Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vendor: golang.org/x/[email protected] #4280

Merged
merged 1 commit into from
May 16, 2024
Merged

vendor: golang.org/x/[email protected] #4280

merged 1 commit into from
May 16, 2024

Conversation

austinvazquez
Copy link
Contributor

@austinvazquez austinvazquez commented May 14, 2024
edited
Loading

Issue

Follow-up to #4244 which silenced warnings in release/1.1.

Description

This change vendors golang.org/x/[email protected] to silence security warnings for https://pkg.go.dev/vuln/GO-2024-2687.

runc takes a dependency on net/bpf only and would not be impacted by the HTTP2 vulnerability reported.

Minimum version required to silence warnings is golang.org/x/[email protected]; however, upgrading to v0.24.0 to align main with release branch.

@austinvazquez
vendor: golang.org/x/[email protected]
6ab3d8a 
This change vendors golang.org/x/[email protected] to silence security
warnings for https://pkg.go.dev/vuln/GO-2024-2687.

runc takes a dependency on net/bpf only and would not be impacted by the
HTTP2 vulnerability reported.

Signed-off-by: Austin Vazquez <[email protected]>
thaJeztah
thaJeztah approved these changes May 16, 2024
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit 4e8cf27 into opencontainers:main May 16, 2024
40 checks passed
@austinvazquez austinvazquez deleted the vendor-x-net-0.24.0 branch May 16, 2024 10:27
@lifubang
Copy link
Member

Just curious that why github dependency bot did not open a PR when there was a new release of these packages?

@thaJeztah
Copy link
Member

Good question; was wondering that as well (I initially thought it may not be checking every day, but it looks to be configured daily for the main branch? 🤔

@lifubang lifubang mentioned this pull request Jun 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@austinvazquez @lifubang @thaJeztah @AkihiroSuda