
Bump up github.com/ipld/go-codec-dagpb from v1.3.0 to v1.3.2 #736

Merged
merged 1 commit into from Apr 13, 2022

Conversation

ktock (Member) commented Apr 13, 2022

Addresses GHSA-g3vv-g2j5-45f2.
This also solves the recent dependabot error that fails to automatically upgrade this package.
A similar patch will be needed for nerdctl as well.

@ktock ktock requested a review from AkihiroSuda April 13, 2022 07:55
cmd/go.mod (Outdated)

// Ensure v1.3.1+ is used to address https://github.com/advisories/GHSA-g3vv-g2j5-45f2
// TODO: remove this replace directive once all dependencies are updated to point to v1.3.1+
github.com/ipld/go-codec-dagpb => github.com/ipld/go-codec-dagpb v1.3.2
Member

Can't you just pin this version as an // indirect dependency in the require() section?
Maybe with go 1.17 format.

Member Author

github.com/ipld/go-codec-dagpb v1.3.2 is added to go.sum, but it still contains the github.com/ipld/go-codec-dagpb v1.3.0 entry (using go 1.17 didn't help).
I'm not sure this solves the dependabot alert.
Can we merge this and check if the dependabot alert is solved? If not solved, we'll need to use replace.
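The question in this thread is which version of a module the build will actually use when the require block still lists an old version but a replace directive (as in the cmd/go.mod line above) forces a newer one, and whether that effective version is at or above the release that fixes the advisory. The following script is an added example, not code from this repository or from the PR author: it parses a constructed go.mod excerpt modelled on the PR's replace directive, resolves the effective version (replace wins over require), and compares it against a minimum fixed version. The module text, the second module `github.com/other/dep`, and the function names are all assumptions made for the example.

```python
"""Resolve the effective version of a Go module from go.mod text and check
it against the version that fixes an advisory.

Added example, not code from the project under review. The go.mod text is
constructed after the replace directive discussed in the PR."""
import re

# Constructed go.mod excerpt: require still pins v1.3.0, but a replace
# directive forces v1.3.2, mirroring the cmd/go.mod change in the PR.
SAMPLE_GO_MOD_PINNED = """\
module example.com/constructed

go 1.17

require (
	github.com/ipld/go-codec-dagpb v1.3.0 // indirect
	github.com/other/dep v0.9.1
)

replace github.com/ipld/go-codec-dagpb => github.com/ipld/go-codec-dagpb v1.3.2
"""

# Same excerpt without the replace directive: the old version stays effective.
SAMPLE_GO_MOD_UNPINNED = """\
module example.com/constructed

go 1.17

require (
	github.com/ipld/go-codec-dagpb v1.3.0 // indirect
	github.com/other/dep v0.9.1
)
"""

_VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)")


def parse_version(v):
    """Turn 'v1.3.2' into (1, 3, 2); pre-release and pseudo-version suffixes are ignored."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a semantic version: {v!r}")
    return tuple(int(x) for x in m.groups())


def parse_go_mod(text):
    """Return (requires, replaces): {module: version} and {module: (target, version_or_None)}."""
    requires, replaces = {}, {}
    in_require = in_replace = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as '// indirect'
        if not line:
            continue
        if line.startswith("require ("):
            in_require = True
            continue
        if line.startswith("replace ("):
            in_replace = True
            continue
        if line == ")":
            in_require = in_replace = False
            continue
        single = None
        if line.startswith("require "):
            line, single = line[len("require "):], "require"
        elif line.startswith("replace "):
            line, single = line[len("replace "):], "replace"
        if in_require or single == "require":
            path, version = line.split()
            requires[path] = version
        elif in_replace or single == "replace":
            left, right = (s.strip() for s in line.split("=>"))
            old = left.split()[0]            # 'mod' or 'mod vX.Y.Z' on the left-hand side
            parts = right.split()
            # 'mod vX.Y.Z' replaces with a versioned module; a single token is a local path.
            replaces[old] = (parts[0], parts[1] if len(parts) == 2 else None)
    return requires, replaces


def effective_version(text, module):
    """Version the build will use for `module`: a replace directive overrides require."""
    requires, replaces = parse_go_mod(text)
    if module in replaces:
        target, version = replaces[module]
        return version if version is not None else f"directory:{target}"
    return requires.get(module)


def meets_fix(text, module, fixed_version):
    """True when the effective version is at least `fixed_version` (a released semver tag)."""
    v = effective_version(text, module)
    if v is None or not v.startswith("v"):
        return False  # absent, or replaced by a local directory whose version is unknown
    return parse_version(v) >= parse_version(fixed_version)


if __name__ == "__main__":
    mod, floor = "github.com/ipld/go-codec-dagpb", "v1.3.1"
    for label, text in (("pinned", SAMPLE_GO_MOD_PINNED), ("unpinned", SAMPLE_GO_MOD_UNPINNED)):
        print(f"{label}: effective {effective_version(text, mod)}, "
              f"meets {floor}: {meets_fix(text, mod, floor)}")
```

Against a real checkout the same fact can be read directly with `go list -m github.com/ipld/go-codec-dagpb`, which prints the version the module graph resolves to after replace directives are applied; the leftover go.sum entry for v1.3.0 that ktock observed records a hash for a version that was once consulted and does not by itself change what is built.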

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
@ktock ktock force-pushed the bump-github.com/ipld/go-codec-dagpb branch from 0c4f05a to 499bd67 Compare April 13, 2022 08:44
@ktock ktock merged commit 43d576b into containerd:main Apr 13, 2022
@ktock ktock deleted the bump-github.com/ipld/go-codec-dagpb branch April 13, 2022 10:41
ktock (Member Author) commented Apr 13, 2022

It seems that the dependabot alert has been solved. I'll prepare for release v0.11.4.


2 participants