Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Widespread dependencies update #226

Merged
merged 52 commits into from
Jan 31, 2025
Merged

Widespread dependencies update #226

merged 52 commits into from
Jan 31, 2025

Conversation

eldang
Copy link
Contributor

@eldang eldang commented Jan 29, 2025

I needed to update some dependencies to get this project through a client's automated security scans, so decided to do a broad round of updates while I was at it. I figure this might be useful to merge back to the original repository, though it may also be worth testing it more than I have done.

Testing I have done:

  • Building and running locally on my mac
  • Building the Alpine Docker image and running that on my mac
  • Having the client's CI build a slightly customised version of the Alpine Docker image in their infrastructure (Azure DevOps), which is now backing https://eldang.github.io/evs2scale/

eldang and others added 30 commits November 14, 2023 16:31
@eldang
Bump gopkg.in/yaml.v3 from 3.0.0-20200313102051-9f266ea9e77c to 3.0.1
e53e5b3 
Closes CrunchyData#189
@eldang
go tidy autoclean
6a11a13
@eldang
Fixed tests
fec0bab
@eldang
golang.org/x/image v0.0.0 -> v0.14.0
1302fd1
@eldang
golang/x/net 0.0.0 -> 0.18.0 ; golang/x/crypto 0.0.0 -> 0.15.0
2183221
@eldang
gogo/protobuf v1.2.1 -> v1.3.2
cd91cd3
@eldang
dgrijalva/jwt-go v3.2.0+incompatible => v3.2.1-0.20180308231308-06ea1…
cbc80dc 
…031745c+incompatible
@eldang
viper 1.7.1 => 1.17.0
96ec1f5
@eldang
client_golang v1.11.1 => v1.17.0
927d1c2
@eldang
gorilla/handlers 1.5.1 => 1.5.2
aa97b91
@eldang
gorilla/mux 1.8.0 => 1.8.1
e996985
@eldang
pgconn 1.7.2 => 1.14.1
9262d08
@eldang
pgtype 1.6.1 => 1.14.0
a65c41b
@eldang
pgx 4.12.1 => 4.18.1
9d347f6
@eldang
logrus 1.7.0 => 1.9.3
3acca20
@eldang
Updated minimum Go version
c93ad26
@eldang
Update Go version to 1.18
93bb19f
@eldang
Updated Go version to 1.18
c09f4ea
@eldang
exp v0.0.0-20230905200255-921286631fa9 => v0.0.0-20231110203233-9a3e6…
bf7a9c0 
…036ecaa
@eldang
no-op change to trigger a CI run
4d04235
@eldang
Revert "no-op change to trigger a CI run"
937d623 
This reverts commit 4d04235.
@eldang
Trying Go 1.21
ec23e15
@eldang
Updated go version in Dockerfile to what I've been testing with locally
b99cfc5
@eldang
Merge branch 'master' into dependency-updates
35c8812
@nein09
Expose error to user (this would have saved me soem time)
4628dce
@nein09
Clean up BasePath setting in preparation for more tests
be14b84
@nein09
Test show/hide preview functionality
c6f8dd9
@nein09
Simple health check endpoint and tests
47707c5
@nein09
Make response make more sense when viewed in a browser
77b9bdb
@nein09
Update readme and add a test to make sure i am not lying
0877037
eldang and others added 22 commits January 17, 2024 15:16
@eldang
Merge pull request #3 from eldang/health-endpoint
e8e0341 
Health endpoint
@eldang
Merge pull request #4 from CrunchyData/master
1603e06 
Update from origin repo
@eldang
Merge branch 'master' into dependency-updates
6d07d2f
@eldang
Routine dependency updates
c3fd86a
@eldang
revert antlr version
ae8dda0
@eldang
Merge pull request #5 from eldang/dependency-updates
2b63737 
Dependency updates
@eldang
Merge branch 'master' into sync-from-upstream
a4ed648
@eldang
added missing go.sum entry
ef31861
@eldang
Merge pull request #7 from eldang/sync-from-upstream
179783a 
Sync from upstream
@eldang
routine dependency updates
618c129
@eldang
go mod tidy
febadaf
@eldang
Revert "go mod tidy"
93a6145 
This reverts commit febadaf.
@eldang
Revert "routine dependency updates"
7e92152 
This reverts commit 618c129.
@eldang
Merge branch 'master' into dependency-updates
1681c8b
@eldang
routine dependency updates
1e42502
@eldang
add missing source
4c5ab21
@eldang
go mod tidy
e53bfd8
@eldang
Explicitly clean all old golang.org/x/crypto versions out
3cbb0f6
@eldang
Use newer Alpine image
3dfaac5
@eldang
Merge pull request #8 from eldang/dependency-updates
3c86ebb 
Dependency updates
@eldang
Update that I forgot
5de3019
@eldang
Merge pull request #9 from eldang/dependency-updates
be48f6b 
One more dependency update
eldang
eldang commented Jan 29, 2025
View reviewed changes
go.mod
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

replace golang.org/x/crypto => golang.org/x/crypto v0.32.0
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the specific dependency that was originally triggering static code analysis alerts because of https://nvd.nist.gov/vuln/detail/CVE-2024-45337 . I had to add the explicit replace because the static code analysis tool would alert on any mention of an affected version in go.sum. It may make sense to remove it for general purposes; I think the analysis tool raising alerts on those is bad behaviour.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the replace you mean?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. I don't know if it does any harm, but I just figure you probably don't want a random assortment of these starting to accumulate because of one very specific use case that I already have a fork for.

@pramsey pramsey merged commit 2730910 into CrunchyData:master Jan 31, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pramsey pramsey pramsey left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eldang @pramsey @nein09