Commit e73f5cd

authored
chore: update vulnerable go dependencies (#938)
* upgrade * upgrade * revert gems * revert * upgrade to the latest vers * revert * revert * partial upgrade * revert partial upgrade * archiver (depr) -> archive/zip * ignore DS_Store * remove unused ref * revert unneeded upgrades * run go mod tidy * make code more robust * upgrade testify and sprig * more upgrades * more upgrades * more upgrades * upgrade pterm * revert * test upgrading certain modules only * expr upgrade * upgrade copy * upgrade godirwalk * downgrade godirwalk, upgrade others * change expr * revert yaml * fix pterm and godirwalk vers * downgrade godirwalk * upgrade back godirwalk * go mod tidy * remove godirwalk entirely and use filepath instead * minor upgrades * check os.MkdirAll * no redeclaring err * mkdirall -> mkdir * ran goimport * simplify syntax * redeclare error to satisfy linting req * fix err shadowing * path traversal * remove path traversal * try mholt archives * remove unused zip dep * remove linkErr shadowing * run goimport * rename unused context as _ * revert to archive again * file traversal error remove * limit decompression size * increase copy size * revert filepath join * change filepath, revert io copy * add limit reader * change to 10 GB size limit * change to CopyN * revert back to Copy * go mod tidy
1 parent c58806e commit e73f5cd

10 files changed

+193
-254
lines changed

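--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,8 @@ fixtures/formats/Sphinx/_build/
 
 .release-env
 
+.DS_Store
+
 # Files
 *.o
 *.a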

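--- a/cmd/vale/api.go
+++ b/cmd/vale/api.go
@@ -7,7 +7,6 @@ import (
 "os"
 "path/filepath"
 
-"github.com/mholt/archiver/v3"
 "github.com/spf13/pflag"
 
 "github.com/errata-ai/vale/v3/internal/core"
@@ -81,7 +80,7 @@ func fetch(src, dst string) error {
 }
 
 resp.Body.Close()
-return archiver.Unarchive(tmpfile.Name(), dst)
+return unarchive(tmpfile.Name(), dst)
 }
 
 func install(args []string, flags *core.CLIFlags) error {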
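Review bot: The new `return unarchive(tmpfile.Name(), dst)` narrows what fetch accepts: archiver.Unarchive picked the format from the file name (zip, tar.gz and others, as far as I recall), whereas unarchive opens the file with archive/zip only, so a non-zip download that used to extract now fails with a zip format error. If remote packages are always zips that is acceptable, but nothing on fetch says so; a doc comment such as `// fetch downloads src to a temporary file and extracts it into dst; only zip archives are supported.` would make the narrowing explicit. fetch's body starts outside the hunk. The same replacement in cmd/vale/sync.go is inside loadLocalZipPkg, which is zip-specific by name, so no note is needed there.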

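--- a/cmd/vale/sync.go
+++ b/cmd/vale/sync.go
@@ -6,7 +6,6 @@ import (
 "path/filepath"
 "strings"
 
-"github.com/mholt/archiver/v3"
 cp "github.com/otiai10/copy"
 
 "github.com/errata-ai/vale/v3/internal/core"
@@ -62,7 +61,7 @@ func loadLocalZipPkg(name, pkgPath, styles string, index int) error {
 return err
 }
 
-if err = archiver.Unarchive(pkgPath, dir); err != nil {
+if err = unarchive(pkgPath, dir); err != nil {
 return err
 }
 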
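--- a/cmd/vale/util.go
+++ b/cmd/vale/util.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+"archive/zip"
 "encoding/json"
 "fmt"
 "io"
@@ -93,3 +94,49 @@ func mkdir(dir string) error {
 func toCodeStyle(s string) string {
 return pterm.Fuzzy.Sprint(s)
 }
+
+func unarchive(src, dest string) error {
+r, err := zip.OpenReader(src)
+if err != nil {
+return err
+}
+defer r.Close()
+
+if err = mkdir(dest); err != nil {
+return err
+}
+
+for _, file := range r.File {
+destPath := filepath.Join(dest, filepath.Clean(file.Name))
+if !strings.HasPrefix(destPath, filepath.Clean(dest)+string(os.PathSeparator)) {
+return fmt.Errorf("invalid file path: %s", file.Name)
+}
+
+if file.FileInfo().IsDir() {
+if err = mkdir(destPath); err != nil {
+return err
+}
+continue
+}
+if err = mkdir(filepath.Dir(destPath)); err != nil {
+return err
+}
+
+dstFile, dstErr := os.OpenFile(destPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
+if dstErr != nil {
+return dstErr
+}
+defer dstFile.Close()
+
+srcFile, srcErr := file.Open()
+if srcErr != nil {
+return srcErr
+}
+defer srcFile.Close()
+
+if _, err = io.Copy(dstFile, io.LimitReader(srcFile, 1024*1024*1024*10)); err != nil {
+return err
+}
+}
+return nil
+}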
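Review bot: The two `defer` calls inside the `for _, file := range r.File` loop keep every extracted file and its zip reader open until unarchive returns, so an archive with many entries can exhaust file descriptors, and the error from `dstFile.Close()` — where some filesystems first report write failures — is dropped on the floor. The 10 GB `io.LimitReader` also truncates an oversized entry silently, because io.Copy returns a nil error when the limit is reached, and the cap is per entry rather than for the archive as a whole, so it only partly bounds the extracted size. Moving the per-entry copy into a helper closes both files on every iteration, returns the close error, and reads one byte past the cap to turn truncation into an explicit error; the helper and its constant are sketched below, with the path check and directory handling in the loop left exactly as they are. mkdir is defined outside this hunk.
```go
// maxEntrySize caps the bytes written for a single zip entry (10 GB).
const maxEntrySize int64 = 10 * 1024 * 1024 * 1024

// … unchanged: zip.OpenReader, mkdir(dest), destPath check, directory branch …
		if err = extractEntry(file, destPath); err != nil {
			return err
		}
	}
	return nil
}

// extractEntry writes one regular zip entry to destPath. Both files are
// closed before the caller moves to the next entry, and an entry larger
// than maxEntrySize is reported instead of being truncated.
func extractEntry(file *zip.File, destPath string) error {
	dstFile, err := os.OpenFile(destPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
	if err != nil {
		return err
	}
	defer dstFile.Close()

	srcFile, err := file.Open()
	if err != nil {
		return err
	}
	defer srcFile.Close()

	// Read one byte beyond the cap so an over-limit entry is detectable:
	// io.Copy alone returns nil when a LimitReader runs dry.
	n, err := io.Copy(dstFile, io.LimitReader(srcFile, maxEntrySize+1))
	if err != nil {
		return err
	}
	if n > maxEntrySize {
		return fmt.Errorf("entry %q exceeds %d bytes", file.Name, maxEntrySize)
	}
	// Explicit Close surfaces deferred write errors; the deferred Close above
	// then becomes a harmless no-op.
	return dstFile.Close()
}
```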

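--- a/go.mod
+++ b/go.mod
@@ -3,72 +3,58 @@ module github.com/errata-ai/vale/v3
 go 1.23.2
 
 require (
-github.com/Masterminds/sprig/v3 v3.2.3
-github.com/adrg/strutil v0.3.0
-github.com/adrg/xdg v0.4.0
-github.com/antonmedv/expr v1.12.0
-github.com/bmatcuk/doublestar/v4 v4.6.0
-github.com/d5/tengo/v2 v2.10.0
+github.com/Masterminds/sprig/v3 v3.3.0
+github.com/adrg/strutil v0.3.1
+github.com/adrg/xdg v0.5.3
+github.com/bmatcuk/doublestar/v4 v4.7.1
+github.com/d5/tengo/v2 v2.17.0
 github.com/errata-ai/ini v1.63.0
 github.com/errata-ai/regexp2 v1.7.0
+github.com/expr-lang/expr v1.16.9
 github.com/gobwas/glob v0.2.3
 github.com/jdkato/go-tree-sitter-julia v0.1.0
 github.com/jdkato/twine v0.10.1
-github.com/karrick/godirwalk v1.16.1
-github.com/mholt/archiver/v3 v3.5.1
-github.com/mitchellh/mapstructure v1.4.0
-github.com/niklasfasching/go-org v1.6.6
-github.com/olekukonko/tablewriter v0.0.4
-github.com/otiai10/copy v1.7.0
+github.com/mitchellh/mapstructure v1.5.0
+github.com/niklasfasching/go-org v1.7.0
+github.com/olekukonko/tablewriter v0.0.5
+github.com/otiai10/copy v1.14.0
 github.com/pelletier/go-toml/v2 v2.2.3
-github.com/pterm/pterm v0.12.76
+github.com/pterm/pterm v0.12.40
 github.com/remeh/sizedwaitgroup v1.0.0
-github.com/smacker/go-tree-sitter v0.0.0-20240514083259-c5d1f3f5f99e
+github.com/smacker/go-tree-sitter v0.0.0-20240827094217-dd81d9e9be82
 github.com/spf13/pflag v1.0.5
-github.com/stretchr/testify v1.9.0
+github.com/stretchr/testify v1.10.0
 github.com/tomwright/dasel/v2 v2.8.1
-github.com/yuin/goldmark v1.5.6
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+github.com/yuin/goldmark v1.7.8
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
 golang.org/x/net v0.34.0
 golang.org/x/sys v0.29.0
 gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-atomicgo.dev/cursor v0.2.0 // indirect
-atomicgo.dev/keyboard v0.2.9 // indirect
-atomicgo.dev/schedule v0.1.0 // indirect
+dario.cat/mergo v1.0.1 // indirect
+github.com/MarvinJWendt/testza v0.4.2 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
-github.com/Masterminds/semver/v3 v3.2.0 // indirect
-github.com/andybalholm/brotli v1.0.1 // indirect
-github.com/containerd/console v1.0.3 // indirect
+github.com/Masterminds/semver/v3 v3.3.1 // indirect
+github.com/atomicgo/cursor v0.0.1 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
-github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
-github.com/golang/snappy v0.0.4 // indirect
-github.com/google/uuid v1.1.1 // indirect
+github.com/google/uuid v1.6.0 // indirect
 github.com/gookit/color v1.5.4 // indirect
-github.com/huandu/xstrings v1.3.3 // indirect
-github.com/imdario/mergo v0.3.11 // indirect
-github.com/klauspost/compress v1.11.4 // indirect
-github.com/klauspost/pgzip v1.2.5 // indirect
-github.com/kr/pretty v0.3.0 // indirect
-github.com/lithammer/fuzzysearch v1.1.8 // indirect
-github.com/mattn/go-runewidth v0.0.15 // indirect
-github.com/mitchellh/copystructure v1.0.0 // indirect
-github.com/mitchellh/reflectwalk v1.0.0 // indirect
+github.com/huandu/xstrings v1.5.0 // indirect
+github.com/mattn/go-runewidth v0.0.16 // indirect
+github.com/mitchellh/copystructure v1.2.0 // indirect
+github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/montanaflynn/stats v0.7.1 // indirect
-github.com/nwaples/rardecode v1.1.0 // indirect
-github.com/pierrec/lz4/v4 v4.1.2 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
-github.com/rivo/uniseg v0.4.4 // indirect
-github.com/shopspring/decimal v1.2.0 // indirect
-github.com/spf13/cast v1.3.1 // indirect
-github.com/ulikunitz/xz v0.5.10 // indirect
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+github.com/rivo/uniseg v0.4.7 // indirect
+github.com/shopspring/decimal v1.4.0 // indirect
+github.com/spf13/cast v1.7.1 // indirect
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 golang.org/x/crypto v0.32.0 // indirect
+golang.org/x/sync v0.10.0 // indirect
 golang.org/x/term v0.28.0 // indirect
-golang.org/x/text v0.21.0 // indirect
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 gopkg.in/neurosnap/sentences.v1 v1.0.7 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )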
