build(deps): bump k8s.io/api from 0.26.0 to 0.34.2 in /k8s

[dependabot]

Bumps k8s.io/api from 0.26.0 to 0.34.2.

Commits

• e28454b Update dependencies to v0.34.2 tag
• 133a39c Merge remote-tracking branch 'origin/master' into release-1.34
• fd087be clarify that staging repos are automatically published
• ff163ef add pointer to CONTRIBUTING.md for more details on contributing, clarify read...
• 5ec86fc link to what a staging repository is
• 08c5dee docs: clarify that this is a staging repository and not for direct contributions
• ba64d0b Update prerelease lifecycle to v1.34
• 25f849c Merge pull request #132522 from sunya-ch/KEP-5075-PR
• baa1eb1 KEP-5075: generated codes from make update
• 740b2c9 KEP-5075: API updates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Summary by cubic

Upgrade Kubernetes API in /k8s from v0.26.0 to v0.34.2 to track Kubernetes 1.34. This also updates related dependencies and raises the module to Go 1.24 for compatibility and security.

• Dependencies

  • k8s.io/api and k8s.io/apimachinery → v0.34.2; gomega → v1.35.1.
  • Notable indirect changes: structured-merge-diff → v6, klog v2 → v2.130.1, yaml → v1.6.0, x/net/sys/text updated; added CBOR and float16 libs.
  • client-go remains at v0.26.0 (possible API skew).

• Migration

  • Update CI and local toolchains to Go 1.24.
  • Align k8s.io/client-go (and any generators) to v0.34.x to avoid mismatches.
  • Re-run codegen and tests; review any API changes between 1.26 and 1.34.

^{Written for commit 57bb46e. Summary will update automatically on new commits.}

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code analysis shows clean changes with no direct vulnerabilities, the dependency analysis reveals critical security risks that must be addressed. The PR introduces 9 CVEs in golang.org/x/net including CVE-2023-44487 (HTTP/2 Rapid Reset attack, CISA KEV listed) and CVE-2023-45288 (98.378 EPSS percentile indicating high exploitation likelihood). These vulnerabilities exist in a transitive dependency path through ginkgo→gomega→golang.org/x/net version 0.3.1. The core Kubernetes API update to 0.34.2 and Go stdlib upgrade to 1.24.0 are beneficial changes, but the critical security vulnerabilities pose immediate risk that outweighs these benefits. Action required: Update golang.org/x/net to v0.47.0 before proceeding with this PR.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

• Critical: Update golang.org/x/net to fix 9 security vulnerabilities. The vulnerable version 0.3.1-0.20221206200815-1e63c2f08a10 contains multiple CVEs including CVE-2023-44487 (HTTP/2 Rapid Reset - CISA KEV listed) and CVE-2023-45288 (EPSS 98.378 percentile). Dependency path: github.com/onsi/ginkgo → github.com/onsi/gomega → golang.org/x/net. Fix command: Update golang.org/x/net to v0.47.0
• Several dependencies show maintenance concerns (github.com/kr/text, k8s.io/klog/v2, sigs.k8s.io/yaml, github.com/modern-go/reflect2, github.com/google/go-cmp, sigs.k8s.io/json) with low maintenance scores. While not blocking, monitor these dependencies for future updates and consider alternatives if maintenance issues persist.
• Positive changes: Go stdlib updated from 1.18 to 1.24.0 (significant security and performance improvements), and k8s.io API components updated to 0.34.2 (latest stable). The core Kubernetes dependencies are well-maintained and from trusted sources.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 57bb46e, performed at: 2025-11-13T11:03:07Z

Found this helpful? Give it a 👍 or 👎 reaction!

[cubic-dev-ai]

No issues found across 2 files