bump deps: glog, grpc, x/oauth2 #1211
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ffromani The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
bump deps to proactive remove possible vulnerabilities. Note our production code is NOT AFFECTED by none of the listed vulnerabilities, because we do not use in production code. Some code (glog, grpc) is used by a tool we have to support testing - so not meant to be anywhere near production sites; the other dep is used as package, but we don't physically pull the affected file pertaining to a functionality we don't need. glog -> 1.2.4 related to: GO-2025-3372 oauth2 -> 0.26 related to: GO-2025-3488 gprc -> 1.56.3 related to: GO-2023-2153 Still, we bump the deps to the last version which is compatible with the golang version we use in this branch, to be proactive. Signed-off-by: Francesco Romani <[email protected]>
shajmakh
added a commit
to shajmakh/numaresources-operator
that referenced
this pull request
Jul 14, 2025
`go mod tidy` automatically updates the Go directives to point to the minimum golang version that is required by the dependencies. Ideally this should run on every update that involves `go.mod` updates. oauth2 v0.27.0 requires at least Go v1.23 hence runnig `go mod tidy` would automatically bump Go directive and toolchain to the minimum Go version needed, v1.23. This conflicts with openshift conventions of dependencies for related containers. The bump to v0.27 was originally done in openshift-kni#1211 but didn't have the bump of Go directive. Since we want to proceed with 1.22 for 4.18 we want to downgrade oauth2 version to v0.26 at most while preserving goal of openshift-kni@a553b30 as v0.26 needs at least Go 1.18 https://github.com/golang/oauth2/blob/v0.26.0/go.mod which in turn will preserve the current Go v1.22 for 4.18. Signed-off-by: Shereen Haj <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
bump deps to proactive remove possible vulnerabilities. Note our production code is NOT AFFECTED by none of the listed vulnerabilities, because we do not use in production code.
Some code (glog, grpc) is used by a tool we have to support testing - so not meant to be anywhere near production sites; the other dep is used as package, but we don't physically pull the affected file pertaining to a functionality we don't need.
glog -> 1.2.4 related to: GO-2025-3372
oauth2 -> 0.26 related to: GO-2025-3488
gprc -> 1.56.3 related to: GO-2023-2153
Still, we bump the deps to the last version which is compatible with the golang version we use in this branch, to be proactive.