chore(deps): update module golang.org/x/oauth2 to v0.27.0 [security] (release-1.19)

[crossplane-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/oauth2	v0.21.0 -> v0.27.0

---

Unexpected memory consumption during token parsing in golang.org/x/oauth2

CVE-2025-22868 / GHSA-6v2p-p543-phr9 / GO-2025-3488

More information

Details

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Severity

Unknown

References

• https://go.dev/cl/652155
• https://go.dev/issue/71490

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

CVE-2025-22868 / GHSA-6v2p-p543-phr9 / GO-2025-3488

More information

Details

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22868
• https://go.dev/cl/652155
• https://go.dev/issue/71490
• https://pkg.go.dev/vuln/GO-2025-3488

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[crossplane-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.mod

Command failed: earthly --strict +go-generate
 Init 🚀
————————————————————————————————————————————————————————————————————————————————

           buildkitd | Found buildkit daemon as docker container (earthly-buildkitd)

 Build 🔧
————————————————————————————————————————————————————————————————————————————————

              logbus | Setting organization "crossplane" and project "crossplane-runtime"
        +go-generate | --> FROM +base
        +go-generate | --> FROM +go-modules
         +go-modules | --> FROM +base
       golang:1.22.3 | --> Load metadata golang:1.22.3 linux/amd64
         +go-modules | --> FROM golang:1.22.3
         +go-modules | [----------] 100% FROM golang:1.22.3�[K
         +go-modules | *cached* --> WORKDIR /crossplane
         +go-modules | *cached* --> COPY go.mod go.sum ./
         +go-modules | --> RUN go mod download
         +go-modules | go: go.mod requires go >= 1.23.0 (running go 1.22.3; GOTOOLCHAIN=local)
         +go-modules | ERROR Earthfile:48:2
         +go-modules |       The command
         +go-modules |           RUN go mod download
         +go-modules |       did not complete successfully. Exit code 1

================================== ❌ FAILURE ===================================

         +go-modules *failed* | Repeating the failure error...
         +go-modules *failed* | --> RUN go mod download
         +go-modules *failed* | go: go.mod requires go >= 1.23.0 (running go 1.22.3; GOTOOLCHAIN=local)
         +go-modules *failed* | ERROR Earthfile:48:2
         +go-modules *failed* |       The command
         +go-modules *failed* |           RUN go mod download
         +go-modules *failed* |       did not complete successfully. Exit code 1

Help: To debug your build, you can use the --interactive (-i) flag to drop into a shell of the failing RUN step: "earthly -i --strict +go-generate"

🛰️ Reuse cache between CI runs with Earthly Satellites! 2-20X faster than without cache. Generous free tier https://cloud.earthly.dev

[jbw976]

v1.19 will no longer be supported with the upcoming v2.1 release next week, closing this out

[crossplane-renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v0.27.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.