
go.mod: upgrade dependencies and rid vulnerable thrift version@v0.12.0 #417

Merged
merged 1 commit into from
Jul 27, 2020

Conversation

odeke-em
Contributor

Coming here, after digging through
google/exposure-notifications-server#749
in which the version of github.com/apache/thrift was reported by
@whaber as having known critical vulnerabilities.

Transitively however, this version was pinning to
cloud.google.com/go@v0.37.4 indirectly, which then imported
versions of opencensus:

  • go.opencensus.io@v0.19.
  • go.opencensus.io@v0.20.1
    that imported
    github.com/apache/thrift@v0.12.0
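
An added example, not code from this PR or from the golang-migrate project: a small Go program that parses `go mod graph` output and walks it breadth-first to print the requirement chain through which a module such as github.com/apache/thrift is pulled in, which is how a chain like the one above is located. The sample graph is constructed for this example; the root module path github.com/golang-migrate/migrate/v4 is assumed and the pre-upgrade go-mssqldb version is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output (not from the PR); the old go-mssqldb version is a placeholder.
const beforeUpgrade = `github.com/golang-migrate/migrate/v4 github.com/denisenkom/go-mssqldb@v0.0.0-OLDVERSION-PLACEHOLDER
github.com/denisenkom/go-mssqldb@v0.0.0-OLDVERSION-PLACEHOLDER cloud.google.com/go@v0.37.4
cloud.google.com/go@v0.37.4 go.opencensus.io@v0.20.1
go.opencensus.io@v0.20.1 github.com/apache/thrift@v0.12.0`

// ParseGraph turns the "parent child" lines of `go mod graph` into an adjacency map keyed by module@version.
func ParseGraph(out string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// FindPath breadth-first searches from root and returns the shortest requirement chain reaching any version of target, or nil if target is not pulled in.
func FindPath(g map[string][]string, root, target string) []string {
	paths := map[string][]string{root: {root}} // node -> chain from root
	queue := []string{root}
	for i := 0; i < len(queue); i++ {
		cur := queue[i]
		if cur == target || strings.HasPrefix(cur, target+"@") {
			return paths[cur]
		}
		for _, next := range g[cur] {
			if _, seen := paths[next]; !seen {
				paths[next] = append(append([]string{}, paths[cur]...), next)
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	// On a real checkout, feed the output of `go mod graph` to ParseGraph instead of the sample.
	g := ParseGraph(beforeUpgrade)
	fmt.Println(strings.Join(FindPath(g, "github.com/golang-migrate/migrate/v4", "github.com/apache/thrift"), " -> "))
}
```

Running FindPath again on the post-upgrade graph (go-mssqldb@v0.0.0-20200620013148-b91950f658ec requiring cloud.google.com/go@v0.61.0 and no thrift) returns nil, which is the check that the transitive dependency is really gone; `go mod why -m github.com/apache/thrift` gives a comparable answer on a real checkout.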

@odeke-em
Contributor Author

/cc @mikehelmick, once this PR is hopefully merged and a new release is cut, I'll then update our dependencies and that should remove that transitive dependency.

Member

@dhui dhui left a comment


Build is failing. Looks like it's due to a backwards incompatible change in the gitlab client.

Coming here, after digging through
google/exposure-notifications-server#749
in which the version of github.com/apache/thrift was reported by
@whaber as having known critical vulnerabilities.

Transitively however, this version was pinning to
cloud.google.com/go@v0.37.4 indirectly, which then imported
versions of opencensus:
  • go.opencensus.io@v0.19.
  • go.opencensus.io@v0.20.1
    that imported
    github.com/apache/thrift@v0.12.0

The target package to upgrade was
    github.com/denisenkom/go-mssqldb v0.0.0-20200620013148-b91950f658ec
which now uses
    cloud.google.com/go@v0.61.0
@odeke-em
Contributor Author

Thanks @dhui for the initial review! I've made a conservative update to only github.com/denisenkom/go-mssqldb@v0.0.0-20200620013148-b91950f658ec which then doesn't touch the Gitlab client. Let's see if that works.

@coveralls

coveralls commented Jul 26, 2020

Pull Request Test Coverage Report for Build 814

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 53.29%

Totals Coverage Status
Change from base Build 811: 0.0%
Covered Lines: 2640
Relevant Lines: 4954

💛 - Coveralls

Member

@dhui dhui left a comment


Thanks for the fix!

@dhui dhui merged commit 07052cd into golang-migrate:master Jul 27, 2020
@odeke-em
Contributor Author

odeke-em commented Jul 27, 2020 via email

@dhui
Member

dhui commented Jul 27, 2020

Done: v4.12.0


3 participants