ARROW-16759: [Go] update testify to get security patch for gopkg.in/yaml.v3 (v7) #13322
Conversation
Thanks for opening a pull request! If this is not a minor PR, could you open an issue for this pull request on JIRA? https://issues.apache.org/jira/browse/ARROW Opening JIRAs ahead of time contributes to the Openness of the Apache Arrow project. Then could you also rename the pull request title in the following format?
@dominicbarnes Please run As for backporting the change to the previous versions, can you send an email to the arrow dev mailing list to propose patch releases of v6.0.2, v7.0.1, and v8.0.1? Link this PR in the email please. Unfortunately the release process, even for patch releases like this, is still a manual process that needs to get approved by the PMC, so the best route here would be to bring the discussion up there and then we can move forward. Thanks!
f8482aa to 89a0b8f
@zeroshade I've rebased the PR, which seems to have included some JS changes during the process, though once I've completed there are no longer changes to JS. Once merged, I'll send that email and start the process of getting this patch backported.
@dominicbarnes Perfect, I'll merge this and reply to the email to help start the process of backporting the patch. Thanks!
Benchmark runs are scheduled for baseline = 1de30af and contender = 6af8b47. 6af8b47 is a master commit associated with this PR. Results will be available as each benchmark for each run completes.
['Python', 'R'] benchmarks have high level of regressions.
@zeroshade thanks for getting this merged! How can I help getting the fix backported?
@dominicbarnes @zeroshade Could you create pull requests against We can reuse ARROW-16759 for them. We will add
…aml.v3 (v7) This PR updates the github.com/stretchr/testify dependency to get a security patch for gopkg.in/yaml.v3 which has a DoS exploit. See stretchr/testify#1192 for more details. I'm unsure how this project handles security patches for what appear to be older versions. I'm here because I have dependencies that rely on v7, so that's what is bringing me here to make this very particular change. It looks like v6.0.0 and v6.0.1 tags exist, so I expect merging this here and tagging v7.0.1 would be the path forward. If not, let me know what would be preferred. The linked Jira issue also calls out v8.0.0 as having the same vulnerability, but that would need to be addressed in its own PR. Closes apache#13322 from dominicbarnes/go-security-patch-testify Authored-by: Dominic Barnes <dominic@dbarnes.info> Signed-off-by: Matthew Topol <mtopol@factset.com>
@kou see the linked PRs above, let me know if this is what you were expecting.
This PR is a backport of #13322 for v6. The cherry-pick did create some merge conflicts that needed to be resolved. Authored-by: Dominic Barnes <dominic@dbarnes.info> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
This PR is a backport of #13322 for v7. Authored-by: Dominic Barnes <dominic@dbarnes.info> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
This PR is a backport of #13322 for v8. Authored-by: Dominic Barnes <dominic@dbarnes.info> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
This PR updates the github.com/stretchr/testify dependency to get a security patch for gopkg.in/yaml.v3 which has a DoS exploit. See stretchr/testify#1192 for more details.
I'm unsure how this project handles security patches for what appear to be older versions. I'm here because I have dependencies that rely on v7, so that's what is bringing me here to make this very particular change. It looks like v6.0.0 and v6.0.1 tags exist, so I expect merging this here and tagging v7.0.1 would be the path forward. If not, let me know what would be preferred.
The linked Jira issue also calls out v8.0.0 as having the same vulnerability, but that would need to be addressed in its own PR.
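The fix described above lands in the Go module as a bumped `require` line, and the vulnerable yaml.v3 is only reachable as an indirect dependency of testify. The following Go snippet is an added example, not code from this PR or from Apache Arrow: it reads a require block out of a go.mod and compares a pinned version (including Go pseudo-versions) against a minimum patched release so a maintainer can check every release branch the same way. The go.mod excerpt, module path and versions in it are constructed, and the threshold version a caller passes is an assumption to be taken from the advisory referenced in stretchr/testify#1192.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not Arrow's real file): an older testify pins
// gopkg.in/yaml.v3 as an indirect dependency at a pre-fix pseudo-version.
const sampleGoMod = `require (
	github.com/stretchr/testify v1.7.0
	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
)`

// requiredVersion returns the version the require block pins for modPath
// (direct or "// indirect"), or "" if the module is not listed.
func requiredVersion(goMod, modPath string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-suffix]" into its numeric triple
// and whether a pre-release or pseudo-version suffix is present.
func parseSemver(v string) ([3]int, bool) {
	var n [3]int
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// olderThan reports whether a precedes b; a pseudo-version on the same
// numeric triple ranks below the tagged release, as Go's semver does.
func olderThan(a, b string) bool {
	na, preA := parseSemver(a)
	nb, preB := parseSemver(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return preA && !preB
}
```

A branch is still exposed when `olderThan(requiredVersion(goMod, "gopkg.in/yaml.v3"), minFixed)` is true for the minimum patched release named in the advisory; `go list -m all` gives the same resolved versions for a checked-out branch.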