Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update go mod deps, regenerate /vendor #1139

Merged
merged 1 commit into from
Oct 6, 2021
Merged

Update go mod deps, regenerate /vendor #1139

merged 1 commit into from
Oct 6, 2021

Conversation

dekkagaijin
Copy link
Contributor

@dekkagaijin dekkagaijin commented Oct 5, 2021
edited

Make dependabot & consumers happy. This silences a dependabot vuln alert for containerd which does not affect go-containerregistry but does show up on a scan of our dependency graph.

Generated by:

$ go get -u ./...
$ go mod tidy
$ go mod vendor

@codecov-commenter
Copy link

codecov-commenter commented Oct 5, 2021
edited

Codecov Report

Merging #1139 (638022a) into main (230ff8e) will not change coverage.
The diff coverage is n/a.

❗ Current head 638022a differs from pull request most recent head ec77da7. Consider uploading reports for the commit ec77da7 to get more accurate results
Impacted file tree graph

@@     Coverage Diff      @@
##   main   #1139   +/-   ##
============================
============================

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 230ff8e...ec77da7. Read the comment docs.

@imjasonh
Copy link
Collaborator

imjasonh commented Oct 5, 2021

Can you cite an unhappy consumer today? What's being fixed?

@dekkagaijin
Copy link
Contributor Author

Can you cite an unhappy consumer today?

Dependabot, at least for containerd/containerd < 1.5.7

@imjasonh
Copy link
Collaborator

imjasonh commented Oct 5, 2021
edited

Your PR description could use some work.

  • This looks like a generated change. If it is, how was it generated? go get -u ./...?
    • Knowing roughly the steps it took to make this change helps ensure this isn't going to cause other issues, and helps reproduce the change if there are any questions.
    • If updating containerd was the goal, why not go get -u github.com/containerd/containerd?
  • This seems to be motivated by the presence of a Dependabot alert here. Is it?
    • The vulnerabilities described there don't seem to affect go-containerregistry or its users, since containerd isn't used to pull images. Do you believe this change fixes a real issue, or just accounts for a spurious warning?

In any case, thanks for doing this. I'd just like to understand more the thought process behind it.

Update go mod deps to latest releases, run go mod tidy and `go mod …
568be81 
…vendor`

Signed-off-by: Jake Sanders <jsand@google.com>
@dekkagaijin
Copy link
Contributor Author

Updated the commit and PR comment.

I agree that go-containerregistry isn't affected, but it costs ~nothing to get rid of the warning and avoid any potential future fire drill(s) as scanners pick it up

@dekkagaijin dekkagaijin merged commit 72ae53c into google:main Oct 6, 2021
@dekkagaijin dekkagaijin deleted the deps branch October 6, 2021 16:56
@imjasonh imjasonh mentioned this pull request Oct 7, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

@jonjohnsonjr jonjohnsonjr Awaiting requested review from jonjohnsonjr

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dekkagaijin @codecov-commenter @imjasonh