chore(deps): update go to 1.24.0 #168

Open

@daniel-palmer-gu daniel-palmer-gu commented Feb 13, 2025

Updates go to 1.24.0 to address the vulnerabilities tied to 1.23.3

Context:

They are all found within /function when scanning the container

| id | source | severity | package |
| --- | --- | --- | --- |
| CVE-2025-22866 | Anchore CVE | Medium | stdlib-go1.23.4 |
| CVE-2025-22866 | Twistlock CVE | Low | crypto/internal/nistec-1.23.4 |

Affected version: v0.8.1

Closes #161

Signed-off-by: Daniel Palmer <daniel.palmer@structsure.co>

@jbw976 jbw976 left a comment


Thanks for taking the initiative @daniel-palmer-gu to find all the go version locations and get them all updated, something that #161 could not do, as you called out in #169. That's very helpful! From a quick search, these look like all the places we specify the go version to me too.

I approved the CI run and it looks like lint is failing with a version incompatibility:
https://github.com/crossplane-contrib/function-patch-and-transform/actions/runs/13315888635/job/37350843155?pr=168

```
run golangci-lint
  Running [/home/runner/golangci-lint-1.62.2-linux-amd64/golangci-lint config path] in [/home/runner/work/function-patch-and-transform/function-patch-and-transform] ...
  Running [/home/runner/golangci-lint-1.62.2-linux-amd64/golangci-lint run] in [/home/runner/work/function-patch-and-transform/function-patch-and-transform] ...
  level=warning msg="[config_reader] The configuration option `run.skip-files` is deprecated, please use `issues.exclude-files`."
  level=warning msg="[config_reader] The configuration option `output.format` is deprecated, please use `output.formats`"
  level=warning msg="[config_reader] The configuration option `linters.errcheck.ignore` is deprecated, please use `linters.errcheck.exclude-functions`."
  Error: can't load config: the Go language version (go1.23) used to build golangci-lint is lower than the targeted Go version (1.24.0)
  Failed executing command with error: can't load config: the Go language version (go1.23) used to build golangci-lint is lower than the targeted Go version (1.24.0)
```

Maybe we need to bump GOLANGCI_VERSION also? But just skimming around their repo, it's not clear if golang 1.24 is supported yet. golangci/golangci-lint#5225 looks relevant 🤔

@daniel-palmer-gu

Hmmm. If we think 1.24 isn't supported yet, I bet we can bump patch versions from 1.23.4 -> 1.23.6. Possible that could be all that is needed to address the findings. I'll update my PR when I get a moment
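
The lint failure quoted in this thread is a version comparison between the linter's build toolchain and the `go` directive in go.mod. As an added example (not code from this PR or from golangci-lint), the Go program below models that comparison as a CI pre-flight check for a dependency bump made to clear a scanner finding. The function names, the major.minor comparison rule inferred from the log message, and the go.mod contents are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// goDirective returns the version on the `go` line of a go.mod file, or "".
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// langVersion reduces "go1.23", "1.24.0" or "1.24rc3" to major*1000+minor.
func langVersion(v string) (int, error) {
	var maj, mn int
	if _, err := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d", &maj, &mn); err != nil {
		return 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	return maj*1000 + mn, nil
}

// lintPreflight fails when the linter's build toolchain is older than the go.mod target.
func lintPreflight(linterBuiltWith, gomod string) error {
	built, err := langVersion(linterBuiltWith)
	if err != nil {
		return err
	}
	want, err := langVersion(goDirective(gomod))
	if err != nil {
		return fmt.Errorf("go.mod: %w", err)
	}
	if built < want {
		return fmt.Errorf("linter built with %s cannot lint a module targeting Go %s", linterBuiltWith, goDirective(gomod))
	}
	return nil
}

func main() {
	// Constructed go.mod contents; the module path is a placeholder.
	for _, v := range []string{"1.24.0", "1.23.6"} {
		err := lintPreflight("go1.23", "module example.com/fn\n\ngo "+v+"\n")
		fmt.Printf("go %s -> %v\n", v, err)
	}
}
```

Under this model a patch-level bump within 1.23 keeps the same language version as the linter build, while a move to 1.24.0 needs a linter built with Go 1.24 first.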
