clean up imports #4
Comments
Actually, the replace directive should make this unnecessary. But we should make sure that this actually worked. One thing I've noticed in this regard is that the versions of the dependency and the replace version diverge (0.34.0 vs 0.34.1):
I think that minor version glitch leads to not having the desired effect and the module used is still tendermint/tendermint instead of lazyledger/lazyledger-core. Changing the replace to:
I'm not sure we can use the replace directive like this.
If a version or commit hash is added to the end of the lazyledger-core replace directive, it does replace, but it causes more errors (which could mean it's working!). I could swear I've used the replace directive before exactly like this, but if I can't get it to work, I'll replace directly as mentioned in #2. That's more explicit too.
Yeah, that definitely works and I don't see any reason why not to use the "correct" imports in new code (unless we want to generate the boilerplate again; then we'd need to repeat the search & replace procedure, but that should be simple enough).
This might mean that you have to replace the imports in the SDK fork first (#2) and update the dependency to the fork in here. Otherwise, not sure if Go will be happy with two "different" types (as per the different import paths); probably not.
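The two go.mod rules the comments above run into, as an added example that is not code from this repository: a `replace` with a version on its left side applies only to that exact version, and a replacement that is a module path rather than a local directory must carry a version. The go.mod text is constructed (versions are sample values), and the checker is a simplified line parser that compares against the `require` line, not the version the build finally selects.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod fragment for illustration; versions are sample values.
const brokenGoMod = `require github.com/tendermint/tendermint v0.34.1
replace github.com/tendermint/tendermint v0.34.0 => github.com/lazyledger/lazyledger-core`

// checkReplaces flags (1) a replace pinned to a version other than the one
// required and (2) a module-path replacement that has no version.
func checkReplaces(gomod string) (problems []string) {
	required, block := map[string]string{}, ""
	var replaces []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		if len(f) > 0 && block != "" && f[0] != ")" {
			f = append([]string{block}, f...) // line inside "require (" or "replace ("
		}
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case f[0] == "require" && len(f) >= 3:
			required[f[1]] = f[2]
		case f[0] == "replace":
			replaces = append(replaces, strings.Join(f[1:], " "))
		}
	}
	for _, r := range replaces { // checked last: require may follow replace
		old, target, ok := strings.Cut(r, " => ")
		o, t := strings.Fields(old), strings.Fields(target)
		if ok && len(o) == 2 && required[o[0]] != "" && required[o[0]] != o[1] {
			problems = append(problems, fmt.Sprintf("%s: replace pins %s but go.mod requires %s; directive does not apply", o[0], o[1], required[o[0]]))
		}
		if ok && len(t) == 1 && !strings.ContainsAny(t[0][:1], "./") {
			problems = append(problems, fmt.Sprintf("%s: replacement module path needs a version", t[0]))
		}
	}
	return problems
}

func main() {
	fmt.Println(strings.Join(checkReplaces(brokenGoMod), "\n"))
}
```

Running `go list -m all` in the module shows which path and version the build actually resolves after `replace` is applied.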
To resolve govulncheck issues like:

```
Vulnerability #2: GO-2024-2610
    Errors returned from JSON marshaling may break template escaping in html/template
  More info: https://pkg.go.dev/vuln/GO-2024-2610
  Standard library
    Found in: html/template@go1.22
    Fixed in: html/template@go1.22.1
    Example traces found:
Error: #1: test/util/testnode/rpc_client.go:126:25: testnode.StartAPIServer calls api.Server.Start, which eventually calls template.Template.Execute
Error: #2: test/util/testnode/rpc_client.go:126:25: testnode.StartAPIServer calls api.Server.Start, which eventually calls template.Template.ExecuteTemplate

Vulnerability #3: GO-2024-2600
    Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2600
  Standard library
    Found in: net/http@go1.22
    Fixed in: net/http@go1.22.1
    Example traces found:
Error: #1: x/blobstream/client/verify.go:224:39: client.VerifyShares calls http.baseRPCClient.ProveShares, which eventually calls http.Client.Do
Error: #2: cmd/celestia-appd/cmd/download_genesis.go:103:23: cmd.downloadFile calls http.Get

Vulnerability #4: GO-2024-2599
    Memory exhaustion in multipart form parsing in net/textproto and net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2599
  Standard library
    Found in: net/textproto@go1.22
    Fixed in: net/textproto@go1.22.1
    Example traces found:
Error: #1: x/blobstream/client/verify.go:202:18: client.VerifyShares calls service.BaseService.Start, which eventually calls textproto.Reader.ReadLine
Error: #2: test/e2e/util.go:25:23: e2e.keyGenerator.Generate calls io.ReadFull, which eventually calls textproto.Reader.ReadMIMEHeader

Vulnerability #5: GO-2024-2598
    Verify panics on certificates with an unknown public key algorithm in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2024-2598
  Standard library
    Found in: crypto/x509@go1.22
    Fixed in: crypto/x509@go1.22.1
    Example traces found:
Error: #1: test/e2e/util.go:25:23: e2e.keyGenerator.Generate calls io.ReadFull, which eventually calls x509.Certificate.Verify
```
I quickly skimmed through the imports and it seems that the app imports a mixture of lazyledger-core and github.com/tendermint/tendermint.