
Bump security-relevant deps (govulncheck + dependabot)#23

Merged
tamalsaha merged 2 commits into master from dep-bumps
Jun 2, 2026

Conversation

@tamalsaha

Contributor

Summary

Apply the dep updates flagged by govulncheck and dependabot.

Direct bumps (the requested list)

  Module                              Version
  github.com/containerd/containerd    v1.7.32
  github.com/go-git/go-billy/v5       v5.9.0
  github.com/go-git/go-git/v5         v5.19.1
  go.opentelemetry.io/otel/sdk        v1.43.0
  golang.org/x/crypto                 v0.52.0
  golang.org/x/net                    v0.55.0
  google.golang.org/grpc              v1.79.3

Lifted above the requested floor (both unavoidable)

These were on the list but the version selected is higher than requested, because Minimum Version Selection demands it:

  • go.opentelemetry.io/otel requested v1.41.0 → resolved v1.43.0 because otel/sdk@v1.43.0 requires otel@v1.43.0.
  • golang.org/x/sys requested v0.44.0 → resolved v0.45.0 because crypto@v0.52.0 and net@v0.55.0 both require sys@v0.45.0.

Test plan

  • GOFLAGS=-mod=vendor go build ./... clean.
  • GOFLAGS=-mod=vendor go test ./... -short -race — all packages pass.
  • GOFLAGS=-mod=vendor golangci-lint run ./... — 0 issues.
  • go mod tidy && go mod vendor leaves the tree clean.

Direct bumps:
- github.com/containerd/containerd v1.7.32
- github.com/go-git/go-billy/v5    v5.9.0
- github.com/go-git/go-git/v5      v5.19.1
- go.opentelemetry.io/otel/sdk     v1.43.0
- golang.org/x/crypto              v0.52.0
- golang.org/x/net                 v0.55.0
- google.golang.org/grpc           v1.79.3

Lifted to satisfy the above (MVS):
- go.opentelemetry.io/otel  v1.43.0  (otel/sdk@v1.43.0 requires it)
- golang.org/x/sys          v0.45.0  (crypto@v0.52.0 + net@v0.55.0
                                     both require it; the user's
                                     v0.44.0 floor was below that)

`go build ./...`, `go test ./... -short -race`, `golangci-lint run`,
and `go mod tidy && go mod vendor` are all clean.

Signed-off-by: Tamal Saha <tamal@appscode.com>

The dep bump pulled go-git/go-billy v5.9.0, which (transitively)
selects github.com/cyphar/filepath-securejoin v0.6.1. v0.6.0 moved
MkdirAll out of the top-level package into pathrs-lite. Our currently
pinned github.com/argoproj/argo-cd/v3 v3.2.12 still calls
`securejoin.MkdirAll(...)` at the top level, so typecheck fails:

  vendor/github.com/argoproj/argo-cd/v3/util/io/files/secure_mkdir_linux.go:
      undefined: securejoin.MkdirAll

argo-cd v3.4.x cascades a much wider bump (gitops-engine into
self-hosted sub-module, otel/oauth2 jumps, etc.) and the gitops-engine
version it selects fails to resolve from proxy.golang.org. Cheaper fix:
override the securejoin version with a replace directive — v0.5.2 still
has the top-level MkdirAll (as a deprecated wrapper around
pathrs.MkdirAll). go-git/go-billy v5.9.0 only uses
`securejoin.SecureJoin`, which is API-compatible with v0.5.2, so this
is a safe override.

Signed-off-by: Tamal Saha <tamal@appscode.com>
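The two mechanisms the description and the second commit message rely on, Minimum Version Selection lifting a requested floor (otel v1.41.0 to v1.43.0, x/sys v0.44.0 to v0.45.0) and a `replace` directive pinning filepath-securejoin to v0.5.2, can be run through in code. The program below is an added example written for this page, not code from the PR or the project. Its requirement graph is constructed from the module versions named above and is not the repository's real `go.mod` graph; the `main` module and the `mvs`/`buildList` helper names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// modver is one module at one version, e.g. {"golang.org/x/sys", "v0.45.0"}.
type modver struct{ path, version string }

// requires maps a module@version to the module versions it requires.
// CONSTRUCTED for this example from the versions named in the PR; it is not
// the project's real go.mod graph. "main" with an empty version is the root.
var requires = map[modver][]modver{
	{"main", ""}: {
		{"go.opentelemetry.io/otel/sdk", "v1.43.0"},
		{"go.opentelemetry.io/otel", "v1.41.0"}, // requested floor
		{"golang.org/x/crypto", "v0.52.0"},
		{"golang.org/x/net", "v0.55.0"},
		{"golang.org/x/sys", "v0.44.0"}, // requested floor
		{"github.com/go-git/go-billy/v5", "v5.9.0"},
	},
	{"go.opentelemetry.io/otel/sdk", "v1.43.0"}: {{"go.opentelemetry.io/otel", "v1.43.0"}},
	{"golang.org/x/crypto", "v0.52.0"}:          {{"golang.org/x/sys", "v0.45.0"}},
	{"golang.org/x/net", "v0.55.0"}:             {{"golang.org/x/sys", "v0.45.0"}},
	{"github.com/go-git/go-billy/v5", "v5.9.0"}: {{"github.com/cyphar/filepath-securejoin", "v0.6.1"}},
}

// semverLess compares two plain "vMAJOR.MINOR.PATCH" tags numerically.
// Pre-release and build suffixes are not handled; the graph above has none.
func semverLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3 && i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// mvs visits every module version reachable from root and keeps, per module
// path, the highest version any requirement list names. That max-of-minimums
// rule is Minimum Version Selection: a floor in go.mod can be raised by a
// dependency's requirement but never lowered, which is why otel and x/sys
// end up above the requested versions.
func mvs(graph map[modver][]modver, root modver) map[string]string {
	selected := map[string]string{}
	seen := map[modver]bool{}
	var visit func(modver)
	visit = func(m modver) {
		if seen[m] {
			return
		}
		seen[m] = true
		for _, dep := range graph[m] {
			if cur, ok := selected[dep.path]; !ok || semverLess(cur, dep.version) {
				selected[dep.path] = dep.version
			}
			visit(dep)
		}
	}
	visit(root)
	return selected
}

// buildList renders the selected versions the way `go list -m all` does once
// replace directives apply: a replace swaps in other module content but does
// not change which version MVS selected, so the line reads "v0.6.1 => ... v0.5.2".
func buildList(graph map[modver][]modver, root modver, replaces map[string]string) []string {
	var out []string
	for path, v := range mvs(graph, root) {
		line := path + " " + v
		if r, ok := replaces[path]; ok {
			line += " => " + path + " " + r
		}
		out = append(out, line)
	}
	sort.Strings(out)
	return out
}

func main() {
	// The override from the second commit: keep go-billy's selected v0.6.1 in
	// the graph, but build against v0.5.2, which still has securejoin.MkdirAll.
	replaces := map[string]string{"github.com/cyphar/filepath-securejoin": "v0.5.2"}
	for _, l := range buildList(requires, modver{"main", ""}, replaces) {
		fmt.Println(l)
	}
}
```

In a real module the same override is the go.mod line `replace github.com/cyphar/filepath-securejoin => github.com/cyphar/filepath-securejoin v0.5.2`, followed by `go mod tidy && go mod vendor`; the point the example makes is that the replace does not lower the selected version, it only substitutes content, so a later `go get -u` of go-billy will not silently undo it but `govulncheck` will still report against the replaced (v0.5.2) code that is actually compiled.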
tamalsaha merged commit 60ed55b into master Jun 2, 2026
4 checks passed
tamalsaha deleted the dep-bumps branch June 2, 2026 13:45