Update github.com/spf13/cobra to v1.2.1 #13396

Closed

Conversation

antoineco

Addresses CVE-2020-26160 related to github.com/dgrijalva/jwt-go.

Closes #13390

@antoineco (Author)

I still see github.com/dgrijalva/jwt-go in the various go.sum files but I couldn't figure what is still using it.

@antoineco (Author) commented Oct 7, 2021

@ptabor would you be able to assist me with updating this occurrence?

github.com/spf13/cobra v1.1.3

The entries about forbidden dependencies in this same file seem to be preventing me from doing so.

@ptabor (Contributor) commented Oct 7, 2021

./script/update_dep.sh github.com/spf13/cobra v1.2.1

should solve the problem
(or just please bump cobra version in ./pkg/go.mod)

@antoineco (Author)

Ahh there was a script for it, thanks for the pointer 😅

% (cd pkg && 'go' 'get' 'github.com/spf13/cobra@v1.2.1')
stderr: go get: github.com/spf13/cobra@v1.2.1 requires
stderr: github.com/spf13/viper@v1.8.1 requires
stderr: github.com/bketelsen/crypt@v0.0.4 requires
stderr: go.etcd.io/etcd/client/v2@v2.305.0 requires
stderr: go.etcd.io/etcd/api/v3@v3.5.0 (replaced by ./FORBIDDEN_DEPENDENCY): reading FORBIDDEN_DEPENDENCY/go.mod: open /git/etcd-io/etcd/pkg/FORBIDDEN_DEPENDENCY/go.mod: no such file or directory

Unfortunately, there seems to be a circular dependency back to etcd from bketelsen/crypt. It seems like it's been here forever, that's why I was wondering how previous updates occurred. I'll keep digging.
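
The chain in the `go get` error above (cobra -> viper -> crypt -> etcd client/v2 -> etcd api/v3) is exactly what `go mod graph` encodes, one "parent child" edge per line. The following is an added example, not code from the etcd project or from anyone in this thread: it parses constructed `go mod graph`-style output that reproduces that chain, answers "why is module X in the graph?" with a breadth-first search (the same question `go mod why -m <module>` answers), and checks whether any requirement leads back into the repository's own modules, which is the cycle that the `./FORBIDDEN_DEPENDENCY` replace directive is there to catch. The root module name `example.com/pkg` is a placeholder and the `pflag` edge is an illustrative extra branch; neither is taken from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleGraph is constructed `go mod graph`-style output: one "parent child"
// edge per line, nodes written as "path@version", the root module without a
// version. The cobra -> viper -> crypt -> etcd client/v2 -> etcd api/v3 chain
// mirrors the go get error in the thread; "example.com/pkg" is a placeholder
// root and the pflag edge is an extra, illustrative branch.
const SampleGraph = `example.com/pkg github.com/spf13/cobra@v1.2.1
github.com/spf13/cobra@v1.2.1 github.com/spf13/pflag@v1.0.5
github.com/spf13/cobra@v1.2.1 github.com/spf13/viper@v1.8.1
github.com/spf13/viper@v1.8.1 github.com/bketelsen/crypt@v0.0.4
github.com/bketelsen/crypt@v0.0.4 go.etcd.io/etcd/client/v2@v2.305.0
go.etcd.io/etcd/client/v2@v2.305.0 go.etcd.io/etcd/api/v3@v3.5.0
`

// ParseGraph turns `go mod graph` text into an adjacency list keyed by the
// exact "path@version" node string. Blank and malformed lines are skipped.
func ParseGraph(graph string) map[string][]string {
	edges := make(map[string][]string)
	for _, line := range strings.Split(graph, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// ModulePath strips the "@version" suffix from a graph node.
func ModulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPath does a breadth-first search from root and returns the shortest
// requirement chain to the first node (other than root) accepted by match,
// or nil if no such node is reachable.
func FindPath(edges map[string][]string, root string, match func(node string) bool) []string {
	prev := map[string]string{}
	visited := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur != root && match(cur) {
			// Walk the predecessor links back to root to rebuild the chain.
			path := []string{cur}
			for n := cur; n != root; {
				n = prev[n]
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if !visited[next] {
				visited[next] = true
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// DependencyPath answers "why is module target in the graph?": the chain
// from root to any version of the module with that path.
func DependencyPath(edges map[string][]string, root, target string) []string {
	return FindPath(edges, root, func(n string) bool { return ModulePath(n) == target })
}

// PathIntoRepo finds the first chain that leads back into modules under
// repoPrefix, i.e. a dependency cycle of the kind hit in the thread, where an
// external module required go.etcd.io/etcd/... modules the repo itself provides.
func PathIntoRepo(edges map[string][]string, root, repoPrefix string) []string {
	return FindPath(edges, root, func(n string) bool { return strings.HasPrefix(ModulePath(n), repoPrefix) })
}

func main() {
	edges := ParseGraph(SampleGraph)
	root := "example.com/pkg"
	fmt.Println("why go.etcd.io/etcd/api/v3:")
	fmt.Println("  " + strings.Join(DependencyPath(edges, root, "go.etcd.io/etcd/api/v3"), " -> "))
	if cycle := PathIntoRepo(edges, root, "go.etcd.io/etcd/"); cycle != nil {
		fmt.Println("requirement chain back into the repo:")
		fmt.Println("  " + strings.Join(cycle, " -> "))
	}
}
```

Against a real checkout, replace SampleGraph with the output of `go mod graph` run in the module directory (the `pkg` directory in this thread). For the jwt-go question raised earlier, the built-in `go mod why -m github.com/dgrijalva/jwt-go` gives the same chain without any extra code; the value of the PathIntoRepo check is that it flags a cycle into the repo's own modules before `go get` fails on the FORBIDDEN_DEPENDENCY replace.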

@antoineco antoineco closed this Oct 7, 2021
@antoineco antoineco deleted the issue-13390 branch October 7, 2021 18:39
@antoineco (Author)

It doesn't seem possible with the current chain of dependencies, so I'm just going to close this.
Thanks for the help anyway, appreciated 👍

Linked issue #13390: Cobra upgrade: transitive dependency vulnerability