~Update shoenig dependency~ cherry-pick dependency updates into 4.83.0 rc #42345
jacobshandling merged 3 commits into rc-minor-fleet-v4.83.0 from
@claude review
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## rc-minor-fleet-v4.83.0 #42345 +/- ##
=========================================================
Coverage ? 66.40%
=========================================================
Files ? 2505
Lines ? 201114
Branches ? 8870
=========================================================
Hits ? 133559
Misses ? 55465
Partials ? 12090
LGTM — straightforward dependency bump to fix the SIGSEGV crash on Apple Silicon.
Extended reasoning...
Overview
This PR updates a single indirect dependency, github.com/shoenig/go-m1cpu, from v0.1.7 to v0.2.1. Only go.mod and go.sum are modified.
Security risks
None. This is an indirect, platform-specific CPU info library used on Apple M1/M2 hardware. The version bump is a minor patch addressing a startup crash, not a behavioral or API change that could introduce security exposure.
Level of scrutiny
Low. The change is purely mechanical — a version bump with updated checksums. The motivation is clearly documented: v0.1.7 causes a SIGSEGV in CGo initialization (_Cfunc_initialize()) at startup on Apple Silicon, crashing the fleet binary before it can serve any requests. Bumping to v0.2.1 is the appropriate fix.
Other factors
No fleet application code is changed. The go.sum hashes are consistent with a legitimate upstream bump. No CODEOWNERS apply to go.mod/go.sum dependency-only changes. No bugs were reported by the automated analysis.
@lucasmrod will do
This reverts commit 52a1d6b.
Resolves #41863

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

Tests performed on the following OSs:
- Windows (arm64)
- macOS (Apple silicon)
- Linux (arm64)
- Linux (amd64)

Features tested on the OSs above:
- "My device".
- Restart fleetd.
- Kill fleet desktop, should re-start.
- Killing stale osqueryd processes on orbit startup.
- Checking if osquery is up and running, exit and start.
- Checking if Fleet Desktop is already running before launching it.
- orbit auto update
- Gracefully shutting down Fleet Desktop before restarting it

---

## fleetd/orbit/Fleet Desktop

- [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
LGTM — straightforward dependency upgrade to fix the Apple M5 crash, matching the equivalent fix already merged to main.
Extended reasoning...
Overview
This PR upgrades github.com/shirou/gopsutil from v3 to v4 across 4 Go files (platform.go, platform_notwindows.go, platform_windows.go, open_linux.go, nvdvuln.go), removes the now-unnecessary github.com/shoenig/go-m1cpu indirect dependency (the source of the SIGSEGV crash in the PR description), and bumps a handful of transitive deps (power-devops/perfstat, tklauser/go-sysconf, tklauser/numcpus, golang.org/x/sys). A new indirect dep github.com/ebitengine/purego is introduced as gopsutil v4 uses pure-Go syscall bindings instead of CGo on Apple Silicon.
Security risks
No security-sensitive code paths are touched. The one non-mechanical code change — changing myUid from int32 to uint32 in open_linux.go — is required by the v4 API (Uids() now returns []uint32) and is the correct type for Unix UIDs. No auth, crypto, or permission logic is affected.
Level of scrutiny
Low. This is a targeted crash fix backport: the equivalent change was already merged to main as commit 1833508. The changes are mechanical import-path rewrites (/v3/ → /v4/) plus the single type correction, with no logic changes beyond what the new library API demands.
Other factors
No bugs were reported by the automated bug-hunting system. Codecov shows no coverage regression. The changelog entry is present. The PR author confirmed manual QA.
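The `int32` to `uint32` change for `myUid` mentioned in the review above, illustrated as an added example that is not part of this PR or of Fleet's code: it parses the real UID from a constructed `/proc/<pid>/status` sample as an unsigned 32-bit value and shows what a signed type does to a UID above 2^31. The sample text and the helper names `realUID`, `ownedBy` and `asInt32` are assumptions; the page does not show how `open_linux.go` uses `myUid`.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status sample for a process owned by a high UID
// (such as one mapped from a directory service). Not taken from the PR.
const sampleStatus = "Name:\texample\nPid:\t4242\n" +
	"Uid:\t3000000000\t3000000000\t3000000000\t3000000000\n" +
	"Gid:\t100\t100\t100\t100\n"

// realUID returns the first (real) UID on the "Uid:" line, parsed as an
// unsigned 32-bit value, which is the width of uid_t on Linux.
func realUID(status string) (uint32, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) >= 2 && fields[0] == "Uid:" {
			v, err := strconv.ParseUint(fields[1], 10, 32)
			if err != nil {
				return 0, fmt.Errorf("bad Uid field %q: %w", fields[1], err)
			}
			return uint32(v), nil
		}
	}
	return 0, fmt.Errorf("no Uid line found")
}

// ownedBy reports whether the process described by status belongs to myUid.
// Hypothetical helper showing an unsigned-to-unsigned ownership comparison.
func ownedBy(status string, myUid uint32) (bool, error) {
	uid, err := realUID(status)
	if err != nil {
		return false, err
	}
	return uid == myUid, nil
}

// asInt32 shows the wrap-around a signed 32-bit type applies to the same UID.
func asInt32(uid uint32) int32 { return int32(uid) }

func main() {
	uid, _ := realUID(sampleStatus)
	ok, _ := ownedBy(sampleStatus, 3000000000)
	fmt.Println(uid, ok, asInt32(uid))
}
```

With a signed type, the high UID becomes a negative number, so any ownership check that mixes signed and unsigned values would compare the wrong quantity.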
c1dbdb7 into rc-minor-fleet-v4.83.0
Related issue:
I noticed the below build failure when building the rc on apple silicon. It doesn't happen on main - opened this PR in case it's useful

EDIT: this PR now serves as a cherry-pick to the 4.83 rc for this commit - see #42345 (review)