fix: bump vulnerable go dependencies#696
Closed
weicao wants to merge 1 commit into
Closed
Conversation
Collaborator
|
This branch name is not following the standards: feature/|bugfix/|release/|hotfix/|support/|releasing/|dependabot/ |
Contributor
Author
|
Closing this draft because the branch name |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
修复 kbcli Dependabot security 页里可以在当前依赖体系下安全升级的 Go 依赖:
golang.org/x/netv0.54.0 -> v0.55.0github.com/go-git/go-git/v5v5.16.5 -> v5.19.1github.com/go-git/go-billy/v5v5.6.2 -> v5.9.0oras.land/oras-go/v2v2.6.0 -> v2.6.2github.com/containerd/containerdv1.7.32 -> v1.7.33go.mongodb.org/mongo-driverv1.15.1 -> v1.17.7预期覆盖的 Dependabot alerts:
golang.org/x/net < 0.55.0oras.land/oras-go/v2vulnerable ranges up to2.6.1or< 2.6.1github.com/containerd/containerd < 1.7.33go.mongodb.org/mongo-driver < 1.17.7github.com/go-git/go-git/v5github.com/go-git/go-billy/v5 < 5.9.0Validation
go mod tidygo test ./...git diff --checkgo list -m all | rg ...确认目标模块版本Boundaries
这轮没有强行修以下 alert,因为本地验证证明会破坏当前 kbcli 编译,或者上游没有可用 patched version:
helm.sh/helm/v3: 升到v3.20.2会拉入 Kubernetesv0.35.1/structured-merge-diff/v6。在仓库现有replace k8s.io/* => v0.29.14下会出现structured-merge-diff/v6vsv4类型不匹配;把 k8s replace 也整体升到v0.35.1又会和controller-runtime v0.17.2、troubleshoot v0.57.0旧 API 不兼容。github.com/docker/cli/github.com/docker/docker后,ORAS v1 和 k3d 仍引用旧github.com/docker/docker/...类型,而新版 Docker CLI/client 已拆到github.com/moby/moby/...,导致类型不兼容。oras.land/oras-gov1: Dependabot 标记的 advisory 没有first_patched_version,当前可见 v1 最新仍是v1.2.7,本 PR 不伪造不可验证的修复。