[release/1.7]: api: update github.com/containerd/ttrpc v1.2.5 to align with containerd 1.7 module #10364
This bumps them ahead of what is in main, I'm fine taking these updates though.
Oh! In the API module in main you mean? That's a good point, I didn't check that one; I checked against the containerd "main" module in the 1.7 branch. We should probably do the same in API 1.8.x. That one could keep a minimum version similar to the 1.7 branch (to prevent a user of 1.7 containerd with API 1.8 from being forced to update everything).
Looks like CI is happy 🥳
@dmcgowan ptal; 🤗
I'm -1 for bumping indirect packages through the api module. The binary packages should be responsible for that. We should get the ttrpc bump in though since that is direct and relevant.
The point is that we won't be able to get rid of the vulnerable
If it is important to update, then we should update and tag through ttrpc since that is the direct dependency, not through the API module. I don't think that is a good reason to update indirects in a library package, the importing packages will still be able to choose their versions.
059243e to 5aaf1c1 (Compare)
I stacked this on top of #10373, so will temporarily move back to draft. The good news; go modules was dreaming up the dependency; cleaning up the go.mod after updating made it disappear.
[release/1.7] api: update github.com/containerd/ttrpc v1.2.5

Update the dependency and the indirect golang.org/x/net version to align with containerd 1.7 itself, and to prevent a vulnerability being detected. This should not generally be an issue, as the API module is used by containerd 1.7 and up, which already depend on a more current version of these dependencies.

full diff: containerd/ttrpc@v1.2.3...v1.2.5

Before this:

```
govulncheck ./...
Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error
      #2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String
      #5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String
      #6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String
      #7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error
      #8: services/version/v1/version_grpc.pb.go:13:2: version.init calls status.init, which eventually calls http2.chunkWriter.Write
      #9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error
      #10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
      #11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
      #12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
      #13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
      #14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

After this:

```
govulncheck ./...
Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

Signed-off-by: Sebastiaan van Stijn <[email protected]>
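An added example (not code from this PR or from containerd): a POSIX shell check that a module's go.mod requires github.com/containerd/ttrpc at or above v1.2.5, the version this PR bumps to, which is the kind of floor a consumer of the API module can verify before relying on the fix. The go.mod embedded below is constructed, and the version comparison handles the pre-release and missing-requirement cases.

```shell
#!/bin/sh
# Added example, not the containerd project's code. Verifies that a go.mod
# read from stdin pins MODULE at or above MINVER (the ttrpc v1.2.5 floor above).
# Usage: require_at_least MODULE MINVER < go.mod   (exit 0 ok, 1 too old/missing)

# Print the version go.mod requires for MODULE, from either the single-line
# "require mod vX.Y.Z" form or a "require ( ... )" block, ignoring "// indirect".
required_version() {
  awk -v mod="$1" '
    $1 == "require" && $2 == mod { print $3; exit }   # single-line require
    $1 == mod && $2 ~ /^v/       { print $2; exit }   # line inside a require block
  '
}

# Compare two vMAJOR.MINOR.PATCH[-pre] versions; prints -1, 0 or 1.
# A pre-release suffix sorts below the bare release, as Go's ordering does.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    na = split(a, pa, /[.-]/); nb = split(b, pb, /[.-]/)
    for (i = 1; i <= 3; i++) {
      if (pa[i]+0 < pb[i]+0) { print -1; exit }
      if (pa[i]+0 > pb[i]+0) { print 1; exit }
    }
    if (na > 3 && nb <= 3) { print -1; exit }
    if (na <= 3 && nb > 3) { print 1; exit }
    print 0
  }'
}

require_at_least() {
  mod="$1"; min="$2"
  have=$(required_version "$mod")
  if [ -z "$have" ]; then
    echo "$mod: not required in go.mod" >&2; return 1
  fi
  if [ "$(vercmp "$have" "$min")" -lt 0 ]; then
    echo "$mod: requires $have, need at least $min" >&2; return 1
  fi
  echo "$mod: $have >= $min ok"
}

# Constructed sample go.mod (not the real api/go.mod): still on the old ttrpc pin.
SAMPLE_GOMOD='module github.com/containerd/containerd/api

go 1.19

require (
	github.com/containerd/ttrpc v1.2.3
	golang.org/x/net v0.10.0 // indirect
)
'
```

Run it against a real module with `require_at_least github.com/containerd/ttrpc v1.2.5 < go.mod`; a non-zero exit means the floor is not met.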
5aaf1c1 to 2a6aa6d (Compare)
Rebased after #10373 was merged; this should be ready for review 👍