Upgrade golang.org/x/net from 0.23.0 to 0.33.0
#5940
Conversation
chrisd8088
changed the title
golang.org/x/net from 0.23.0 to 0.33.0
chrisd8088
left a comment
chrisd8088
left a comment
There was a problem hiding this comment.
Thanks for the contribution! I've taken the liberty of fleshing out the PR description and slightly revising the title, and once our CI suite passes, we can merge this.
| golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
| golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
| golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
| golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= |
There was a problem hiding this comment.
Why not removing golang.org/x/net v0.0.0? Or it's not affected by the security issue?
There was a problem hiding this comment.
That's an interesting question. The entries in the go.sum module are not actually the dependencies of the project. You can see those with go list -m all, and if we filter for x/net, we only get the module we expect:
$ go list -m golang.org/x/net
golang.org/x/net v0.33.0
There's some explanation in the Go wiki as to why the go.sum contains information for older module versions, and more information in the documentation of the go.sum file:
A module may have a text file named
go.sumin its root directory, alongside itsgo.modfile. Thego.sumfile contains cryptographic hashes of the module’s direct and indirect dependenciesThe
go.sumfile may contain hashes for multiple versions of a module. Thegocommand may need to loadgo.modfiles from multiple versions of a dependency in order to perform minimal version selection.
So in this particular case, the various v0.0.0 entries are used in that Minimal Version Selection process, but in the end, only the v0.33.0 version of x/net will be selected.
Now we could remove the v0.23.0 entries for x/net from go.sum, as go mod tidy indicates they aren't used in the MVS process at all anymore. We usually run go mod tidy when we update dependencies, so we'll get around to this eventually, but it's not urgent and their presence in go.sum is not a cause for concern.
There was a problem hiding this comment.
Thanks for this great explaination 🙏
3 participants
As noted in #5939 (comment), the vulnerability addressed by this update to the
x/netGo module, reported as CVE-2024-45338, only pertains to thex/net/htmlpackage and the Git LFS client doesn't parse any HTML, so there is no immediate need to release a new version of Git LFS.While we do import some packages from the
x/netmodule, both directly and indirectly, none of them are thex/net/htmlpackage. We can confirm this is the case by runninggo list -json all | grep x/net/html, which returns no output.Nevertheless, we might as well upgrade the module, so that when we do release v3.7.0 of the Git LFS client, security scanners will not generate false positive reports.
For reference, the details of the vulnerability are described in golang/go#70906, the GO-2024-3333 report, and in the release announcement for version 0.33.0 of the
x/netmodule.Resolves #5939.