go.mod: bump several dependency versions to avoid vulnerabilities #1338

Merged
merged 8 commits into from
Jul 6, 2022


knusbaum
Contributor

go.mongodb.org/mongo-driver -> v1.7.5
golang/github.com/jinzhu/gorm -> v1.9.10

Fixes #1335

@knusbaum knusbaum added this to the 1.39.0 milestone Jun 14, 2022
@knusbaum knusbaum requested a review from a team as a code owner June 14, 2022 21:21
Contributor

@nsrip-dd nsrip-dd left a comment

Thanks Kyle! If you think it would be appropriate, I can open a PR to change the jinzhu/gorm tests so they don't break because of slight changes in the SQL query text formatting (like this failure). Other than those failures I suspect this upgrade doesn't actually break that integration.

@knusbaum
Contributor Author

Thanks, @nsrip-dd. I have time to go ahead and fix those tests.

I agree, the upgrade doesn't break the integration. We just happen to depend on specific behavior from that specific version for the tests. Not ideal, but it's fine for now.

@knusbaum knusbaum requested a review from a team June 15, 2022 17:17
@knusbaum knusbaum requested a review from nsrip-dd June 15, 2022 17:41
nsrip-dd
nsrip-dd previously approved these changes Jun 15, 2022
The spans should be tagged with the query, but the exact format of the
query can change between gorm library versions (e.g. inserting extra
whitespace). We can get the text through a callback and compare against
that rather than hard-coding the text.
Contributor Author

@knusbaum knusbaum left a comment

@nsrip-dd very nice fix.

@knusbaum knusbaum requested a review from nsrip-dd June 22, 2022 15:00
@@ -42,8 +41,7 @@ require (
github.com/gomodule/redigo v1.7.0
github.com/google/pprof v0.0.0-20210423192551-a2663126120b
github.com/google/uuid v1.3.0
github.com/gorilla/context v1.1.1 // indirect
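Review bot: the hunk header (`-42,8 +41,7`) shows this stretch of the `require` block going from eight lines to seven, in the region around `github.com/gorilla/context v1.1.1 // indirect`, and none of the visible entries is one of the two bumps named in the description (mongo-driver and gorm). In a PR whose stated purpose is avoiding vulnerabilities, say in the description which go.mod changes are the intended version bumps and which are incidental, so a reviewer can confirm that no requirement was dropped or moved to a different version unintentionally.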
Contributor

Were these other go.mod changes just from go mod tidy?

Contributor Author

Yes, exactly.

@Hellzy Hellzy modified the milestones: 1.39.0, 1.40.0 Jul 1, 2022
Successfully merging this pull request may close these issues.

nancy scan for vulnerabilities on dd-trace 1.38.1
4 participants