Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Upgrade golang.org/x/net and golang.org/grpc #30

Merged
merged 2 commits into from
Nov 23, 2023
Merged

chore(deps): Upgrade golang.org/x/net and golang.org/grpc #30

merged 2 commits into from
Nov 23, 2023

Conversation

spolti
Copy link
Contributor

@spolti spolti commented Oct 31, 2023
edited
Loading

This was referenced Oct 31, 2023
Merged
Closed
@ckadner ckadner changed the title CVE-2023-4448 chore(deps): Upgrade golang.org/x/net and golang.org/grpc Nov 14, 2023
ckadner
ckadner requested changes Nov 14, 2023
View reviewed changes
Copy link
Member

@ckadner ckadner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delayed review and thanks for separating your PRs

go.mod Outdated
golang.org/x/sys v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 // indirect
golang.org/x/net v0.17.0 // indirect
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of updating indirect dependencies, could you add those in a replace section with a comment explaining the reason for it.

e.g.: https://github.com/kserve/modelmesh-serving/blob/eb4bf296ff4667d064eb6d71362adf5427c8f3c3/go.mod#L129-L130

// Update Go Networking to avoid CVE-2023-44487 and CVE-2023-39325
replace golang.org/x/net => golang.org/x/net v0.17.0

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a specific reason to use replace instead go get?

imho go get is better since it will also update go.sum entries and update related dependencies as well.
And, i guess, replace is more used for development purposes.

Copy link
Member

@ckadner ckadner Nov 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I suppose that there is some developer preference involved here, but in general, the idea is consistency and reproducibility from environment to environment (development, production, CI/CD, Docker builds). We really don't want to use go get ... unless we deliberately want to add new dependencies, or update individual dependencies, which will cause the go.mod and go.sum file to be updated.

https://stackoverflow.com/questions/66356034/what-is-the-difference-between-go-get-command-and-go-mod-download-command

When I set up a Go project, meaning, I fork a GitHub repo and clone it locally, I will then run go mod download to get the dependencies with the exact versions as specified, or go mod tidy -compat=1.18 (for a Go 1.18 project). The latter should not change the go.mod or go.sum file either, if the the two files have been kept in order.

I expect only the direct dependencies to be maintained. The list of // indirect dependencies should be "generated" by running go mod tidy (or go mod tidy -compat=1.18 -- for a Go 1.18 project) which will determine the versions of those indirect dependencies based on the versions required by the modules from the list of "direct" requirements.

Now, how should we "override" certain indirect dependencies in the go.mod file? I think we should not just change a version of a indirect dependency, i.e. by running go get ... which will change the list // indirect dependencies. This would make it difficult to determine in the future, which versions we decided to use, versus what versions were required indirectly.

To keep that distinction clear, Go offers the replace directive.

Ah, and go mod tidy ... will also update go.sum entries and update related dependencies ;-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, make sense, thanks.

go.mod Show resolved Hide resolved
ckadner
ckadner requested changes Nov 17, 2023
View reviewed changes
go.mod Show resolved Hide resolved
@spolti spolti mentioned this pull request Nov 17, 2023
Open
@spolti
Copy link
Contributor Author

spolti commented Nov 17, 2023

btw, just tested, the apimachinery change has addressed the goproxy issue.

@spolti spolti requested a review from ckadner November 21, 2023 17:07
@spolti
CVE-2023-4448
3b9beed 
chore(deps): Upgrade golang.org/x/net and golang.org/grpc

Signed-off-by: Spolti <fspolti@redhat.com>
@spolti
apply changes suggested on review
eb14be6 
Signed-off-by: Spolti <fspolti@redhat.com>
ckadner
ckadner approved these changes Nov 23, 2023
View reviewed changes
Copy link
Member

@ckadner ckadner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

ckadner
ckadner approved these changes Nov 23, 2023
View reviewed changes
Copy link
Member

@ckadner ckadner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great. Thanks @spolti

/lgtm
/approve

@ckadner ckadner merged commit e2857ff into kserve:main Nov 23, 2023
5 checks passed
@spolti spolti deleted the CVE-2023-44487-rest-p branch November 23, 2023 13:00
@ckadner ckadner added this to the v0.11.2 milestone Nov 23, 2023
spolti referenced this pull request in spolti/rest-proxy Jan 10, 2024
@spolti
chore(deps): Upgrade golang.org/x/net and golang.org/grpc (opendatahu…
d72479b 
…b-io#30)

Issues addressed:
- https://github.com/kserve/rest-proxy/security/dependabot/1
- https://github.com/kserve/rest-proxy/security/dependabot/2
- https://github.com/kserve/rest-proxy/security/dependabot/3
- https://github.com/kserve/rest-proxy/security/dependabot/4
- https://github.com/kserve/rest-proxy/security/dependabot/5
- https://www.cve.org/CVERecord?id=CVE-2023-37788

---------

Signed-off-by: Spolti <fspolti@redhat.com>
spolti referenced this pull request in spolti/rest-proxy Jan 10, 2024
@spolti
chore(deps): Upgrade golang.org/x/net and golang.org/grpc (opendatahu…
11c52d0 
…b-io#30)

Issues addressed:
- https://github.com/kserve/rest-proxy/security/dependabot/1
- https://github.com/kserve/rest-proxy/security/dependabot/2
- https://github.com/kserve/rest-proxy/security/dependabot/3
- https://github.com/kserve/rest-proxy/security/dependabot/4
- https://github.com/kserve/rest-proxy/security/dependabot/5
- https://www.cve.org/CVERecord?id=CVE-2023-37788

---------

Signed-off-by: Spolti <fspolti@redhat.com>
spolti referenced this pull request in spolti/rest-proxy Jan 11, 2024
@spolti
chore(deps): Upgrade golang.org/x/net and golang.org/grpc (opendatahu…
ee9d72e 
…b-io#30)

Issues addressed:
- https://github.com/kserve/rest-proxy/security/dependabot/1
- https://github.com/kserve/rest-proxy/security/dependabot/2
- https://github.com/kserve/rest-proxy/security/dependabot/3
- https://github.com/kserve/rest-proxy/security/dependabot/4
- https://github.com/kserve/rest-proxy/security/dependabot/5
- https://www.cve.org/CVERecord?id=CVE-2023-37788

---------

Signed-off-by: Spolti <fspolti@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ckadner ckadner ckadner approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.11.2
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@spolti @ckadner