Fix go-git and Google API dependency vulnerabilities #684
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hey @mickael-kerjean , I just wanted to call attention to this. I rely on this application (thank you btw!), but AWS is reporting these CVEs on the container scans. The dependency updates appear to be fully backwards-compatible, but I'm not able to verify 100%. |
|
It will take a bit of time to review as I don't want to introduce some weird issue by upgrading some deps |
|
Totally reasonable. I reviewed the two dependencies' changelogs and didn't see any breaking changes outside of go-git's renamed package, but there is a fair bit of indirect dependency updates too. Let me know if I can help in any way. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes several CVEs that have been reported, but primarily targets these two:
Steps taken
go.modandgo.sumchanges were auto-generated by running:go get github.com/go-git/go-git/v5go get google.golang.org/apigo mod tidy