[release/1.7]: api: update github.com/containerd/ttrpc v1.2.5 to align with containerd 1.7 module#10364
This bumps them ahead of what is in main, I'm fine taking these updates though

Oh! In the API module in main you mean? That's a good point, I didn't check that one; I checked against the containerd "main" module in the 1.7 branch. We should probably do the same in API 1.8.x. That one could keep a minimum version similar to the 1.7 branch (to prevent a user of 1.7 containerd with API 1.8 from being forced to update everything).

Looks like CI is happy 🥳

@dmcgowan ptal; 🤗

I'm -1 for bumping indirect packages through the api module. The binary packages should be responsible for that. We should get the ttrpc bump in though since that is direct and relevant.

The point is that we won't be able to get rid of the vulnerable

If it is important to update, then we should update and tag through ttrpc since that is the direct dependency, not through the API module. I don't think that is a good reason to update indirects in a library package, the importing packages will still be able to choose their versions.
059243e to 5aaf1c1
I stacked this on top of #10373, so will temporarily move back to draft. The good news: go modules was dreaming up the dependency; cleaning up the go.mod after updating made it disappear.
[release/1.7] api: update github.com/containerd/ttrpc v1.2.5

Update the dependency and the indirect golang.org/x/net version to align with containerd 1.7 itself, and to prevent a vulnerability being detected. This should not generally be an issue, as the API module is used by containerd 1.7 and up, which already depend on a more current version of these dependencies.

full diff: containerd/ttrpc@v1.2.3...v1.2.5

Before this:

```
govulncheck ./...
Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error
      #2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String
      #5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String
      #6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String
      #7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error
      #8: services/version/v1/version_grpc.pb.go:13:2: version.init calls status.init, which eventually calls http2.chunkWriter.Write
      #9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error
      #10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
      #11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
      #12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
      #13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
      #14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

After this:

```
govulncheck ./...
Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

Signed-off-by: Sebastiaan van Stijn <[email protected]>
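The before/after scans in the commit message hinge on one distinction govulncheck draws: a vulnerability whose symbol is actually reachable from your code ("Your code is affected by 1 vulnerability") versus one that merely sits in a module you require. The following is an added example, not code from this PR or from containerd: a small Go program that reads a `govulncheck -json` stream, applies the same trace-based rule govulncheck's text summary uses (a function in `trace[0]` means called, a package alone means imported, a bare module means required) and gates on the called ones only. The JSON field names follow govulncheck's `-json` format; the scan contents are constructed, the versions (`vFIXED`) and the `GO-EXAMPLE-0001` id are placeholders, and the trace is shaped after the `events.TaskIO.Field` path quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// One hop of a govulncheck finding trace: trace[0] is the vulnerable
// symbol, package or module; the last entry is the caller in your code.
type traceEntry struct {
	Module   string `json:"module"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

type finding struct {
	OSV          string       `json:"osv"`
	FixedVersion string       `json:"fixed_version"`
	Trace        []traceEntry `json:"trace"`
}

// One object of the `govulncheck -json` stream; objects of other kinds
// (config, progress, osv) have no "finding" key and leave Finding nil.
type message struct {
	Finding *finding `json:"finding"`
}

// Level is how deeply a vulnerability touches the scanned code.
type Level int

const (
	Required Level = iota // module in go.mod, vulnerable package not imported
	Imported              // vulnerable package imported, symbol not reached
	Called                // vulnerable symbol reachable from your code
)

func (l Level) String() string { return [...]string{"required", "imported", "called"}[l] }

// classify mirrors the rule behind govulncheck's text summary.
func classify(f finding) Level {
	switch {
	case len(f.Trace) == 0:
		return Required
	case f.Trace[0].Function != "":
		return Called
	case f.Trace[0].Package != "":
		return Imported
	}
	return Required
}

// Summary aggregates all findings that share one OSV id.
type Summary struct {
	Module, FixedVersion string
	Level                Level // highest level seen for this id
	CallPaths            int   // distinct call paths reaching a vulnerable symbol
}

// Summarize reads a govulncheck -json stream and returns one Summary per OSV id.
func Summarize(r io.Reader) (map[string]*Summary, error) {
	dec, out := json.NewDecoder(r), map[string]*Summary{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.Finding == nil {
			continue
		}
		f := *m.Finding
		s := out[f.OSV]
		if s == nil {
			s = &Summary{FixedVersion: f.FixedVersion}
			if len(f.Trace) > 0 {
				s.Module = f.Trace[0].Module
			}
			out[f.OSV] = s
		}
		if lvl := classify(f); lvl > s.Level {
			s.Level = lvl
		}
		if classify(f) == Called {
			s.CallPaths++
		}
	}
}

// Affected returns the sorted OSV ids whose vulnerable symbols are reachable,
// i.e. the ones counted in "Your code is affected by N vulnerabilities".
func Affected(sums map[string]*Summary) []string {
	var ids []string
	for id, s := range sums {
		if s.Level == Called {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// sampleScan is a constructed stand-in for `govulncheck -json ./...` output:
// GO-2024-2687 is reached via events.TaskIO.Field -> fmt.Sprint; GO-EXAMPLE-0001
// is a placeholder id for a required-only module; versions are placeholders.
const sampleScan = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"vFIXED","trace":[{"module":"golang.org/x/net"}]}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"vFIXED","trace":[{"module":"golang.org/x/net","package":"golang.org/x/net/http2"}]}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"vFIXED","trace":[
  {"module":"golang.org/x/net","package":"golang.org/x/net/http2","function":"ConnectionError.Error"},
  {"module":"stdlib","package":"fmt","function":"Sprint"},
  {"module":"github.com/containerd/containerd/api","package":"github.com/containerd/containerd/api/events","function":"TaskIO.Field"}]}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"vFIXED","trace":[
  {"module":"golang.org/x/net","package":"golang.org/x/net/http2","function":"StreamError.Error"},
  {"module":"stdlib","package":"fmt","function":"Sprint"},
  {"module":"github.com/containerd/containerd/api","package":"github.com/containerd/containerd/api/events","function":"TaskIO.Field"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"vFIXED","trace":[{"module":"example.com/required-only"}]}}
`

func main() {
	sums, err := Summarize(strings.NewReader(sampleScan)) // swap in os.Stdin for a real scan
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ids := make([]string, 0, len(sums))
	for id := range sums {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		s := sums[id]
		fmt.Printf("%-16s %-28s %-8s call paths=%d fixed in %s\n", id, s.Module, s.Level, s.CallPaths, s.FixedVersion)
	}
	// Fail only on reachable vulnerabilities; required-only findings are
	// reported but tolerated, the same split the before/after scans show.
	if aff := Affected(sums); len(aff) > 0 {
		fmt.Println("affected:", strings.Join(aff, ", "))
		os.Exit(1)
	}
}
```

Piped from a real `govulncheck -json ./...` run (with `os.Stdin` in place of the embedded sample), this gives a CI gate that fails on the symbol-level finding the commit message fixes but stays quiet on the three required-only modules, which is exactly the difference a bump of an indirect dependency in a library module is meant to resolve.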
5aaf1c1 to 2a6aa6d
Rebased after #10373 was merged; this should be ready for review 👍