Update github.com/spf13/cobra to v1.2.1

[antoineco]

Addresses CVE-2020-26160 related to github.com/dgrijalva/jwt-go.

Closes #13390

[antoineco]

I still see github.com/dgrijalva/jwt-go in the various go.sum files but I couldn't figure what is still using it.

[antoineco]

@ptabor would you be able to assist me for updating this occurrence?

etcd/pkg/go.mod

Line 9 in 33623c3

github.com/spf13/cobra v1.1.3

The entries about forbidden dependencies in this same file seem to be preventing me to do so.

[ptabor]

./script/update_dep.sh github.com/spf13/cobra v1.2.1

should solve the problem
(or just please bump cobra version in ./pkg/go.mod)

[antoineco]

Ahh there was a script for it, thanks for the pointer 😅

% (cd pkg && 'go' 'get' 'github.com/spf13/cobra@v1.2.1')
stderr: go get: github.com/spf13/cobra@v1.2.1 requires
stderr: github.com/spf13/viper@v1.8.1 requires
stderr: github.com/bketelsen/crypt@v0.0.4 requires
stderr: go.etcd.io/etcd/client/v2@v2.305.0 requires
stderr: go.etcd.io/etcd/api/v3@v3.5.0 (replaced by ./FORBIDDEN_DEPENDENCY): reading FORBIDDEN_DEPENDENCY/go.mod: open /git/etcd-io/etcd/pkg/FORBIDDEN_DEPENDENCY/go.mod: no such file or directory

Unfortunately, there seems to be a circular dependency back to etcd from bketelsen/crypt. It seems like it's been here forever, that's why I was wondering how previous updates occurred. I'll keep digging.

[antoineco]

I doesn't seem possible with the current chain of dependencies, so I'm just going to close this.
Thanks for the help anyway, appreciated 👍