-
-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump target Go version to 1.20 #1118
Conversation
This change bumps the minimum Go version to 1.18 to take advantage of a number of fixes to the language, while matching the minimum version for a number of key dependencies which have been moving away from Go 1.15. This change drops support for Go 1.15 in the Exercism CLI.
``` ~> go1.18.10 fix ./... ```
This change bumps spf13/viper to address reported vulnerabilities in yaml.v2 ``` ~> govulncheck -test ./... Scanning your code and 210 packages across 21 dependent modules for known vulnerabilities... Vulnerability #1: GO-2022-0956 Excessive resource consumption in gopkg.in/yaml.v2 More info: https://pkg.go.dev/vuln/GO-2022-0956 Module: gopkg.in/yaml.v2 Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d Fixed in: gopkg.in/yaml.v2@v2.2.4 Example traces found: #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal Vulnerability exercism#2: GO-2021-0061 Denial of service in gopkg.in/yaml.v2 More info: https://pkg.go.dev/vuln/GO-2021-0061 Module: gopkg.in/yaml.v2 Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d Fixed in: gopkg.in/yaml.v2@v2.2.3 Example traces found: #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal Vulnerability exercism#3: GO-2020-0036 Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2 More info: https://pkg.go.dev/vuln/GO-2020-0036 Module: gopkg.in/yaml.v2 Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d Fixed in: gopkg.in/yaml.v2@v2.2.8 Example traces found: #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal ```
This change officially removes Go 1.15 from the testing matrix and adds the Go versions used for supporting the Exercism CLI. Namely Go 1.19, 1.20, and 1.21.x.
* Bump Go tooling to use 1.20.x for release and testing. ``` Scanning your code and 207 packages across 19 dependent modules for known vulnerabilities... Vulnerability #1: GO-2023-2043 Improper handling of special tags within script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2043 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#2: GO-2023-2041 Improper handling of HTML-like comments in script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2041 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#3: GO-2023-1987 Large RSA keys can cause high CPU usage in crypto/tls More info: https://pkg.go.dev/vuln/GO-2023-1987 Standard library Found in: crypto/tls@go1.19.8 Fixed in: crypto/tls@go1.21rc4 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext exercism#2: cli/cli.go:199:23: cli.extractBinary calls io.Copy, which eventually calls tls.Conn.Read exercism#3: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which calls tls.Conn.Write exercism#4: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Dialer.DialContext Vulnerability exercism#4: GO-2023-1878 Insufficient sanitization of Host header in net/http More info: https://pkg.go.dev/vuln/GO-2023-1878 Standard library Found in: net/http@go1.19.8 Fixed in: net/http@go1.20.6 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do exercism#2: cmd/troubleshoot.go:206:32: cmd.apiPing.Call calls http.Client.Get Vulnerability exercism#5: GO-2023-1840 Unsafe behavior in setuid/setgid binaries in runtime More info: https://pkg.go.dev/vuln/GO-2023-1840 Standard library Found in: runtime@go1.19.8 Fixed in: runtime@go1.20.5 Example traces found: #1: debug/debug.go:80:12: debug.DumpResponse calls log.Fatal, which eventually calls runtime.Caller exercism#2: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Callers exercism#3: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.CallersFrames exercism#4: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Frames.Next exercism#5: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.GC exercism#6: workspace/exercise_metadata.go:66:24: workspace.ExerciseMetadata.Write calls json.Marshal, which eventually calls runtime.GOMAXPROCS exercism#7: config/config.go:57:18: config.Dir calls os.Getenv, which eventually calls runtime.GOROOT exercism#8: cli/cli.go:202:29: cli.extractBinary calls os.File.Seek, which eventually calls runtime.KeepAlive exercism#9: cli/cli.go:135:2: cli.CLI.Upgrade calls os.File.Close, which eventually calls runtime.SetFinalizer exercism#10: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which eventually calls runtime.Stack exercism#11: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.TypeAssertionError.Error exercism#12: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.defaultMemProfileRate exercism#13: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.efaceOf exercism#14: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.findfunc exercism#15: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.float64frombits exercism#16: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.forcegchelper exercism#17: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta exercism#18: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.plainError.Error exercism#19: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.throw Vulnerability exercism#6: GO-2023-1753 Improper handling of empty HTML attributes in html/template More info: https://pkg.go.dev/vuln/GO-2023-1753 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#7: GO-2023-1752 Improper handling of JavaScript whitespace in html/template More info: https://pkg.go.dev/vuln/GO-2023-1752 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#8: GO-2023-1751 Improper sanitization of CSS values in html/template More info: https://pkg.go.dev/vuln/GO-2023-1751 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute ```
Hello. Thanks for opening a PR on Exercism. We are currently in a phase of our journey where we have paused community contributions to allow us to take a breather and redesign our community model. You can learn more in this blog post. As such, all issues and PRs in this repository are being automatically closed. That doesn't mean we're not interested in your ideas, or that if you're stuck on something we don't want to help. The best place to discuss things is with our community on the Exercism Community Forum. You can use this link to copy this into a new topic there. Note: If this PR has been pre-approved, please link back to this PR on the forum thread and a maintainer or staff member will reopen it. |
LGTM @ekingery Could you review the code? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks nice and clean to me! Thanks so much for taking this on, @nywilken. I haven't done an upgrade of this magnitude in the recent past, so I can't offer any specific Go expertise in this area. However the tests are all passing on the updated versions so let's
@ErikSchierboom I'm not sure how to remove the old checks from 1.15 that still seem to be required on this PR... The new 1.20 and 1.21 checks are all passing. Maybe you can just force merge it? |
What's Changed?
This change bumps the minimum Go version to 1.20 to take advantage of a number of fixes to the language, while supporting the minimum version for a number of key dependencies which have been moving away from Go 1.15.
This change officially removes Go 1.15 from the testing matrix and adds the Go versions used for supporting the Exercism CLI and exercises. Namely Go 1.20.x, and 1.21.x.
Additional Changes
These changes support the Go version bump:
and adds the Go versions used for supporting the Exercism CLI.
Critical Dependency Changes:
Closes: #1087
Closes: #1086
Closes: #1085