Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update golang.org/x/text #275

Merged
merged 1 commit into from
Jan 10, 2022
Merged

update golang.org/x/text #275

merged 1 commit into from
Jan 10, 2022

Conversation

jhump
Copy link
Contributor

@jhump jhump commented Jan 10, 2022

Resolves #274.

Sadly, go mod why golang.org/x/text just reports this:

# golang.org/x/text
(main module does not need package golang.org/x/text)

It would be nice to know via what path of indirect deps this module is entering the dependency graph. That way we could update the appropriate direct dependency (or dependencies).

@jhump jhump merged commit b3f5760 into master Jan 10, 2022
@jhump jhump deleted the jh/update-x-text branch January 10, 2022 20:18
@jeffwidman
Copy link
Contributor

go mod graph can be helpful in these situations:

go mod graph | grep golang.org/x/text@v0.3.2                                                                           NL-9389-bump-golang-text-lib-past-CVE
cloud.google.com/go@v0.56.0 golang.org/x/text@v0.3.2
go.opencensus.io@v0.22.3 golang.org/x/text@v0.3.2
golang.org/x/text@v0.3.2 golang.org/x/tools@v0.0.0-20180917221912-90fa682c2a6e
google.golang.org/api@v0.20.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.52.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.15.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.17.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.53.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.18.0 golang.org/x/text@v0.3.2
go.opencensus.io@v0.22.2 golang.org/x/text@v0.3.2
google.golang.org/appengine@v1.6.5 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.50.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.44.2 golang.org/x/text@v0.3.2
google.golang.org/api@v0.8.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.44.1 golang.org/x/text@v0.3.2
google.golang.org/api@v0.7.0 golang.org/x/text@v0.3.2
google.golang.org/appengine@v1.6.1 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.45.1 golang.org/x/text@v0.3.2
go.opencensus.io@v0.22.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.9.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.46.3 golang.org/x/text@v0.3.2
google.golang.org/api@v0.14.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.13.0 golang.org/x/text@v0.3.2

Points to: https://github.com/googleapis/google-cloud-go/blob/v0.56.0/go.mod#L23

There may be others as well, but that's an obvious one.

Looks like the latest version of cloud.google.com/go completely dropped that dep: https://github.com/googleapis/google-cloud-go/blob/v0.100.2/go.mod

@jeffwidman
Copy link
Contributor

jeffwidman commented Feb 3, 2022
edited
Loading

@jhump any chance of cutting a new release with this?

Trying to switch my makefile from go get to go install but in that case my local pin override won't take effect, it simply installs what is specified here in grpcurl... so a tagged release with this fixed would be more convenient than having to pin to a specific commit.

@jeffwidman jeffwidman mentioned this pull request Feb 6, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

v1.8.5 includes version of golang.org/x/text which flags our CVE scanner
2 participants
@jhump @jeffwidman