-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Update indirect dependency to knative.dev/serving v0.37.5 #468
Conversation
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Thanks @spolti -- took quite a bit of finagling to get this update to work. Should get easier once we moved to Go 1.21, KServe 0.12 |
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ckadner, spolti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks @spolti for several rounds of reviews! 🙏🏻 |
Motivation
Address https://github.com/kserve/modelmesh-serving/security/dependabot/11
Modifications
Override/replace indirect dependency to
knative.dev/serving v0.37.5
See https://github.com/knative/serving/tree/v0.37.5/pkg/autoscaler/metrics
Problems with using `knative.dev/serving v0.39.0`
The Mitigation steps for the Security Vulnerability report suggest updating to
knative.dev/serving v0.39.0
.However this forces an upgrade of several other direct/indirect dependencies causing incompatibilities:
k8s.io/api
andk8s.io/client-go
are upgraded tov0.27.+
, but this causes compilation errors:controller-runtime
v0.15.0
onward supportsHasSynced
:controller-runtime
v0.15.0
without breaking the KServe (0.11.2
) API integrationk8s.io/api
andk8s.io/client-go
belowv0.27.0
until AddEventHandler return type error kubernetes-sigs/controller-runtime#2302 is addressed.that downgrade however would re-introduce another vulnerability we previously mitigatedv0.12.0
along with Go 1.21 we should be able to upgrade tocontroller-runtime
to
v0.15.0
and things should get a bit less messy@spolti