Thrift version update and unification #2320
Comments
|
For context there has been some effort put into this outside of the Temporal team. Happy to continue pushing along my patches if they are still interested. The update is not trivial and includes breaking changes.
Happy to change my patches to support whatever version the Temporal team would like to use. Likely, v0.13.0 is the most compatible with other Go dependencies, which is useful for mono-repos. But, updating to v0.14.0+ fixes a potential DOS CVE-2020-13949. This CVE does not seem too dangerous but will leave judgement calls up to the team. I will also be testing these patches on a three-node cluster in the next week or so. |
|
cc @mcbryde |
|
I added a branch to update to v0.15.0, the latest. I will open the PR for review once I have tested the ringpop-go changes, and then tested Temporal in a production environment with it. |
|
PR is opened temporalio/tchannel-go#2 |
|
This should be done now with #3250 |
Is your feature request related to a problem? Please describe.
Hi
I have a question which came out from the security scan we did recently. Is there a reason on why thrift (github.com/apache/[email protected]) is pinned? It does look like this one is from version 0.10. There is another one used by the ringpop-go (actually 2) one from 0.9.3 and another one from the no longer maintained repo. Latest thrift is 0.15 and beyond 0.13 have some active CVEs. Could you please consider reviewing the thrift versions in those 2 packages?
Here is some dependency graph
Describe the solution you'd like
Minimum thrift library version of 0.13, better 0.15
Describe alternatives you've considered
None available
The text was updated successfully, but these errors were encountered: