[WIP]Remove personal fork replace directive for filepath-securejoin

[wangke19]

Summary

This PR removes the personal fork replace directive for github.com/cyphar/filepath-securejoin that was added in PR #30746.

Problem

PR #30746 added a replace directive pointing to a personal fork (github.com/wangke19/filepath-securejoin-1) as a workaround for opencontainers/runc v1.2.5 calling the removed MkdirAllHandle function from filepath-securejoin v0.6.0.

However, this has several issues:

1. Supply chain risk — Personal forks should not be in upstream repositories
2. Maintenance burden — If the personal fork is deleted/modified, origin builds break
3. Unnecessary — go mod why shows that opencontainers/runc is not actually needed by the origin module:

   # github.com/opencontainers/runc
   (main module does not need package github.com/opencontainers/runc)
   

Solution

Remove the personal fork replace directive and use the official filepath-securejoin v0.6.0.

Since runc is only a transitive dependency (not directly used by origin), the compatibility shim in the fork is not needed.

Changes

Commit 1: Remove replace directive from go.mod

• Removed the filepath-securejoin replace directive
• Reverted to official github.com/cyphar/filepath-securejoin v0.6.0

Commit 2: Update vendor directory

• Removed mkdirall_compat_linux.go (compatibility shim from fork)
• Reverted VERSION from 0.6.1 (fork) to 0.6.0 (official)
• Updated pathrs-lite internal components to official v0.6.0 state

Testing

• go mod tidy — no errors
• go mod vendor — updated successfully
• go mod why github.com/opencontainers/runc — confirms runc is not needed by origin

Related

• Original PR: OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746 (added the personal fork)
• Future cleanup: PR OCPSTRAT-2728: Rebase 1.35 #30866 (K8s 1.35 rebase) will also remove this when it merges, as the rebase removes opencontainers/runc entirely from the dependency graph. This PR provides immediate cleanup for the current main branch.

Verification

The personal fork was only needed if opencontainers/runc was actively used by origin code. Since it's only a transitive dependency, we can safely remove it.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2602ed43-1519-4beb-822a-d44142ab2586

📥 Commits

Reviewing files that changed from the base of the PR and between 085b8a0 and da3e4f5.

⛔ Files ignored due to path filters (11)

• go.sum is excluded by !**/*.sum
• vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/VERSION is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/mkdirall_compat_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

💤 Files with no reviewable changes (1)

• go.mod

---

Walkthrough

Removed a replace directive in go.mod that mapped github.com/cyphar/filepath-securejoin to a patched fork at github.com/wangke19/filepath-securejoin-1. The change reverts dependency resolution to use the original module path directly.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod	Removed replace directive for github.com/cyphar/filepath-securejoin that was redirecting to a patched fork version, reverting to direct module resolution.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can enable review details to help with troubleshooting, context usage and more.

Enable the reviews.review_details setting to include review details such as the model used, the time taken for each step and more in the review comments.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangke19
Once this PR has been reviewed and has the lgtm label, please assign sosiouxme for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@wangke19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	da3e4f5	link	true	/test verify
ci/prow/unit	da3e4f5	link	true	/test unit
ci/prow/images	da3e4f5	link	true	/test images
ci/prow/okd-scos-images	da3e4f5	link	true	/test okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[wangke19]

Closing this PR as CI testing revealed the personal fork is actually required.

Root Cause

The personal fork github.com/wangke19/filepath-securejoin-1 provides a compatibility shim for MkdirAllHandle() which was removed in filepath-securejoin v0.6.0.

opencontainers/runc v1.2.5 (used transitively via Kubernetes kubelet) still calls this old API:

vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go:334:
    return securejoin.MkdirAllHandle(rootDir, unsafePath, mode)

Without the compatibility shim, builds fail with:

vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go:334:20: 
    undefined: securejoin.MkdirAllHandle

Why go mod why Was Misleading

go mod why github.com/opencontainers/runc reported "(main module does not need package)", but this only checks if the main module directly imports runc. It doesn't check transitive usage through vendor dependencies like Kubernetes.

Next Steps

Created issue #30890 to track migrating from the personal fork to an organization fork (github.com/openshift/filepath-securejoin) to eliminate the supply chain risk while maintaining build compatibility.

Lessons Learned

Updated my development guidelines to be more conservative about dependency changes and to always verify with actual builds, not just go mod why.