
Conversation

@kwilczynski
Contributor

@kwilczynski kwilczynski commented Jan 7, 2025

What type of PR is this?

/kind dependency-change

What this PR does / why we need it:

Supersedes the following Pull Requests opened by the bot:

However, none of the packages from the Kubernetes ecosystem are updated at this time.

This update also takes care of some of the vulnerabilities that popular security scanners would detect per:

  • osv-scanner
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────────────┬─────────┬────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                     │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼─────────────────────────────┼─────────┼────────┤
│ https://osv.dev/GHSA-r9px-m959-cxf4 │ 7.5  │ Go        │ github.com/go-git/go-git/v5 │ 5.12.0  │ go.mod │
│ https://osv.dev/GHSA-v725-9546-7q7m │ 9.8  │ Go        │ github.com/go-git/go-git/v5 │ 5.12.0  │ go.mod │
│ https://osv.dev/GO-2024-3321        │ 9.1  │ Go        │ golang.org/x/crypto         │ 0.29.0  │ go.mod │
│ https://osv.dev/GHSA-v778-237x-gjrc │      │           │                             │         │        │
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net            │ 0.30.0  │ go.mod │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                             │         │        │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────────────────┴─────────┴────────╯
  • govulncheck
Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2024-3333
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.30.0
    Fixed in: golang.org/x/[email protected]

Vulnerability #2: GO-2024-3321
    Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2024-3321
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.29.0
    Fixed in: golang.org/x/[email protected]

Note that none of the above vulnerabilities directly affect CRI-O.

While at it, update a number of build and test time dependencies, too.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

None
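The PR description above relies on two scanners whose text output is easy to eyeball but awkward to act on in CI. As an added example (not code from this PR or from CRI-O), the Go program below parses the osv-scanner box table exactly as printed in the description, folds the continuation rows (the GHSA aliases printed under GO-2024-3321 and GO-2024-3333) into their parent finding, and then applies a CVSS gate. The table text is embedded verbatim as sample input taken from the description; the 9.0 threshold and the `Finding`/`Gate` names are assumptions for illustration. Note that a score gate knows nothing about reachability, which is why the author's remark that none of these findings directly affect CRI-O still matters when triaging.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Finding is one row of the osv-scanner table. Continuation rows, which carry
// only an OSV URL, are folded into the preceding finding's Aliases.
type Finding struct {
	ID        string   // advisory ID taken from the OSV URL, e.g. GO-2024-3321
	URL       string   // full OSV URL as printed by the scanner
	CVSS      float64  // CVSS score as printed (0 if the scanner printed none)
	Ecosystem string
	Package   string
	Version   string
	Source    string
	Aliases   []string // advisory IDs from continuation rows, e.g. GHSA-...
}

// osvTable is sample input: the osv-scanner output from the PR description.
const osvTable = `
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────────────┬─────────┬────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                     │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼─────────────────────────────┼─────────┼────────┤
│ https://osv.dev/GHSA-r9px-m959-cxf4 │ 7.5  │ Go        │ github.com/go-git/go-git/v5 │ 5.12.0  │ go.mod │
│ https://osv.dev/GHSA-v725-9546-7q7m │ 9.8  │ Go        │ github.com/go-git/go-git/v5 │ 5.12.0  │ go.mod │
│ https://osv.dev/GO-2024-3321        │ 9.1  │ Go        │ golang.org/x/crypto         │ 0.29.0  │ go.mod │
│ https://osv.dev/GHSA-v778-237x-gjrc │      │           │                             │         │        │
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net            │ 0.30.0  │ go.mod │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                             │         │        │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────────────────┴─────────┴────────╯
`

// splitRow splits a "│"-delimited table row into trimmed cells, dropping the
// empty pieces produced by the outer borders.
func splitRow(line string) []string {
	parts := strings.Split(line, "│")
	if len(parts) < 3 {
		return nil
	}
	cells := parts[1 : len(parts)-1]
	for i := range cells {
		cells[i] = strings.TrimSpace(cells[i])
	}
	return cells
}

// idFromURL returns the last path element of an OSV URL, which is the advisory ID.
func idFromURL(u string) string {
	return u[strings.LastIndex(u, "/")+1:]
}

// ParseOSVTable turns osv-scanner's box-drawn table into structured findings.
// Border and separator lines are skipped; the header row is validated.
func ParseOSVTable(text string) ([]Finding, error) {
	var findings []Finding
	headerSeen := false
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "│") {
			continue // top/bottom border or column separator
		}
		cells := splitRow(line)
		if len(cells) != 6 {
			return nil, fmt.Errorf("unexpected column count %d in row %q", len(cells), line)
		}
		if !headerSeen {
			if cells[0] != "OSV URL" {
				return nil, fmt.Errorf("unexpected header %q", cells[0])
			}
			headerSeen = true
			continue
		}
		// A row with no score and no package is an alias for the previous finding.
		if cells[1] == "" && cells[3] == "" {
			if len(findings) == 0 {
				return nil, fmt.Errorf("continuation row before any finding: %q", line)
			}
			last := &findings[len(findings)-1]
			last.Aliases = append(last.Aliases, idFromURL(cells[0]))
			continue
		}
		score, err := strconv.ParseFloat(cells[1], 64)
		if err != nil {
			return nil, fmt.Errorf("bad CVSS %q: %w", cells[1], err)
		}
		findings = append(findings, Finding{
			ID: idFromURL(cells[0]), URL: cells[0], CVSS: score,
			Ecosystem: cells[2], Package: cells[3], Version: cells[4], Source: cells[5],
		})
	}
	if !headerSeen {
		return nil, fmt.Errorf("no osv-scanner table header found")
	}
	return findings, nil
}

// Gate returns the sorted IDs of findings scoring at or above threshold;
// an empty result means the CI step may pass.
func Gate(findings []Finding, threshold float64) []string {
	var ids []string
	for _, f := range findings {
		if f.CVSS >= threshold {
			ids = append(ids, f.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	findings, err := ParseOSVTable(osvTable)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %4.1f %-28s %-7s aliases=%v\n", f.ID, f.CVSS, f.Package, f.Version, f.Aliases)
	}
	fmt.Println("blocking at CVSS >= 9.0:", Gate(findings, 9.0)) // assumed threshold
}
```

Run with `go run .`; against the embedded table it yields four findings, two of which (GHSA-v725-9546-7q7m and GO-2024-3321) cross the assumed 9.0 threshold. Keying the gate on the OSV ID rather than the URL makes it easy to maintain an allowlist for findings that a reviewer has judged unreachable, as this PR's author did in prose.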

@kwilczynski kwilczynski requested a review from mrunalp as a code owner January 7, 2025 05:46
@openshift-ci openshift-ci bot added release-note-none Denotes a PR that doesn't merit a release note. kind/dependency-change Categorizes issue or PR as related to changing dependencies dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Jan 7, 2025
@openshift-ci openshift-ci bot requested review from QiWang19 and littlejawa January 7, 2025 05:46
@kwilczynski
Contributor Author

/assign kwilczynski

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 7, 2025
@codecov

codecov bot commented Jan 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.10%. Comparing base (cbb9d83) to head (f5e6d6f).
Report is 11 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8895      +/-   ##
==========================================
+ Coverage   47.09%   47.10%   +0.01%     
==========================================
  Files         154      154              
  Lines       22138    22138              
==========================================
+ Hits        10425    10428       +3     
+ Misses      10644    10642       -2     
+ Partials     1069     1068       -1     

@kwilczynski kwilczynski force-pushed the feature/update-multiple-dependencies branch from 3af23b5 to 644a3d2 Compare January 7, 2025 06:30
The upstream project pulled the release v1.6.1, which was allegedly
incorrectly released. The new version has been released in lieu of the one
that has been pulled.

Signed-off-by: Krzysztof Wilczyński <[email protected]>
@kwilczynski kwilczynski force-pushed the feature/update-multiple-dependencies branch from 644a3d2 to 584e4a1 Compare January 7, 2025 06:32
Krzysztof Wilczyński added 6 commits January 7, 2025 15:34
Signed-off-by: Krzysztof Wilczyński <[email protected]>
Signed-off-by: Krzysztof Wilczyński <[email protected]>
Signed-off-by: Krzysztof Wilczyński <[email protected]>
Signed-off-by: Krzysztof Wilczyński <[email protected]>
Signed-off-by: Krzysztof Wilczyński <[email protected]>
Signed-off-by: Krzysztof Wilczyński <[email protected]>
@kwilczynski kwilczynski force-pushed the feature/update-multiple-dependencies branch from 584e4a1 to 458137a Compare January 7, 2025 06:34
Krzysztof Wilczyński added 2 commits January 7, 2025 15:49
Signed-off-by: Krzysztof Wilczyński <[email protected]>
Signed-off-by: Krzysztof Wilczyński <[email protected]>
@kwilczynski kwilczynski force-pushed the feature/update-multiple-dependencies branch from 495a5e2 to f5e6d6f Compare January 7, 2025 06:49
@kwilczynski kwilczynski mentioned this pull request Jan 7, 2025
@kwilczynski
Contributor Author

/retest

2 similar comments
@sohankunkerkar
Member

/retest

@kwilczynski
Contributor Author

/retest

@kwilczynski
Contributor Author

/retest

@kwilczynski
Contributor Author

/cc @cri-o/cri-o-maintainers

@openshift-ci openshift-ci bot requested a review from a team January 7, 2025 21:29
@kwilczynski
Contributor Author

/retest

Member

@sohankunkerkar sohankunkerkar left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 7, 2025
@openshift-ci
Contributor

openshift-ci bot commented Jan 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kwilczynski, sohankunkerkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kwilczynski,sohankunkerkar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit a4fd64f into cri-o:main Jan 7, 2025
70 checks passed
@kwilczynski kwilczynski deleted the feature/update-multiple-dependencies branch January 7, 2025 23:28