From 717fb50143e409df31cb4433594e588c343b89da Mon Sep 17 00:00:00 2001 From: LaunchDarklyReleaseBot <86431345+LaunchDarklyReleaseBot@users.noreply.github.com> Date: Thu, 19 Jan 2023 12:28:18 -0800 Subject: [PATCH] prepare 7.0.2 release (#216) * Migrate transitive dep (jwt-go) to use modern version without vulnerability. * Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * minimal changes for using prerelease Go SDK v6 (#306) * revise "summarizing" event proxy logic to use new event processor * comments * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * add support & tests for handling any kind of context in eval endpoints * move some constants and test code out of internal/core/internal/... * use a clearer import alias * refactoring * move packages from core/ and core/internal/ to internal/ * fix linting * update Alpine to 3.14.6 for CVE-2022-28391 * merge RelayCore logic into Relay and remove the core package (#315) * merge RelayCore logic into Relay and remove the core package * don't export these fields * fix tests * comment * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * use latest prerelease packages, update for misc SDK API changes (interfaces package) * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * add "context" URL paths for evaluations, update endpoint docs * fix tests * bump minimum Go to 1.18, build images in 1.19 * linter + misc fixes * "latest" Go image is no longer a thing * fix TLS test * fix command to run coverage enforcer * fix vulnerable dependencies * migrate to AWS Go SDK v2 for DynamoDB (#333) * remove obsolete "eval" endpoints superseded by "evalx" (#338) * remove obsolete "eval" endpoints superseded by "evalx" * fix tests & examples * fix more tests * update AWS SDK and related packages on u2c branch (#341) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * use latest Go SDK prerelease packages, update for API changes * lint * streamline test code using go-test-helpers v3 * remove some more unnecessary helpers * fix test app * use latest SDK packages * use Go SDK v6.0.0 and latest releases of database integrations * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 (even though the fix is also bundled in Go 1.19.4) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * prepare 6.7.15 release (#212) * don't return 503 if SDK initialization has timed out * add in-repo docs about error/503 behavior (#249) * [ch102255] BigSegments DynamoDB (#245) * add init timeout config option + better test coverage + misc refactoring (#250) * fix example build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. * Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good * Releasing version 6.7.15 * redo the security patch by updating go.mod for all builds; drop Go 1.16 * prepare 6.7.16 release (#214) * [ch102255] BigSegments DynamoDB (#245) * add init timeout config option + better test coverage + misc refactoring (#250) * fix example build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. * Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * redo the security patch by updating go.mod for all builds; drop Go 1.16 Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good * Releasing version 6.7.16 * update Redis/DDB integrations to remove misleading error logging * prepare 6.7.17 release (#215) * fix example build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. * Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * redo the security patch by updating go.mod for all builds; drop Go 1.16 * update Redis/DDB integrations to remove misleading error logging Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good * Releasing version 6.7.17 Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld --- CHANGELOG.md | 17 +++++++++++++++++ Makefile | 4 ++-- docs/windows.md | 2 ++ go.mod | 6 +++--- go.sum | 12 ++++++------ scripts/run-goreleaser.sh | 15 +++++++++++++++ 6 files changed, 45 insertions(+), 11 deletions(-) create mode 100755 scripts/run-goreleaser.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index a847c327..fb4b7a31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,20 @@ All notable changes to the LaunchDarkly Relay will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org). +## [6.7.17] - 2023-01-17 +### Fixed: +- Removed logging of "Big Segment store status query" error messages in a situation where the Relay Proxy has not been able to synchronize Big Segment data with LaunchDarkly. These messages were redundant since there is already a different and clearer error being logged for the synchronization failure. + +## [6.7.16] - 2023-01-06 +*The 6.7.15 release was incomplete and has been skipped.* + +### Changed: +- It is no longer possible to build the Relay Proxy from source code in Go 1.16, or to import it as a module in a Go 1.16 project. This is because the security patch described below is not possible for Go 1.16. Although LaunchDarkly tries to maintain compatibility with old platform versions within the same major version of a LaunchDarkly product, maintaining support for Relay Proxy 6.x requires that we patch security vulnerabilities for the most common use cases; building Relay from source code with an EOL Go version is an uncommon use case. +- Updated Alpine to 3.16.3 in the published Docker image. + +### Fixed: +- Updated Go networking code to address CVE-2022-41717. ([#210](https://github.com/launchdarkly/ld-relay/issues/210)) + ## [7.0.1] - 2022-12-29 ### Changed: - Updated Alpine to 3.16.3 in the published Docker image. @@ -9,6 +23,9 @@ All notable changes to the LaunchDarkly Relay will be documented in this file. T ### Fixed: - Updated Go to 1.19.4 in the published Docker image and executables, to address CVE-2022-41717. ([#210](https://github.com/launchdarkly/ld-relay/issues/210)) +### Fixed: +- Updated Go to 1.19.4 in the published Docker image and executables, to address CVE-2022-41717. ([#210](https://github.com/launchdarkly/ld-relay/issues/210)) + ## [7.0.0] - 2022-12-07 The latest version of the Relay Proxy supports LaunchDarkly's new custom contexts feature. Contexts are an evolution of a previously-existing concept, "users." Contexts let you create targeting rules for feature flags based on a variety of different information, including attributes pertaining to users, organizations, devices, and more. You can even combine contexts to create "multi-contexts." diff --git a/Makefile b/Makefile index 8ae34004..515d93a5 100644 --- a/Makefile +++ b/Makefile @@ -69,10 +69,10 @@ RELEASE_CMD=curl -sL https://git.io/goreleaser | GOPATH=$(mktemp -d) VERSION=$(G # because during a release, we may need to run this command under another account and we # don't want to mess up file permissions in the regular GOPATH. publish: - $(RELEASE_CMD) + GORELEASER_VERSION=$(GORELEASER_VERSION) ./scripts/run-goreleaser.sh products-for-release: - $(RELEASE_CMD) --skip-publish --skip-validate + GORELEASER_VERSION=$(GORELEASER_VERSION) ./scripts/run-goreleaser.sh --skip-publish --skip-validate DOCKER_COMPOSE_TEST=docker-compose -f docker-compose.test.yml diff --git a/docs/windows.md b/docs/windows.md index 218813b1..10c414e3 100644 --- a/docs/windows.md +++ b/docs/windows.md @@ -10,6 +10,8 @@ go build This creates the executable `ld-relay.exe`. +The Go version must be at least 1.17. + Then, to register it as a service, use: ```shell diff --git a/go.mod b/go.mod index 06a48988..2b6fcb5f 100644 --- a/go.mod +++ b/go.mod @@ -35,10 +35,10 @@ require ( github.com/launchdarkly/go-sdk-common/v3 v3.0.0 github.com/launchdarkly/go-sdk-events/v2 v2.0.0 github.com/launchdarkly/go-server-sdk-consul/v2 v2.0.2 - github.com/launchdarkly/go-server-sdk-dynamodb/v3 v3.0.1 + github.com/launchdarkly/go-server-sdk-dynamodb/v3 v3.0.2 github.com/launchdarkly/go-server-sdk-evaluation/v2 v2.0.1 - github.com/launchdarkly/go-server-sdk-redis-redigo/v2 v2.0.0 - github.com/launchdarkly/go-server-sdk/v6 v6.0.0 + github.com/launchdarkly/go-server-sdk-redis-redigo/v2 v2.0.1 + github.com/launchdarkly/go-server-sdk/v6 v6.0.1 github.com/launchdarkly/go-test-helpers/v3 v3.0.2 github.com/launchdarkly/opencensus-go-exporter-stackdriver v0.14.2 github.com/pborman/uuid v1.2.0 diff --git a/go.sum b/go.sum index ef5353c2..e4d9bab7 100644 --- a/go.sum +++ b/go.sum @@ -337,14 +337,14 @@ github.com/launchdarkly/go-semver v1.0.2 h1:sYVRnuKyvxlmQCnCUyDkAhtmzSFRoX6rG2Xa github.com/launchdarkly/go-semver v1.0.2/go.mod h1:xFmMwXba5Mb+3h72Z+VeSs9ahCvKo2QFUTHRNHVqR28= github.com/launchdarkly/go-server-sdk-consul/v2 v2.0.2 h1:VRw5d/ZfsE5SXBZEkL6HAB0kAZ+Pjx65VgTjEY3NLfg= github.com/launchdarkly/go-server-sdk-consul/v2 v2.0.2/go.mod h1:2OaLMRPYkbRMOoCuvC9mYe7WTX6L3r1UB5JLfzCEcQI= -github.com/launchdarkly/go-server-sdk-dynamodb/v3 v3.0.1 h1:vPWx/+NoaKf1bKjSBoAIIgwHJmcQ8WR/CzxlvxfPhBo= -github.com/launchdarkly/go-server-sdk-dynamodb/v3 v3.0.1/go.mod h1:71DgT+jRxako7BdxK3jbkmY7uzKNaZUcQmTcbGer6LA= +github.com/launchdarkly/go-server-sdk-dynamodb/v3 v3.0.2 h1:KDQF54wCxv7QrJd4wtX0b/5jv8VuPx3csA74CKKf9IQ= +github.com/launchdarkly/go-server-sdk-dynamodb/v3 v3.0.2/go.mod h1:Z3ra3UxVhtzDqhD933cyYSQBYKh58+39ctEvDy+UKws= github.com/launchdarkly/go-server-sdk-evaluation/v2 v2.0.1 h1:5SQ8zVA7x2fRJALxOPcWe3pEi8Kk8VzD1U3ePBzpHyE= github.com/launchdarkly/go-server-sdk-evaluation/v2 v2.0.1/go.mod h1:sIHB2aMLbOQ5nqKgxplOv4ubG0N1DHONEe520tWjV9Y= -github.com/launchdarkly/go-server-sdk-redis-redigo/v2 v2.0.0 h1:0hUYHS9H9lTMASq3cmKyTaJQI7u7cRFDpmOAf54OEuU= -github.com/launchdarkly/go-server-sdk-redis-redigo/v2 v2.0.0/go.mod h1:OI9gJjhTfiqkFGnYrMcrQ603Ya9piZe3s+5ikRB7WEY= -github.com/launchdarkly/go-server-sdk/v6 v6.0.0 h1:HxGYvpjNGVnEf0xxdMp4bHVi/AccEgny9V1ksWvT/BI= -github.com/launchdarkly/go-server-sdk/v6 v6.0.0/go.mod h1:qNU5R3S0VYLbKwTYnLk69Wq51ogFFPmA83S00E++CVg= +github.com/launchdarkly/go-server-sdk-redis-redigo/v2 v2.0.1 h1:MI/H+gSFm8bWkJBj5z3VIAyp0ZVpi4DTROPoctO1iZI= +github.com/launchdarkly/go-server-sdk-redis-redigo/v2 v2.0.1/go.mod h1:yoS5CRHNw8qvIrZ1koumAQ95cntJtAYByPtlTd5G77E= +github.com/launchdarkly/go-server-sdk/v6 v6.0.1 h1:rMkZJFfImRuB5iyqkan6CAO2HTeVP1eV28K1N+GRXes= +github.com/launchdarkly/go-server-sdk/v6 v6.0.1/go.mod h1:qNU5R3S0VYLbKwTYnLk69Wq51ogFFPmA83S00E++CVg= github.com/launchdarkly/go-test-helpers/v2 v2.2.0/go.mod h1:L7+th5govYp5oKU9iN7To5PgznBuIjBPn+ejqKR0avw= github.com/launchdarkly/go-test-helpers/v2 v2.3.2 h1:WX6qSzt7v8xz6d94nVcoil9ljuLTC/6OzQt0MhWYxsQ= github.com/launchdarkly/go-test-helpers/v3 v3.0.2 h1:rh0085g1rVJM5qIukdaQ8z1XTWZztbJ49vRZuveqiuU= diff --git a/scripts/run-goreleaser.sh b/scripts/run-goreleaser.sh new file mode 100755 index 00000000..230f5d64 --- /dev/null +++ b/scripts/run-goreleaser.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +# run-goreleaser.sh ... +# +# Builds the Docker image and all other executables that we intend to publish. +# This also pushes the image to DockerHub unless we have specifically told it not to with +# the --skip-publish option. + +GORELEASER_VERSION=${GORELEASER_VERSION:-v0.141.0} + +# Get the lines added to the most recent changelog update (minus the first 2 lines) +RELEASE_NOTES=`(GIT_EXTERNAL_DIFF='bash -c "diff --unchanged-line-format=\"\" $2 $5" || true' git log --ext-diff -1 --pretty= -p CHANGELOG.md)` + +curl -sL https://git.io/goreleaser | GOPATH=`mktemp -d` VERSION=${GORELEASER_VERSION} bash -s -- \ + --rm-dist --release-notes <(echo "${RELEASE_NOTES}") $@