backport 3.5: etcd-io#13571 Update Cobra version to 1.2.1 to fix CVE-…

…2020-26160 Signed-off-by: Kay Yan <kay.yan@daocloud.io>
yankay · Mar 14, 2022 · 34e09c9 · 34e09c9
1 parent 39baf36
commit 34e09c9
Show file tree

Hide file tree

Showing 12 changed files with 1,579 additions and 343 deletions.
diff --git a/etcdctl/go.mod b/etcdctl/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/bgentry/speakeasy v0.1.0
 	github.com/dustin/go-humanize v1.0.0
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/urfave/cli v1.22.4
 	go.etcd.io/etcd/api/v3 v3.5.2

diff --git a/etcdctl/go.sum b/etcdctl/go.sum
diff --git a/etcdutl/go.mod b/etcdutl/go.mod
@@ -23,7 +23,7 @@ replace (
 require (
 	github.com/dustin/go-humanize v1.0.0
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	go.etcd.io/bbolt v1.3.6
 	go.etcd.io/etcd/api/v3 v3.5.2
 	go.etcd.io/etcd/client/pkg/v3 v3.5.2

diff --git a/etcdutl/go.sum b/etcdutl/go.sum
diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ replace (
 require (
 	github.com/bgentry/speakeasy v0.1.0
 	github.com/dustin/go-humanize v1.0.0
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	go.etcd.io/bbolt v1.3.6
 	go.etcd.io/etcd/api/v3 v3.5.2
 	go.etcd.io/etcd/client/pkg/v3 v3.5.2

diff --git a/go.sum b/go.sum
diff --git a/pkg/go.mod b/pkg/go.mod
@@ -5,8 +5,7 @@ go 1.16
 require (
 	github.com/creack/pty v1.1.11
 	github.com/dustin/go-humanize v1.0.0
-	github.com/golang/protobuf v1.5.1 // indirect
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	go.etcd.io/etcd/client/pkg/v3 v3.5.2
@@ -15,9 +14,14 @@ require (
 )
 
 replace (
-	go.etcd.io/etcd => ./FORBIDDEN_DEPENDENCY
-	go.etcd.io/etcd/api/v3 => ./FORBIDDEN_DEPENDENCY
+	go.etcd.io/etcd/api/v3 => ../api
 	go.etcd.io/etcd/client/pkg/v3 => ../client/pkg
-	go.etcd.io/etcd/tests/v3 => ./FORBIDDEN_DEPENDENCY
+)
+
+// Bad imports are sometimes causing attempts to pull that code.
+// This makes the error more explicit.
+replace (
+	go.etcd.io/etcd => ./FORBIDDEN_DEPENDENCY
 	go.etcd.io/etcd/v3 => ./FORBIDDEN_DEPENDENCY
+	go.etcd.io/tests/v3 => ./FORBIDDEN_DEPENDENCY
 )
diff --git a/pkg/go.sum b/pkg/go.sum
diff --git a/server/go.mod b/server/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/golang/protobuf v1.5.2
 	github.com/google/btree v1.0.1
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0
@@ -20,7 +21,7 @@ require (
 	github.com/prometheus/client_model v0.2.0
 	github.com/sirupsen/logrus v1.7.0 // indirect
 	github.com/soheilhy/cmux v0.1.5
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	github.com/stretchr/testify v1.7.0
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2

diff --git a/server/go.sum b/server/go.sum
diff --git a/tests/go.mod b/tests/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0
 	github.com/prometheus/client_golang v1.11.0
 	github.com/soheilhy/cmux v0.1.5
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	go.etcd.io/bbolt v1.3.6

diff --git a/tests/go.sum b/tests/go.sum