Direct bumps:
- github.com/containerd/containerd v1.7.32
- github.com/go-git/go-billy/v5 v5.9.0
- github.com/go-git/go-git/v5 v5.19.1
- go.opentelemetry.io/otel/sdk v1.43.0
- golang.org/x/crypto v0.52.0
- golang.org/x/net v0.55.0
- google.golang.org/grpc v1.79.3
Lifted to satisfy the above (MVS):
- go.opentelemetry.io/otel v1.43.0 (otel/sdk@v1.43.0 requires it)
- golang.org/x/sys v0.45.0 (crypto@v0.52.0 + net@v0.55.0 both require it; the user's v0.44.0 floor was below that)
`go build ./...`, `go test ./... -short -race`, `golangci-lint run`,
and `go mod tidy && go mod vendor` are all clean.
Signed-off-by: Tamal Saha <tamal@appscode.com>
The dep bump pulled go-git/go-billy v5.9.0, which (transitively)
selects github.com/cyphar/filepath-securejoin v0.6.1. v0.6.0 moved
MkdirAll out of the top-level package into pathrs-lite. Our currently
pinned github.com/argoproj/argo-cd/v3 v3.2.12 still calls
`securejoin.MkdirAll(...)` at the top level, so typecheck fails:
vendor/github.com/argoproj/argo-cd/v3/util/io/files/secure_mkdir_linux.go:
undefined: securejoin.MkdirAll
argo-cd v3.4.x cascades a much wider bump (gitops-engine into
self-hosted sub-module, otel/oauth2 jumps, etc.) and the gitops-engine
version it selects fails to resolve from proxy.golang.org. Cheaper fix:
override the securejoin version with a replace directive — v0.5.2 still
has the top-level MkdirAll (as a deprecated wrapper around
pathrs.MkdirAll). go-git/go-billy v5.9.0 only uses
`securejoin.SecureJoin`, which is API-compatible with v0.5.2, so this
is a safe override.
Signed-off-by: Tamal Saha <tamal@appscode.com>
Summary
Apply the dep updates flagged by govulncheck and dependabot.
Direct bumps (the requested list)
Lifted above the requested floor (both unavoidable)
These were on the list but the version selected is higher than requested, because Minimum Version Selection demands it:
- go.opentelemetry.io/otel: requested v1.41.0 → resolved v1.43.0 because otel/sdk@v1.43.0 requires otel@v1.43.0.
- golang.org/x/sys: requested v0.44.0 → resolved v0.45.0 because crypto@v0.52.0 and net@v0.55.0 both require sys@v0.45.0.
Test plan
- GOFLAGS=-mod=vendor go build ./... : clean.
- GOFLAGS=-mod=vendor go test ./... -short -race : all packages pass.
- GOFLAGS=-mod=vendor golangci-lint run ./... : 0 issues.
- go mod tidy && go mod vendor leaves the tree clean.
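The two mechanisms this PR leans on, Minimum Version Selection lifting otel and x/sys above the requested floor, and a versionless replace directive pinning filepath-securejoin to v0.5.2 while go-billy still requires v0.6.1, are easy to misread from go.mod alone. The following is an added example, not code from this PR, from the Go toolchain or from any of the modules named above: a toy MVS resolver run over a constructed requirement graph. Module paths and versions are the ones in the commit messages; the edges are simplified (go-billy's requirement on securejoin is collapsed from transitive to direct) and the argo-cd edge on the older securejoin is an assumption made only for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Module is one module@version node in a requirement graph.
type Module struct {
	Path, Version string
}

// Graph maps each module@version to the modules its go.mod requires.
type Graph map[Module][]Module

// Selection is the outcome of resolution for one module path.
type Selection struct {
	Selected  string // highest version any reachable go.mod requires (MVS)
	Effective string // version actually built; differs only under a replace directive
}

// parseSemver splits "vMAJOR.MINOR.PATCH" into ints; pre-release suffixes are not handled.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unsupported version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unsupported version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// Less reports whether semantic version a is lower than b.
func Less(a, b string) bool {
	pa, errA := parseSemver(a)
	pb, errB := parseSemver(b)
	if errA != nil || errB != nil {
		return a < b // malformed input: fall back to lexical order
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Select implements Minimum Version Selection: every module@version reachable from
// the main module's requirements is visited and, per path, the highest required
// version wins. A versionless replace (path -> version) does not change what MVS
// selects; it substitutes the replacement's source and go.mod for the selected version.
func Select(g Graph, main []Module, replace map[string]string) map[string]Selection {
	out := map[string]Selection{}
	seen := map[Module]bool{}
	var visit func(m Module)
	visit = func(m Module) {
		if seen[m] {
			return
		}
		seen[m] = true
		s := out[m.Path]
		if s.Selected == "" || Less(s.Selected, m.Version) {
			s.Selected = m.Version
		}
		s.Effective = s.Selected
		src := m // whose go.mod supplies the requirements followed next
		if r, ok := replace[m.Path]; ok {
			s.Effective = r
			src = Module{m.Path, r}
		}
		out[m.Path] = s
		for _, dep := range g[src] {
			visit(dep)
		}
	}
	for _, m := range main {
		visit(m)
	}
	return out
}

// LiftedAbove lists (sorted) the paths whose selected version exceeds the requested one.
func LiftedAbove(sel map[string]Selection, requested []Module) []string {
	var lifted []string
	for _, r := range requested {
		if s, ok := sel[r.Path]; ok && Less(r.Version, s.Selected) {
			lifted = append(lifted, r.Path)
		}
	}
	sort.Strings(lifted)
	return lifted
}

// BumpGraph is the constructed graph for this PR: real paths/versions, simplified edges,
// and an ASSUMED argo-cd requirement on the older securejoin (not stated in the PR).
func BumpGraph() (Graph, []Module) {
	otel, sys, sj := "go.opentelemetry.io/otel", "golang.org/x/sys", "github.com/cyphar/filepath-securejoin"
	g := Graph{
		{"go.opentelemetry.io/otel/sdk", "v1.43.0"}:   {{otel, "v1.43.0"}},
		{"golang.org/x/crypto", "v0.52.0"}:            {{sys, "v0.45.0"}},
		{"golang.org/x/net", "v0.55.0"}:               {{sys, "v0.45.0"}},
		{"github.com/go-git/go-billy/v5", "v5.9.0"}:   {{sj, "v0.6.1"}}, // transitive edge collapsed
		{"github.com/argoproj/argo-cd/v3", "v3.2.12"}: {{sj, "v0.5.2"}}, // assumed for the example
	}
	requested := []Module{
		{"go.opentelemetry.io/otel/sdk", "v1.43.0"}, {otel, "v1.41.0"}, // otel: requested floor
		{"golang.org/x/crypto", "v0.52.0"}, {"golang.org/x/net", "v0.55.0"}, {sys, "v0.44.0"},
		{"github.com/go-git/go-billy/v5", "v5.9.0"}, {"github.com/argoproj/argo-cd/v3", "v3.2.12"},
	}
	return g, requested
}

func main() {
	g, requested := BumpGraph()
	replace := map[string]string{"github.com/cyphar/filepath-securejoin": "v0.5.2"}
	for _, run := range []struct {
		name string
		rep  map[string]string
	}{{"without replace", nil}, {"with replace", replace}} {
		sel := Select(g, requested, run.rep)
		fmt.Println(run.name, "lifted:", LiftedAbove(sel, requested))
		for _, p := range []string{"go.opentelemetry.io/otel", "golang.org/x/sys", "github.com/cyphar/filepath-securejoin"} {
			fmt.Printf("  %-40s selected %s, builds %s\n", p, sel[p].Selected, sel[p].Effective)
		}
	}
}
```

Running it shows the two lifts the PR description reports (otel v1.41.0 → v1.43.0, x/sys v0.44.0 → v0.45.0) and, with the replace in place, securejoin still selected at v0.6.1 but built from v0.5.2, which is exactly the `v0.6.1 => v0.5.2` shape `go list -m` prints for a replaced module. The practical caveat the model makes visible: a replace silently overrides MVS for every requirer of that path, so the pin must be revisited when argo-cd is next bumped, or the project keeps building a securejoin older than its dependencies ask for.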