chore: update vulnerable go dependencies #938

Merged
merged 61 commits into from
Jan 14, 2025
Merged

Conversation

cheungaryk
Contributor

@cheungaryk cheungaryk commented Dec 17, 2024

Hello, this is related to #936; Richard (that PR's submitter) and I work for the same organization.

We are trying to get vale approved for use in our organization. The security review found multiple vulnerabilities that need to be patched before it is approved. So I created this PR and also #937.

This PR patches the vulns related to Go. Most of them are pretty straightforward patch/minor upgrades; here are the more notable ones:

  • antonmedv/expr -> expr-lang/expr. The author renamed it; it's the same library.
  • mholt/archiver/v3 -> archive/zip (Go native). Per mholt, the author, archiver is deprecated and he has moved the work to a newer library named archives, but in this PR I am using archive/zip instead for simplicity (and also archives doesn't pass our security scan 😓). Comes with slight code refactoring. Note that in order to resolve the "decompression bomb" lint warning, I imposed a 10GB file size limit. Please let me know if the file size is too large (or too small).
  • pterm -> downgrade from 0.12.76 to 0.12.40. The dependencies are different in both versions, but our security scan rejects the indirects above 0.12.40.
  • godirwalk -> path/filepath (Go native). Only the latest version, 1.7.0, is accepted by our security scan, but 1.7.0 reportedly has a bug (walk EOF error on Windows, karrick/godirwalk#70) that is not being fixed or responded to. Also the author wrote this in the readme: "Depending on your specific circumstances, you might no longer need a library for file walking in Go.", linking to an article that seems to imply the Go native filepath is now faster than godirwalk.

All CI/CD test cases have passed, so hopefully this PR is acceptable.

Thank you!
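The 10GB cap mentioned above is the usual mitigation for a decompression bomb. As an added example (not code from this PR or from vale), this Go snippet shows the same idea with archive/zip: it counts bytes as they are actually inflated and stops once a caller-chosen budget is exceeded, rather than trusting the sizes in the entry headers. ExtractCapped, MakeZip and ErrTooLarge are names chosen for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io"
)
// ErrTooLarge: the bytes actually inflated would exceed the configured cap.
var ErrTooLarge = errors.New("archive exceeds uncompressed size limit")
// ExtractCapped returns the contents of every entry in the zip held in data,
// aborting once more than limit bytes have been decompressed in total. It counts
// bytes as read rather than trusting the attacker-controlled header sizes.
func ExtractCapped(data []byte, limit int64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	out, remaining := make(map[string][]byte), limit
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Read one byte past the budget: detects overflow without inflating it all.
		buf, err := io.ReadAll(io.LimitReader(rc, remaining+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if int64(len(buf)) > remaining {
			return nil, ErrTooLarge
		}
		remaining -= int64(len(buf))
		out[f.Name] = buf
	}
	return out, nil
}

// MakeZip builds an in-memory archive from name -> content (constructed input;
// a run of zeros deflates roughly 1000:1, which is how a bomb is built).
func MakeZip(files map[string][]byte) []byte {
	var b bytes.Buffer
	zw := zip.NewWriter(&b)
	for name, content := range files {
		w, _ := zw.Create(name)
		w.Write(content)
	}
	zw.Close()
	return b.Bytes()
}
```

With a budget of a few KiB, a 1 MiB entry of zeros (about 1 KiB compressed) is rejected after reading only budget+1 bytes.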

@cheungaryk cheungaryk marked this pull request as draft December 24, 2024 18:31
@cheungaryk cheungaryk marked this pull request as ready for review December 25, 2024 00:38
@cheungaryk cheungaryk changed the title fix: update vulnerable go dependencies chore: update vulnerable go dependencies Dec 26, 2024
@jdkato jdkato merged commit e73f5cd into errata-ai:v3 Jan 14, 2025
2 checks passed
@jdkato
Member

jdkato commented Jan 14, 2025

Thanks for your work here.

In the future, I'd ask you to make individual PRs for dependency changes/removals that require code changes so it's easier to review.

For example, the godirwalk removal is technically a breaking change since it doesn't handle symlinks the same way. However, I don't yet have tests that capture this, so I'll work on this before the next release.
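The symlink difference referred to above is that filepath.WalkDir never descends into a symlinked directory (it reports the link entry and moves on). As an added example that is not part of this PR or of vale, this Go helper makes that behaviour explicit and offers an opt-in mode that follows links while remembering resolved directories so a link back to an ancestor cannot recurse forever. ListFiles is a name chosen for this example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// ListFiles returns the regular files under root, relative to root and sorted.
// With followLinks=false it is plain filepath.WalkDir behaviour: a symlink to a
// directory is reported as a symlink entry and never descended. With
// followLinks=true linked directories are walked too; resolved directories are
// remembered so a link back to an ancestor cannot recurse forever.
func ListFiles(root string, followLinks bool) ([]string, error) {
	var files []string
	seen := map[string]bool{}
	var walk func(dir, prefix string) error
	walk = func(dir, prefix string) error {
		if seen[dir] {
			return nil
		}
		seen[dir] = true
		return filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
			if err != nil {
				return err
			}
			rel, _ := filepath.Rel(dir, p)
			rel = filepath.Join(prefix, rel)
			if followLinks && d.Type()&fs.ModeSymlink != 0 {
				target, err := filepath.EvalSymlinks(p)
				if err != nil {
					return err
				}
				if info, err := os.Stat(target); err == nil && info.IsDir() {
					return walk(target, rel) // descend into the linked directory
				}
			}
			if d.Type().IsRegular() {
				files = append(files, rel)
			}
			return nil
		})
	}
	if err := walk(root, ""); err != nil {
		return nil, err
	}
	sort.Strings(files)
	return files, nil
}
```

A test that captures the breaking change is a tree with a real directory and a symlink to it: the default mode lists files under the real directory only, the follow mode lists them under both names.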

@cheungaryk cheungaryk deleted the go-dep-fix branch January 14, 2025 14:29
@cheungaryk
Contributor Author

Many thanks @jdkato. If you have a moment, would you mind manually triggering a release? The CI/CD pipeline failed due to 502 error.

tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Jan 26, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [errata-ai/vale](https://github.com/errata-ai/vale) | patch | `v3.9.3` -> `v3.9.4` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>errata-ai/vale (errata-ai/vale)</summary>

### [`v3.9.4`](https://github.com/errata-ai/vale/releases/tag/v3.9.4)

[Compare Source](errata-ai/vale@v3.9.3...v3.9.4)

#### Changelog

-   [`0e23567`](errata-ai/vale@0e23567e) refactor: use default location when `dicpath` is not set
-   [`992fddb`](errata-ai/vale@992fddb4) refactor: restrict spell check to word bounded tokens
-   [`7edac53`](errata-ai/vale@7edac539) fix: only use on-disk file extension for config-matching
-   [`00b5b09`](errata-ai/vale@00b5b09a) fix: handle empty replacements ([#950](errata-ai/vale#950))
-   [`e73f5cd`](errata-ai/vale@e73f5cdc) chore: update go dependencies ([#938](errata-ai/vale#938))
-   [`75ff562`](errata-ai/vale@75ff5627) Introducing Vale Guru on Gurubase.io ([#924](errata-ai/vale#924))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).