-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
go.mod: update dependencies #1657
base: master
Are you sure you want to change the base?
Conversation
testing notaryproject/notary#1657 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Ah, I think this may be the "good ol" permissions issue;
Executing busybox-1.35.0-r15.trigger
OK: 22 MiB in 25 packages
go: downloading github.com/docker/distribution v2.8.1+incompatible
...
go: downloading github.com/cespare/xxhash v1.1.0
These files were modified:
?? vendor/github.com/docker/go-metrics/LICENSE This is an actual failure; looks like some changes are needed for compatibility with Prometheus updates;
|
whoops, nope, was my mistake, didn't stage a file 😂 |
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
b34cef2
to
1ded4f0
Compare
The old code was no longer compatible with current versions of prometheus. This switches the code to use docker/go-metrics, which is compatible with current versions of prometheus, and already in use in other code in the dependency tree. I tried to keep the metrics the same as before, but there may be some differences. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. full diff: golang/term@f5c789d...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. full diff: golang/sys@bc2c85a...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. includes fixes for CVE-2022-32149 (v0.3.8) full diff: golang/text@v0.3.3...v0.4.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. - updates to a version that fixes CVE-2022-27664 full diff: golang/net@f585440...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib: Beginning with Go 1.13, the functionality of this package was moved to the standard library as crypto/ed25519. This package only acts as a compatibility wrapper. full diff: golang/crypto@f585440...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Adds go.mod support full diff: dvsekhvalnov/jose2go@248326c...v1.5.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
…e27f20d full diff: Shopify/logrus-bugsnag@6dbc35f...577dee2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: sirupsen/logrus@v1.7.1...v1.9.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: miekg/pkcs11@v1.0.3...v1.1.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
contains fixes for CVE-2021-3121 "skippy peanut butter" full diff: gogo/protobuf@v1.0.0...v1.3.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
removes the deprecated github.com/BurntSushi/toml dependency full diff: spf13/viper@be5ff3e...v1.13.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
This is a dependency for docker/distribution, which does not yet use go modules, so indirect dependencies aren't updated automatically. image-spec v1.0.2 contains mitigations for CVE-2021-41190. full diff: opencontainers/image-spec@v1.0.1...v1.0.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: distribution/distribution@v2.7.1...v2.8.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: gorilla/mux@v1.7.0...v1.8.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
not the latest version, but this version looks to be commonly used in various projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1) full diff: prometheus/client_golang@c332b6f...v1.12.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
adds go.mod full diff: docker/go-metrics@c332b6f...v0.0.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
not using latest version, as that brings many indirect dependencies (through cobra) - removes github.com/gogo/protobuf dependency - unfortunately, brings back golang.org/x/crypto/ed25519 (will open a PR for that) Signed-off-by: Sebastiaan van Stijn <[email protected]>
updating the indirect dependency to match other projects; this version adds a go.mod; matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
1ded4f0
to
1c7f718
Compare
Interesting; breaking change in golang/x/sys?
|
This PR updates most dependencies to a more current version, better reflecting
the versions of these dependencies that are used in code consuming the notary
module. By updating, we're able to verify that the code in this repository doesn't
break with the newer versions.
There's a couple more dependencies to update, but some of those may require local
changes, so doing that separately.
I split the updates into many commits, picking an order of updates that allowed
for individual dependencies to be updated (using a different order often led to
many dependencies to be updated at once, which makes reviewing the changes more
difficult). I included a link to the "full" diff for each update to assist in
reviewing as well.
I'm keeping this in draft for now, as I'm planning to do a round of "draft" PRs
in repositories that use notary as a dependency, to verify these updates are all
compatible (there's some indirect dependencies that are known to be problemeatic).
go.mod: github.com/spf13/cobra v1.6.1
Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed
full diff: spf13/cobra@v1.6.0...v1.6.1
go.mod: golang.org/x/term v0.1.0
The golang.org/x/ projects now tag releases.
full diff: golang/term@f5c789d...v0.1.0
go.mod: golang.org/x/sys v0.1.0
The golang.org/x/ projects now tag releases.
full diff: golang/sys@bc2c85a...v0.1.0
go.mod: golang.org/x/text v0.4.0
The golang.org/x/ projects now tag releases.
includes fixes for CVE-2022-32149 (v0.3.8)
full diff: golang/text@v0.3.3...v0.4.0
go.mod: golang.org/x/net v0.1.0
The golang.org/x/ projects now tag releases.
full diff: golang/net@f585440...v0.1.0
go.mod: golang.org/x/crypto v0.1.0
The golang.org/x/ projects now tag releases.
Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib:
full diff: golang/crypto@f585440...v0.1.0
go.mod: github.com/dvsekhvalnov/jose2go v1.5.0
Adds go.mod support
full diff: dvsekhvalnov/jose2go@248326c...v1.5.0
go.mod: github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d
full diff: Shopify/logrus-bugsnag@6dbc35f...577dee2
go.mod: github.com/sirupsen/logrus v1.9.0
full diff: sirupsen/logrus@v1.7.1...v1.9.0
go.mod: github.com/miekg/pkcs11 v1.0.3
full diff: miekg/pkcs11@v1.0.3...v1.1.1
go.mod: github.com/stretchr/testify v1.8.1
go.mod: google.golang.org/protobuf v1.28.0
go.mod: github.com/gogo/protobuf v1.3.2
contains fixes for CVE-2021-3121 "skippy peanut butter"
full diff: gogo/protobuf@v1.0.0...v1.3.2
go.mod: github.com/spf13/viper v1.13.0
removes the deprecated github.com/BurntSushi/toml dependency
full diff: spf13/viper@be5ff3e...v1.13.0
go.mod: github.com/opencontainers/image-spec v1.0.2
This is a dependency for docker/distribution, which does not yet use go modules,
so indirect dependencies aren't updated automatically.
image-spec v1.0.2 contains mitigations for CVE-2021-41190.
full diff: opencontainers/image-spec@v1.0.1...v1.0.2
go.mod: github.com/docker/distribution v2.8.1
full diff: distribution/distribution@v2.7.1...v2.8.1
go.mod: github.com/gorilla/mux v1.8.0
full diff: gorilla/mux@v1.7.0...v1.8.0
go.mod: github.com/prometheus/client_golang v1.12.1
not the latest version, but this version looks to be commonly used in various
projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1)
full diff: prometheus/client_golang@c332b6f...v1.12.1
go.mod: github.com/docker/go-metrics v0.0.1
adds go.mod
full diff: docker/go-metrics@c332b6f...v0.0.1
go.mod: github.com/cloudflare/cfssl v1.5.0
go.mod: github.com/matttproud/golang_protobuf_extensions v1.0.2
updating the indirect dependency to match other projects; this version adds
a go.mod;
full diff: matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2