go.mod: update dependencies #1657
base: master
testing notaryproject/notary#1657 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Ah, I think this may be the "good ol" permissions issue;

Executing busybox-1.35.0-r15.trigger
OK: 22 MiB in 25 packages
go: downloading github.com/docker/distribution v2.8.1+incompatible
...
go: downloading github.com/cespare/xxhash v1.1.0
These files were modified:
?? vendor/github.com/docker/go-metrics/LICENSE

This is an actual failure; looks like some changes are needed for compatibility with Prometheus updates;

whoops, nope, was my mistake, didn't stage a file 😂
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
b34cef2 to 1ded4f0
The old code was no longer compatible with current versions of prometheus. This switches the code to use docker/go-metrics, which is compatible with current versions of prometheus, and already in use in other code in the dependency tree. I tried to keep the metrics the same as before, but there may be some differences. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. full diff: golang/term@f5c789d...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. full diff: golang/sys@bc2c85a...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. includes fixes for CVE-2022-32149 (v0.3.8) full diff: golang/text@v0.3.3...v0.4.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. - updates to a version that fixes CVE-2022-27664 full diff: golang/net@f585440...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases. Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib: Beginning with Go 1.13, the functionality of this package was moved to the standard library as crypto/ed25519. This package only acts as a compatibility wrapper. full diff: golang/crypto@f585440...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Adds go.mod support full diff: dvsekhvalnov/jose2go@248326c...v1.5.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
…e27f20d full diff: Shopify/logrus-bugsnag@6dbc35f...577dee2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: sirupsen/logrus@v1.7.1...v1.9.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: miekg/pkcs11@v1.0.3...v1.1.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
contains fixes for CVE-2021-3121 "skippy peanut butter" full diff: gogo/protobuf@v1.0.0...v1.3.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
removes the deprecated github.com/BurntSushi/toml dependency full diff: spf13/viper@be5ff3e...v1.13.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
This is a dependency for docker/distribution, which does not yet use go modules, so indirect dependencies aren't updated automatically. image-spec v1.0.2 contains mitigations for CVE-2021-41190. full diff: opencontainers/image-spec@v1.0.1...v1.0.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: distribution/distribution@v2.7.1...v2.8.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: gorilla/mux@v1.7.0...v1.8.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
not the latest version, but this version looks to be commonly used in various projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1) full diff: prometheus/client_golang@c332b6f...v1.12.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
adds go.mod full diff: docker/go-metrics@c332b6f...v0.0.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
not using latest version, as that brings many indirect dependencies (through cobra) - removes github.com/gogo/protobuf dependency - unfortunately, brings back golang.org/x/crypto/ed25519 (will open a PR for that) Signed-off-by: Sebastiaan van Stijn <[email protected]>
updating the indirect dependency to match other projects; this version adds a go.mod; matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
1ded4f0 to 1c7f718
Interesting; breaking change in golang/x/sys?
This PR updates most dependencies to a more current version, better reflecting
the versions of these dependencies that are used in code consuming the notary
module. By updating, we're able to verify that the code in this repository doesn't
break with the newer versions.
There are a couple more dependencies to update, but some of those may require local
changes, so doing that separately.
I split the updates into many commits, picking an order of updates that allowed
for individual dependencies to be updated (using a different order often led to
many dependencies being updated at once, which makes reviewing the changes more
difficult). I included a link to the "full" diff for each update to assist in
reviewing as well.
I'm keeping this in draft for now, as I'm planning to do a round of "draft" PRs
in repositories that use notary as a dependency, to verify these updates are all
compatible (there are some indirect dependencies that are known to be problematic).
go.mod: github.com/spf13/cobra v1.6.1
Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed
full diff: spf13/cobra@v1.6.0...v1.6.1
go.mod: golang.org/x/term v0.1.0
The golang.org/x/ projects now tag releases.
full diff: golang/term@f5c789d...v0.1.0
go.mod: golang.org/x/sys v0.1.0
The golang.org/x/ projects now tag releases.
full diff: golang/sys@bc2c85a...v0.1.0
go.mod: golang.org/x/text v0.4.0
The golang.org/x/ projects now tag releases.
includes fixes for CVE-2022-32149 (v0.3.8)
full diff: golang/text@v0.3.3...v0.4.0
go.mod: golang.org/x/net v0.1.0
The golang.org/x/ projects now tag releases.
full diff: golang/net@f585440...v0.1.0
go.mod: golang.org/x/crypto v0.1.0
The golang.org/x/ projects now tag releases.
Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib:
Beginning with Go 1.13, the functionality of this package was moved to the standard library as crypto/ed25519. This package only acts as a compatibility wrapper.
full diff: golang/crypto@f585440...v0.1.0
go.mod: github.com/dvsekhvalnov/jose2go v1.5.0
Adds go.mod support
full diff: dvsekhvalnov/jose2go@248326c...v1.5.0
go.mod: github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d
full diff: Shopify/logrus-bugsnag@6dbc35f...577dee2
go.mod: github.com/sirupsen/logrus v1.9.0
full diff: sirupsen/logrus@v1.7.1...v1.9.0
go.mod: github.com/miekg/pkcs11 v1.0.3
full diff: miekg/pkcs11@v1.0.3...v1.1.1
go.mod: github.com/stretchr/testify v1.8.1
go.mod: google.golang.org/protobuf v1.28.0
go.mod: github.com/gogo/protobuf v1.3.2
contains fixes for CVE-2021-3121 "skippy peanut butter"
full diff: gogo/protobuf@v1.0.0...v1.3.2
go.mod: github.com/spf13/viper v1.13.0
removes the deprecated github.com/BurntSushi/toml dependency
full diff: spf13/viper@be5ff3e...v1.13.0
go.mod: github.com/opencontainers/image-spec v1.0.2
This is a dependency for docker/distribution, which does not yet use go modules,
so indirect dependencies aren't updated automatically.
image-spec v1.0.2 contains mitigations for CVE-2021-41190.
full diff: opencontainers/image-spec@v1.0.1...v1.0.2
go.mod: github.com/docker/distribution v2.8.1
full diff: distribution/distribution@v2.7.1...v2.8.1
go.mod: github.com/gorilla/mux v1.8.0
full diff: gorilla/mux@v1.7.0...v1.8.0
go.mod: github.com/prometheus/client_golang v1.12.1
not the latest version, but this version looks to be commonly used in various
projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1)
full diff: prometheus/client_golang@c332b6f...v1.12.1
go.mod: github.com/docker/go-metrics v0.0.1
adds go.mod
full diff: docker/go-metrics@c332b6f...v0.0.1
go.mod: github.com/cloudflare/cfssl v1.5.0
go.mod: github.com/matttproud/golang_protobuf_extensions v1.0.2
updating the indirect dependency to match other projects; this version adds
a go.mod;
full diff: matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2
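Several of the commits above pin a module to a version because of a named CVE. As an added example (not part of this PR or the notary code base), here is a small Go check that scans a go.mod's require lines and flags any module still pinned below the fixed version that the commit messages cite; the thresholds come from those messages, and where a message only says the target version "contains" the fix, that target version is assumed to be the threshold.

```go
package main

import "strconv"
import "strings"

// Lowest version that, per this PR's commit messages, carries the fix for the named
// CVE; for gogo/protobuf and image-spec the PR's target version is used (assumption).
var minFixed = map[string][2]string{
	"golang.org/x/text":                    {"v0.3.8", "CVE-2022-32149"},
	"github.com/prometheus/client_golang":  {"v1.11.1", "CVE-2022-21698"},
	"github.com/opencontainers/image-spec": {"v1.0.2", "CVE-2021-41190"},
	"github.com/gogo/protobuf":             {"v1.3.2", "CVE-2021-3121"},
}

// VersionKey maps "v1.12.1", "v2.8.1+incompatible" or a pseudo-version such as
// "v0.0.0-20171204204709-577dee27f20d" to an orderable int: major*1e6+minor*1e3+patch
// (assumes each component is below 1000, true for every module in this PR).
func VersionKey(v string) int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release/pseudo-version and +incompatible suffixes
	}
	key := 0
	for _, p := range strings.Split(v+".0.0", ".")[:3] { // pads "1.17" to three parts
		n, _ := strconv.Atoi(p)
		key = key*1000 + n
	}
	return key
}

// VulnerableRequires scans go.mod text (single-line or block require form, trailing
// "// indirect" allowed) and lists every require pinned below its fixed version.
func VulnerableRequires(gomod string) []string {
	var out []string
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require ")); len(f) >= 2 {
			if fix, ok := minFixed[f[0]]; ok && VersionKey(f[1]) < VersionKey(fix[0]) {
				out = append(out, f[0]+" "+f[1]+": "+fix[1]+", fixed in "+fix[0])
			}
		}
	}
	return out
}

func main() {
	// Constructed one-line sample, not notary's go.mod.
	for _, f := range VulnerableRequires("require github.com/gogo/protobuf v1.0.0 // indirect\n") {
		println("outdated:", f)
	}
}
```

Feed it the contents of a consumer's go.mod to see which of the pins this PR raises are still below the cited fix; it deliberately ignores modules the PR does not tie to a CVE.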