-
Notifications
You must be signed in to change notification settings - Fork 257
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump Go and golang.org/x/... to recent versions #527
Conversation
Mitigations to CVE-2023-44487 were added to golang.org/x/net v0.17 (c4e9120) and in Go v1.20.10[1]. This PR bumps Go to v1.20 to benefit from the patches to the standard library. Aside, this patch also bump the pseudo-standard golang.org/x/... libraries to their latest available version for good measure. [1]: https://pkg.go.dev/vuln/GO-2023-2102
/cc dobsonj |
This change brings no changes in the current code, but asserts that potential future additions use updated versions of the dependencies.
LGTM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andyzhangx, pierreprinetti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Mitigations to CVE-2023-44487 were added to golang.org/x/net v0.17 (c4e9120) and in Go v1.20.10. This PR bumps Go to v1.20 to benefit from the patches to the standard library.
This PR also updates:
This update is not meant to change the current production code, but rather to harden future additions and make sure they rely on patched dependencies.
Does this PR introduce a user-facing change?: