-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
api: update github.com/containerd/ttrpc v1.2.5 to be aligned with containerd #10366
Conversation
@@ -3,7 +3,7 @@ module github.com/containerd/containerd/api | |||
go 1.21 | |||
|
|||
require ( | |||
github.com/containerd/ttrpc v1.2.3 | |||
github.com/containerd/ttrpc v1.2.4 | |||
github.com/containerd/typeurl/v2 v2.1.1 | |||
github.com/opencontainers/image-spec v1.1.0 | |||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW; this one is ahead of the 1.7 api module. Not sure if problematic for 1.7 consumers, but we could (if it is) downgrade this to a lower "minimum required" version; googleapis/go-genproto@b8732ec...c3f9821
Why is an indirect dependency bumped in a separate commit? Is that version updated manually? |
Yes, the automatic minimum version is determined through the minimum required version in the dependency graph; currently that's through go mod graph | grep ' github.com/sirupsen/logrus'
github.com/containerd/containerd/api github.com/sirupsen/[email protected]
github.com/containerd/[email protected] github.com/sirupsen/[email protected] That's the minimum required version, so it's allowed to pick any compatible version above; in this case, we know we will be using 1.9.3, because that's what any version of containerd that will use the API module already uses, but older versions of logrus had some race conditions, and versions before 1.8.3 had a potential DOS when writing large messages, so we should try to get older version out of the list. FWIW; once / if we update ttrpc to v1.2.5 with containerd/ttrpc#169, the version will be automatically raised as |
@thaJeztah That commit should be dropped then, the api package should stay at minimums and let the binary packages be responsible for bumping versions. |
Update the dependency and the indirect golang.org/x/net version to align with containerd itself, and to prevent a vulnerability being detected. We should keep the versions <= versions used by containerd 1.7 to prevent forcing users of containerd 1.7 in combination with the latest version of the API module from having to update all their dependencies, but this update should likely be fine (and aligns with 1.7). Before this: Scanning your code and 254 packages across 15 dependent modules for known vulnerabilities... === Symbol Results === Vulnerability containerd#1: GO-2024-2687 HTTP/2 CONTINUATION flood in net/http More info: https://pkg.go.dev/vuln/GO-2024-2687 Module: golang.org/x/net Found in: golang.org/x/[email protected] Fixed in: golang.org/x/[email protected] Example traces found: containerd#1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error containerd#2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String containerd#3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String containerd#4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String containerd#5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String containerd#6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String containerd#7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error containerd#8: services/content/v1/content_ttrpc.pb.go:272:35: content.ttrpccontentClient.Write calls ttrpc.Client.NewStream, which eventually calls http2.chunkWriter.Write containerd#9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error containerd#10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error containerd#11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error containerd#12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error containerd#13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error containerd#14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. After this: govulncheck ./... Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities... === Symbol Results === No vulnerabilities found. Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. Signed-off-by: Sebastiaan van Stijn <[email protected]>
ef11787
to
cb38b1e
Compare
updated to ttrpc v1.2.5, and opened #10372 for containerd itself |
👍 looks like CRIU packages are working again; all green now PTAL |
api: update github.com/containerd/ttrpc v1.2.5
Update the dependency and the indirect golang.org/x/net version to align
with containerd itself, and to prevent a vulnerability being detected.
We should keep the versions <= versions used by containerd 1.7 to prevent
forcing users of containerd 1.7 in combination with the latest version
of the API module from having to update all their dependencies, but
this update should likely be fine (and aligns with 1.7).
Before this:
After this:
api: update github.com/sirupsen/logrus v1.9.3
Align with the version used by containerd itself.
We should keep the versions <= versions used by containerd 1.7 to prevent
forcing users of containerd 1.7 in combination with the latest version
of the API module from having to update all their dependencies, but
this update should likely be fine (and aligns with 1.7).