Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gcs/v2: bump cloud.google.com/go/storage to 1.34.0 #488

Merged
merged 3 commits into from
May 17, 2024
Merged

gcs/v2: bump cloud.google.com/go/storage to 1.34.0 #488

merged 3 commits into from
May 17, 2024

Conversation

lbajolet-hashicorp
Copy link

The storage library that gcs depends on transitively imports grpc in version 1.50.0, which is vulnerable to GHSA-m425-mq94-257g.

While this is a server-side vulnerability, therefore the package is not directly vulnerable (nor its clients), this dependency still causes advisories to be produced against this package, so we update those now.

@lbajolet-hashicorp lbajolet-hashicorp force-pushed the v2_update_gcs_storage_dep branch 2 times, most recently from 94876cc to 2d75a1c Compare April 18, 2024 19:49
@lbajolet-hashicorp
gcs/v2: bump cloud.google.com/go/storage to 1.35.0
d9b73be 
The storage library that gcs depends on transitively imports grpc in
version 1.50.0, which is vulnerable to GHSA-m425-mq94-257g.

While this is a server-side vulnerability, therefore the package is not
directly vulnerable (nor its clients), this dependency still causes
advisories to be produced against this package, so we update those now.
@lbajolet-hashicorp
.github: run tests on go 1.19, 1.20 and 1.21
ce9510d 
Sicne we require go v1.19 now at minimum, we cannot run tests on go
v1.17 or v1.18 anymore.

Since there are more recent versions of Go available as well, we start
testing the packages on those versions in addition to 1.19.
@lbajolet-hashicorp
.github: remove trailing whitespaces
9c95e67
JenGoldstrich
JenGoldstrich approved these changes Apr 19, 2024
View reviewed changes
Copy link

@JenGoldstrich JenGoldstrich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, we should document the removal of go 1.17 and 1.18 support in the release notes but it makes sense that we need to remove those as the tests no longer work on newer dependency versions.

nywilken
nywilken approved these changes May 7, 2024
View reviewed changes
Copy link
Member

@nywilken nywilken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nywilken nywilken merged commit bd0bfb5 into v2 May 17, 2024
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nywilken nywilken nywilken approved these changes

@JenGoldstrich JenGoldstrich JenGoldstrich approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@lbajolet-hashicorp @nywilken @JenGoldstrich