chore: bump transitive dependencies #527
Codecov Report
@@ Coverage Diff @@
## main #527 +/- ##
==========================================
- Coverage 68.88% 68.85% -0.04%
==========================================
Files 22 22
Lines 2144 2148 +4
==========================================
+ Hits 1477 1479 +2
- Misses 528 530 +2
Partials 139 139
I feel this PR can be converted from draft to an actual PR
* main:
  Add system requirements parent docs page for podman and colima (#562)
  Support for cap-add/cap-drop (#555)
  fix container NetworkMode usage (#560)
  chore: use hashed versions of test-summary action (#556)
  chore: use container.State() function in tests (#543)
  Log docker server info (#548)
  docs: add docs regarding Colima usage (#547)
  chore: add emoji to breaking changes in release drafter (#542)
  chore: add CONTRIBUTING file (#539)
  issue #537 Rename the wait/multi.go file to wait/all.go (#541)
  docs: add a basic layout for wait strategies in docs (#536)
  docs: improve consistency and fix typos (#534)
  chore: do not skip test (#528)
  chore: include test flakiness in the release drafter (#535)
  chore: retire old versions of Go (#530)
* main: (79 commits)
  chore: reduce concurrent builds (testcontainers#702)
  chore: add mysql example (testcontainers#700)
  chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 (testcontainers#699)
  chore(deps): bump google.golang.org/api in /examples/firestore (testcontainers#683)
  chore(deps): bump cloud.google.com/go/spanner in /examples/spanner (testcontainers#688)
  chore(deps): bump google.golang.org/api in /examples/pubsub (testcontainers#685)
  chore(deps): bump google.golang.org/api in /examples/spanner (testcontainers#684)
  chore(deps): bump google.golang.org/grpc in /examples/firestore (testcontainers#686)
  chore(deps): bump google.golang.org/api in /examples/bigtable (testcontainers#680)
  chore(deps): bump google.golang.org/api in /examples/datastore (testcontainers#678)
  chore(deps): bump golang.org/x/text from 0.3.7 to 0.5.0 (testcontainers#660)
  chore(deps): bump github.com/magiconair/properties from 1.8.6 to 1.8.7 (testcontainers#677)
  chore: postgres example (testcontainers#674)
  Add bigtable example (testcontainers#676)
  chore(deps): bump github.com/containerd/containerd from 1.6.10 to 1.6.12 (testcontainers#675)
  chore: run go mod tidy in examples (testcontainers#672)
  Improve datastore, firestore, pubsub and spanner tests (testcontainers#670)
  chore: group dependabot updates (testcontainers#668)
  chore: update mkdocs format to go-yaml v3 (testcontainers#667)
  chore: generate dependabot configs for examples (testcontainers#654)
  ...
I resolved conflicts and got this report:
I believe the gorm dependency issue will disappear with #650, as it's pushed back to the compose module. OTOH, I ran
which confirms that the gorm dependency was introduced by compose native support. Regarding apiserver, it is not required by the main module, and I'm not sure how it gets into the dependencies, as it's not present in any file, including
@kishaningithub because the number of issues has been removed from 23 (as shown in the original #326 issue) to 2 (1 after #650), I'd merge this PR as is, considering it done. Wdyt?
@mdelapenya Beautiful to see the vulnerabilities go from 23 to 2. Yes IMO this can be merged :-)
* main:
  chore: bump transitive dependencies (#527)
* main: (44 commits)
  feat: support passing registry credentials to the reaper (testcontainers#647)
  fix: close response body in http strategy (testcontainers#718)
  chore: move e2e module to postgres example module (testcontainers#717)
  chore: bump containerd transitive dep in examples (testcontainers#715)
  chore(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.14 (testcontainers#703)
  chore(deps): bump github.com/compose-spec/compose-go in /modules/compose (testcontainers#710)
  chore: bump testcontainers-go to 0.17.0 in examples (testcontainers#714)
  chore(deps): bump github.com/docker/compose/v2 in /modules/compose (testcontainers#711)
  chore: support running MySQL compose in ARM (testcontainers#712)
  chore: simplify compose replace directives (testcontainers#713)
  chore: add compose module to dependabot (testcontainers#709)
  chore: move compose code to a separate module (testcontainers#650)
  docs: refine onboarding process with quickstart guide (testcontainers#706)
  chore: move redis-specific tests to the example module (testcontainers#701)
  chore: bump transitive dependencies (#527)
  chore: reduce concurrent builds (testcontainers#702)
  chore: add mysql example (testcontainers#700)
  chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 (testcontainers#699)
  chore(deps): bump google.golang.org/api in /examples/firestore (testcontainers#683)
  chore(deps): bump cloud.google.com/go/spanner in /examples/spanner (testcontainers#688)
  ...
What does this PR do?
It bumps the following deps to their latest released versions:
We have run the following command to detect the vulnerabilities:
go list -json -m all | docker run --rm -i sonatypecommunity/nancy:v1.0.39 sleuth --skip-update-check
It has resolved 2 out of 5 security issues, but I'm not sure how to resolve those 3 packages, as I'm getting the:
Finally, it's adding a Make goal to scan the dependencies with the above command:
make dependencies-scan
It is available to any module via the commons-test.mk file.
Why is it important?
This PR resolves 2 security issues, but there are still 3.
I've observed myself everything that @mwittig commented in #326 (comment), so I'd say that we are stuck on containerd's vulnerabilities.
Related issues
Follow-ups
As a follow-up, and once we are green in terms of dependencies, we could run it in the GH action and force a successful check in order to merge a PR.
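One way to act on that follow-up, as an added example rather than anything this PR or the testcontainers-go repository ships: a GitHub Actions workflow that runs the make dependencies-scan goal from this PR on every pull request and on a weekly schedule, so that advisories published for an unchanged dependency graph still surface instead of waiting for the next bump. The workflow file name, the action version tags and the cron expression are assumptions; the goal name and the go list / nancy sleuth pipeline behind it come from the PR description. The check turns red because nancy exits with a non-zero status when it reports vulnerabilities, which is what lets branch protection require it before a PR can be merged.

```yaml
# .github/workflows/dependencies-scan.yml (assumed path; example only, not part of this PR)
name: dependencies-scan

on:
  pull_request:
  schedule:
    # Weekly run (assumed cadence): catches advisories that land after the last dependency bump.
    - cron: "0 6 * * 1"

jobs:
  nancy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        with:
          # Reuse the Go version declared by the module so `go list -m all` resolves the same graph as local builds.
          go-version-file: go.mod

      - name: Scan module dependencies with nancy
        # Runs: go list -json -m all | docker run --rm -i sonatypecommunity/nancy:v1.0.39 sleuth --skip-update-check
        # (the goal is defined in commons-test.mk and shared by every module in the repository).
        # A non-zero exit from nancy fails this step and therefore the required check.
        run: make dependencies-scan
```

The scheduled trigger is the part that pays for itself: a dependency tree that was clean when the PR merged can become vulnerable the day a new advisory is published, and only a periodic run reports that without someone opening a new PR.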