Conversation

@AliVerses AliVerses commented Apr 23, 2025

Bumped the Go version to 1.24.2 in go.mod and updated several dependencies, including github.com/Masterminds/semver, github.com/spf13/cast, and golang.org/x/crypto, to their latest versions. These updates ensure compatibility and include the latest fixes and improvements.

What this PR does / why we need it: Updating deps to fix CVE-2025-22869

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1701

Please check the following list:

  • Does the affected code have corresponding tests, e.g. unit test, E2E test?
  • Does this change require a documentation update?
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have an appropriate license header?

Signed-off-by: Ali <alishah.ece2015@gmail.com>
@FeynmanZhou (Member) commented

Thanks @AliVerses for contributing to ORAS. @oras-project/oras-cli This link doesn't seem to be available to me. Can you access this link? https://github.com/oras-project/oras/security/advisories/GHSA-6fh6-vfc8-q52m

@AliVerses (Author) commented

> Thanks @AliVerses for contributing to ORAS. @oras-project/oras-cli This link doesn't seem to be available to me. Can you access this link? https://github.com/oras-project/oras/security/advisories/GHSA-6fh6-vfc8-q52m

Yes, I can access the link.

@Wwwsylvia (Member) left a comment

LGTM

@Wwwsylvia Wwwsylvia changed the title Update Go version and dependencies build: Update Go version and dependencies Apr 24, 2025
@Wwwsylvia (Member) left a comment

Need to update go.mod in the e2e directory as well. See #1703
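One way to implement the check behind this comment (an added example, not ORAS project code): a POSIX shell script that finds every go.mod in a tree, including nested modules such as e2e/, and flags any that still requires a module below a given minimum version. The module path and minimum version are caller-supplied; the v0.35.0 threshold used in the demo is an assumed placeholder, not a value taken from this page, and the two-module tree it scans is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the ORAS project: scan every go.mod under a
# repository root (the root module and nested ones such as e2e/) and report
# any that still requires a module below a minimum version. Relies only on
# find, awk and mktemp. Paths containing whitespace are not handled.

# version_ge A B: return 0 if semver tag A is >= tag B (vMAJOR.MINOR.PATCH;
# any -pre or +build suffix is ignored for the comparison).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/^v/, "", b)
        sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# required_version GOMOD MODULE: print the version GOMOD requires for MODULE,
# whether direct or "// indirect", inside a require ( ... ) block or on a
# single-line require; prints nothing if the module is not required.
required_version() {
    awk -v m="$2" '
        $1 == m && $2 ~ /^v[0-9]/ { print $2; exit }
        $1 == "require" && $2 == m && $3 ~ /^v[0-9]/ { print $3; exit }
    ' "$1"
}

# check_min_version ROOT MODULE MIN: print "path version" for every go.mod
# under ROOT that requires MODULE below MIN; return 1 if any, else 0.
check_min_version() {
    root="$1"; mod="$2"; min="$3"; rc=0
    for f in $(cd "$root" && find . -name go.mod -type f | sort); do
        v=$(required_version "$root/$f" "$mod")
        [ -n "$v" ] || continue          # this go.mod does not use the module
        if ! version_ge "$v" "$min"; then
            printf '%s %s\n' "${f#./}" "$v"
            rc=1
        fi
    done
    return $rc
}

# make_sample_repo: build a constructed two-module tree mirroring the
# situation in this PR (root go.mod bumped, nested e2e/go.mod left behind)
# and print its path. Module paths and versions are sample values.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/e2e"
    cat > "$d/go.mod" <<'EOF'
module example.invalid/oras

go 1.24.2

require (
    github.com/spf13/cast v1.7.1
    golang.org/x/crypto v0.36.0
)
EOF
    cat > "$d/e2e/go.mod" <<'EOF'
module example.invalid/oras/e2e

go 1.23

require golang.org/x/crypto v0.31.0 // indirect
EOF
    echo "$d"
}

# Demo: the assumed minimum v0.35.0 is a placeholder threshold, not a value
# from the page. Expected to list "e2e/go.mod v0.31.0" as the lagging module.
repo=$(make_sample_repo)
if check_min_version "$repo" golang.org/x/crypto v0.35.0; then
    echo "all go.mod files meet the minimum"
else
    echo "the go.mod files listed above still need updating"
fi
rm -rf "$repo"
```

In a real checkout, run `check_min_version . golang.org/x/crypto vX.Y.Z` from the repository root with the patched version from the advisory; a non-zero exit makes it usable as a CI gate, and the output names each nested module that the bump missed.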

@Wwwsylvia (Member) commented

@AliVerses Thanks for the PR! I had another PR #1703 that handled go version update but missed the indirect dependency updates. I just updated the PR to include the missing parts. We might go ahead to merge #1703 since it covers more.

@TerryHowe (Member) left a comment

Close as done maybe

Broken at least

@Wwwsylvia Wwwsylvia closed this Apr 25, 2025
Successfully merging this pull request may close these issues.

PR to fix Security issues