go.mod: upgrade dependencies and rid vulnerable thrift version@v0.12.0 #417
Conversation
/cc @mikehelmick, once this PR is hopefully merged and a new release is cut, I'll then update our dependencies and that should remove that transitive dependency.
Build is failing. Looks like it's due to a backwards incompatible change in the gitlab client
Coming here, after digging through google/exposure-notifications-server#749 in which the version of github.com/apache/thrift was reported by @whaber as having known critical vulnerabilities. Transitively however, this version was pinning to cloud.google.com/go@v0.37.4 indirectly, which then imported versions of opencensus:

* go.opencensus.io@v0.19.
* go.opencensus.io@v0.20.1

that imported github.com/apache/thrift@v0.12.0

The target package to upgrade was github.com/denisenkom/go-mssqldb v0.0.0-20200620013148-b91950f658ec which now uses cloud.google.com/go@v0.61.0
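The chain described above (go-mssqldb pulling in an old cloud.google.com/go, which pulls in opencensus, which pulls in thrift@v0.12.0) is exactly the kind of question `go mod graph` answers, but its output is a flat edge list that is tedious to follow by hand. The program below is an added example, not code from this PR or from the migrate project: it parses `go mod graph` output and does a breadth-first search from the main module to the first requirement edge that reaches any version of a given module path. The two embedded graphs are constructed and abbreviated (the pre-upgrade go-mssqldb and opencensus versions are placeholders, only the versions named in the PR are real), and the file name `find_path.go` is assumed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// SampleBefore is a constructed, abbreviated `go mod graph` listing that mirrors the
// chain described in the PR: app -> go-mssqldb -> cloud.google.com/go@v0.37.4 ->
// opencensus -> thrift@v0.12.0. The go-mssqldb version is a placeholder, not a real one.
const SampleBefore = `example.com/app github.com/denisenkom/go-mssqldb@v0.0.0-CONSTRUCTED-OLD
example.com/app github.com/lib/pq@v1.7.0
github.com/denisenkom/go-mssqldb@v0.0.0-CONSTRUCTED-OLD cloud.google.com/go@v0.37.4
cloud.google.com/go@v0.37.4 go.opencensus.io@v0.20.1
go.opencensus.io@v0.20.1 github.com/apache/thrift@v0.12.0
`

// SampleAfter is the same constructed graph after the upgrade in this PR; the
// opencensus version is again a placeholder, and thrift no longer appears.
const SampleAfter = `example.com/app github.com/denisenkom/go-mssqldb@v0.0.0-20200620013148-b91950f658ec
example.com/app github.com/lib/pq@v1.7.0
github.com/denisenkom/go-mssqldb@v0.0.0-20200620013148-b91950f658ec cloud.google.com/go@v0.61.0
cloud.google.com/go@v0.61.0 go.opencensus.io@vCONSTRUCTED-NEW
`

// ParseModGraph turns `go mod graph` output (one "parent child" edge per line) into an
// adjacency map. The main module is the parent of the first edge; `go mod graph`
// lists it without a version.
func ParseModGraph(text string) (root string, edges map[string][]string) {
	edges = map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		if root == "" {
			root = fields[0]
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return root, edges
}

// FindPath breadth-first searches from root and returns the shortest chain of
// requirements that reaches any version of target (a module path, with or without
// an @version suffix). It returns nil when no version of target is in the graph.
func FindPath(edges map[string][]string, root, target string) []string {
	matches := func(node string) bool {
		return node == target || strings.HasPrefix(node, target+"@")
	}
	prev := map[string]string{root: ""} // node -> the node we reached it from
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if matches(cur) {
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: go mod graph | go run find_path.go <module-path>")
		os.Exit(2)
	}
	data, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(1)
	}
	root, edges := ParseModGraph(string(data))
	path := FindPath(edges, root, os.Args[1])
	if path == nil {
		fmt.Printf("%s is not in the module graph\n", os.Args[1])
		return
	}
	fmt.Println(strings.Join(path, "\n  -> "))
}
```

Run it as `go mod graph | go run find_path.go github.com/apache/thrift` inside the module you are auditing. One caveat: `go mod graph` prints every requirement edge, so a module can show up in the graph without being selected for the build; `go mod why -m github.com/apache/thrift` is the authoritative check for whether the module is actually needed, and the path printed here tells you which direct dependency to bump to make it go away.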
Thanks @dhui for the initial review! I've made a conservative update to only github.com/denisenkom/go-mssqldb@v0.0.0-20200620013148-b91950f658ec which then doesn't touch the Gitlab client. Let's see if that works.
Thanks for the fix!
Thank you for the merge! Please help cut a release that'll then be used by various go.mod dependent projects. Thank you.

> On Sun, Jul 26, 2020 at 11:18 PM Dale Hui wrote: Merged #417 into master.
Done: v4.12.0