-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix protobuf vulnerability #245
Conversation
9a153a2
to
4a2999e
Compare
Codecov Report
@@ Coverage Diff @@
## master #245 +/- ##
=======================================
Coverage 92.07% 92.07%
=======================================
Files 6 6
Lines 757 757
=======================================
Hits 697 697
Misses 39 39
Partials 21 21 Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
go.mod
Outdated
@@ -24,3 +24,5 @@ require ( | |||
k8s.io/client-go v0.17.17 | |||
sigs.k8s.io/controller-runtime v0.5.0 | |||
) | |||
|
|||
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's pull this in as an indirect dependency. Replaces can have issues when upgrading deps later on, so I'd prefer to avoid them.
Running this command pulled in the new version to go.mod
for me:
go get github.com/gogo/protobuf@latest
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JohnStarich , fixed per comment, Also, the softlayer-go package is updated along with the go mod tidy
cmd
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JohnStarich , can you review again?
0244c2a
to
b265b1c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the dependency scan is now failing. I think if you add back the indirect deps for etcd and web socket, that should fix it.
Signed-off-by: Liu Ying <[email protected]>
b265b1c
to
5b8282d
Compare
@JohnStarich thanks , updated :-) |
To fix the golang/protobuf vulnerability
Given it is not explicitly required, I tend to use replace to pin the correct version.