Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.1 backport] vendor: google.golang.org/protobuf 1.33.0 #4361

Conversation

dependabot bot added 8 commits July 29, 2024 22:34
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 82bc042)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 450dd3e)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 6b41f8e)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a7046b8)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 8f0d0c4)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps google.golang.org/protobuf from 1.30.0 to 1.31.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a57d94d)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 43306be)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 7ab66b1)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
@austinvazquez austinvazquez marked this pull request as ready for review July 29, 2024 23:03
@rata
Copy link
Member

rata commented Jul 30, 2024

false positive warnings for package < 1.33.0

What were the warnings? How do you trigger them?

@austinvazquez
Copy link
Contributor Author

@rata, I see the warning when running govulncheck; however, this is a false positive as runc does not use/vendor the affected packages.

[runc]$ govulncheck -mode=binary runc
=== Symbol Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.27.1
    Fixed in: google.golang.org/protobuf@v1.33.0
    Vulnerable symbols found:
      #1: json.Decoder.Peek
      #2: json.Decoder.Read
      #3: protojson.Unmarshal
      #4: protojson.UnmarshalOptions.Unmarshal

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
[runc]$ 

Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@austinvazquez oh, govulncheck, thanks!

I've verified locally that make vendor passes fine, just in case.

LGTM.

@kolyshkin kolyshkin added this to the 1.1.14 milestone Aug 1, 2024
@kolyshkin kolyshkin merged commit 931f463 into opencontainers:release-1.1 Aug 1, 2024
28 checks passed
@austinvazquez austinvazquez deleted the backport-protobuf-updates-to-1.1 branch August 2, 2024 03:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants