chore(deps): remove github.com/mholt/archiver/v3 dependency #1472
base: master
448508e to 5e01666
/retest
8fb906b to 1acad4e
/retest
1acad4e to 15fce6b
/retest
f9a1f8f to 3088957
This PR and subsequent scanner dependency update in stackrox/stackrox should help with https://github.com/stackrox/stackrox/security/dependabot/270
Looks like code was removed related to handling symlinks, was that because in the various workflows that use WriteZip we know symlinks are not being used?
(rest looks OK to me - holding approve for a successful diff-dump / test)
Yes,
I'm also waiting for
3088957 to 277299c
c3d6356 to 52e16c6
52e16c6 to 9635317
@RTann: The following test failed, say
mholt/archiver#396 has yet to land so github.com/mholt/archiver/v3 is still affected by CVE-2024-0406. This repository is not affected by this vulnerability.
This PR removes the dependency to:
Implementation is completely based on https://github.com/mholt/archiver/blob/v3.5.1/zip.go#L140.
Note: I want to make sure the diff-dumps still give the same data, but that step is failing at the moment... In any case, it doesn't hurt to start the review process.
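
The symlink question raised in review comes down to what a directory-to-zip writer does when it meets a link. As an added example (not code from this PR or from mholt/archiver; `writeZipNoSymlinks` and the sample tree are assumptions made here), this Go function makes that choice explicit by failing on symlinks rather than following or silently skipping them:

```go
package main

import (
	"archive/zip"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// writeZipNoSymlinks is a hypothetical helper, not the PR's WriteZip: it archives the
// regular files under srcDir and fails on any symlink instead of following or dropping it.
func writeZipNoSymlinks(w io.Writer, srcDir string) error {
	fsys := os.DirFS(srcDir)
	zw := zip.NewWriter(w)
	if err := fs.WalkDir(fsys, ".", func(name string, d fs.DirEntry, err error) error {
		switch {
		case err != nil:
			return err
		case d.Type()&fs.ModeSymlink != 0:
			return fmt.Errorf("refusing to archive symlink %q", name)
		case !d.Type().IsRegular():
			return nil // directories and special files get no entry of their own
		}
		dst, err := zw.Create(name) // name is already relative and slash-separated
		if err != nil {
			return err
		}
		src, err := fsys.Open(name)
		if err != nil {
			return err
		}
		defer src.Close()
		_, err = io.Copy(dst, src)
		return err
	}); err != nil {
		return err
	}
	return zw.Close()
}

func main() { // demo on a constructed temp tree: one file, then a symlink next to it
	dir, _ := os.MkdirTemp("", "zipdemo")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "a.txt"), []byte("hello"), 0o600)
	fmt.Println("file only:", writeZipNoSymlinks(io.Discard, dir))
	_ = os.Symlink("a.txt", filepath.Join(dir, "link"))
	fmt.Println("with symlink:", writeZipNoSymlinks(io.Discard, dir))
}
```

The type check and the later open are separate steps, so this assumes the source tree is not being modified while it is archived.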