/grpc (v1.75.1→v1.80.0), OpenTelemetry components (v1.37.0→v1.39.0), and multiple golang.org/x/* utilities. |
| Controller Root Go Module: controller/go.mod | Updated direct dependencies (github.com/go-jose/go-jose/v4, github.com/go-logr/logr, github.com/golang-jwt/jwt/v5) and 10+ transitive dependencies including google.golang.org/grpc, google.golang.org/protobuf, and OpenTelemetry modules. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Dependencies fresh and secure today,
No vulnerabilities left to delay,
gRPC flows swift, telemetry bright,
JWT tokens parsed safe through the night! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 42.42%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main objective of the changeset: updating Go dependencies to resolve CVEs, which aligns with the code changes. |
| Description check | ✅ Passed | The description is related to the changeset and provides a clear summary of dependency updates with a table mapping modules to their versions and associated CVE fixes. |
| Linked Issues check | ✅ Passed | The pull request successfully addresses the primary objective from issue #26: updating github.com/golang-jwt/jwt/v5 from v5.2.1 to v5.3.1, which exceeds the minimum requirement of v5.2.2 or later. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to updating Go module dependencies in controller/go.mod and controller/deploy/operator/go.mod to resolve known CVEs, which aligns with the stated objectives. |

@raballew raballew marked this pull request as ready for review April 9, 2026 09:36
@raballew raballew requested a review from mangelajo April 9, 2026 09:36

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
controller/deploy/operator/go.mod (1)

100-107: Consider aligning OTel exporter versions with the upgraded core OTel modules.

go.opentelemetry.io/otel, /metric, /sdk, and /trace are now v1.39.0, while otlptrace/otlptracegrpc in the same file remain at v1.37.0 (Line 103-104). This mixed minor set often works, but aligning them usually reduces drift and subtle integration issues.

Suggested manifest alignment
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 // indirect
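Review bot: the suggested edit rewrites two `// indirect` requirements by hand, which `go mod tidy` will only keep if the module graph agrees; drive the bump with `go get go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.39.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.39.0` followed by `go mod tidy` in controller/deploy/operator, and confirm which module's direct requirement pulls the exporters in, since that is where the v1.37.0 pin originates. The review excludes go.sum (`!**/*.sum` above), so the new module hashes the bump introduces need a manual look before merge.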
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@controller/deploy/operator/go.mod` around lines 100 - 107, The go.mod has a
version mismatch: core OTel modules (go.opentelemetry.io/otel, /metric, /sdk,
/trace) are at v1.39.0 while the exporters
go.opentelemetry.io/otel/exporters/otlp/otlptrace and .../otlptracegrpc are at
v1.37.0; update the otlptrace and otlptracegrpc entries to v1.39.0 to align with
the core modules, then run module resolution (e.g., go mod tidy / go get) to
reconcile dependencies so everything uses the same minor version.
python/packages/jumpstarter/jumpstarter/common/utils_test.py (1)

65-117: Add malformed-JSON regression coverage for label parsing.

Current parsing tests are good, but adding one malformed JSON case will lock in fail-soft behavior for env corruption edge cases.

✅ Suggested test
+def test_parse_labels_malformed_json_returns_empty_dict():
+    labels = ExporterMetadata._parse_labels('{"board":"rpi4"')
+    assert labels == {}
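Review bot: the expected value conflicts with the inline comment on env.py below, which asks from_env() to fall back to the legacy label parsing on json.JSONDecodeError rather than return {}; with that fallback, `_parse_labels('{"board":"rpi4"')` may not return an empty dict and this assertion fails. Pick one fail-soft behaviour and have the test assert it. Note also that the merged PR is scoped to the two go.mod files, so this test belongs with the env.py change, not with a dependency bump.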
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@python/packages/jumpstarter/jumpstarter/common/utils_test.py` around lines 65
- 117, Add a test that ensures malformed JSON in the JMP_EXPORTER_LABELS env var
is handled fail-soft (no exception and returns empty labels); create a new test
in python/packages/jumpstarter/jumpstarter/common/utils_test.py (e.g.,
test_parse_labels_malformed_json) that sets JMP_EXPORTER_LABELS to invalid JSON
(like '{"key": "val",') and calls ExporterMetadata._parse_labels (or
ExporterMetadata.from_env) asserting it returns {} (and that from_env does not
raise and yields meta.labels == {}).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@python/packages/jumpstarter/jumpstarter/utils/env.py`:
- Around line 40-43: When parsing JMP_EXPORTER_LABELS in from_env(), guard the
json.loads(raw) call with a try/except catching json.JSONDecodeError so
malformed JSON doesn't crash env_with_metadata() or env_with_metadata_async();
on JSONDecodeError fall back to the existing legacy parsing logic (the branch
that builds labels: dict[str,str]) and log or ignore the bad JSON as appropriate
so metadata loading continues. Ensure you reference JMP_EXPORTER_LABELS parsing
in from_env() and handle the exception around the json.loads(raw) call.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 76755c6 and 2f2d4b3.

⛔ Files ignored due to path filters (2)
  • controller/deploy/operator/go.sum is excluded by !**/*.sum
  • controller/go.sum is excluded by !**/*.sum
📒 Files selected for processing (7)
  • controller/deploy/operator/go.mod
  • controller/go.mod
  • python/packages/jumpstarter/jumpstarter/client/lease.py
  • python/packages/jumpstarter/jumpstarter/common/utils.py
  • python/packages/jumpstarter/jumpstarter/common/utils_test.py
  • python/packages/jumpstarter/jumpstarter/config/env.py
  • python/packages/jumpstarter/jumpstarter/utils/env.py

Outdated comment threads:
  • python/packages/jumpstarter/jumpstarter/utils/env.py
  • python/packages/jumpstarter/jumpstarter/client/lease.py
  • python/packages/jumpstarter/jumpstarter/common/utils.py

Update vulnerable dependencies in controller/go.mod and
controller/deploy/operator/go.mod to address 8 known CVEs:

- google.golang.org/grpc v1.70.0 -> v1.80.0 (GO-2026-4762, authorization bypass)
- github.com/golang-jwt/jwt/v5 v5.2.1 -> v5.3.1 (GO-2025-3553, memory exhaustion)
- golang.org/x/net v0.38.0 -> v0.49.0 (GO-2026-4441, GO-2026-4440)
- github.com/go-jose/go-jose/v4 v4.0.4 -> v4.1.3 (GO-2025-3485, DoS)
- golang.org/x/crypto v0.36.0 -> v0.47.0 (GO-2025-4135, GO-2025-4134, GO-2025-4116)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@raballew raballew force-pushed the 041-fix-dependency-vulnerabilities branch from 2f2d4b3 to 1f5ef14 April 9, 2026 11:00
@raballew raballew requested a review from mangelajo April 9, 2026 11:08
@raballew raballew enabled auto-merge (squash) April 9, 2026 11:08
@raballew raballew merged commit 3d5ffa7 into jumpstarter-dev:main Apr 9, 2026
26 checks passed

Development

Successfully merging this pull request may close these issues:
  • Security: Update github.com/golang-jwt/jwt/v5 to fix HIGH severity vulnerability

2 participants