Skip to content

fix: bump vulnerable go dependencies#696

Closed
weicao wants to merge 1 commit into
mainfrom
ava/fix-dependabot-security-20260714
Closed

fix: bump vulnerable go dependencies#696
weicao wants to merge 1 commit into
mainfrom
ava/fix-dependabot-security-20260714

Conversation

@weicao

@weicao weicao commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

修复 kbcli Dependabot security 页里可以在当前依赖体系下安全升级的 Go 依赖:

  • golang.org/x/net v0.54.0 -> v0.55.0
  • github.com/go-git/go-git/v5 v5.16.5 -> v5.19.1
  • github.com/go-git/go-billy/v5 v5.6.2 -> v5.9.0
  • oras.land/oras-go/v2 v2.6.0 -> v2.6.2
  • github.com/containerd/containerd v1.7.32 -> v1.7.33
  • go.mongodb.org/mongo-driver v1.15.1 -> v1.17.7

预期覆盖的 Dependabot alerts:

Validation

  • go mod tidy
  • go test ./...
  • git diff --check
  • go list -m all | rg ... 确认目标模块版本

Boundaries

这轮没有强行修以下 alert,因为本地验证证明会破坏当前 kbcli 编译,或者上游没有可用 patched version:

@github-actions github-actions Bot added the size/M Denotes a PR that changes 30-99 lines. label Jul 14, 2026
@apecloud-bot

Copy link
Copy Markdown
Collaborator

This branch name is not following the standards: feature/|bugfix/|release/|hotfix/|support/|releasing/|dependabot/

@weicao

weicao commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Closing this draft because the branch name ava/fix-dependabot-security-20260714 fails kbcli PR Pre-Check branch policy. Recreated with allowed branch prefix hotfix/fix-dependabot-security-20260714.

@weicao weicao closed this Jul 14, 2026
@github-actions github-actions Bot added this to the Release 1.0 milestone Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/M Denotes a PR that changes 30-99 lines.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants