Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump Go and golang.org/x/... to recent versions #527

Merged
merged 2 commits into from
Oct 20, 2023

Conversation

pierreprinetti
Copy link
Contributor

@pierreprinetti pierreprinetti commented Oct 19, 2023

What type of PR is this?
/kind bug

What this PR does / why we need it:
Mitigations to CVE-2023-44487 were added to golang.org/x/net v0.17 (c4e9120) and in Go v1.20.10. This PR bumps Go to v1.20 to benefit from the patches to the standard library.

This PR also updates:

  • golang.org/x/... libraries
  • k8s.io/apiserver
  • k8s.io/apimachinery

This update is not meant to change the current production code, but rather to harden future additions and make sure they rely on patched dependencies.

Does this PR introduce a user-facing change?:

none

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 19, 2023
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 19, 2023
Mitigations to CVE-2023-44487 were added to golang.org/x/net v0.17
(c4e9120) and in Go v1.20.10[1]. This PR
bumps Go to v1.20 to benefit from the patches to the standard library.

Aside, this patch also bump the pseudo-standard golang.org/x/...
libraries to their latest available version for good measure.

[1]: https://pkg.go.dev/vuln/GO-2023-2102
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 19, 2023
@pierreprinetti
Copy link
Contributor Author

/cc dobsonj

@k8s-ci-robot k8s-ci-robot requested a review from dobsonj October 19, 2023 15:07
This change brings no changes in the current code, but asserts that
potential future additions use updated versions of the dependencies.
@MaysaMacedo
Copy link

LGTM

Copy link
Member

@andyzhangx andyzhangx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 20, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, pierreprinetti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 20, 2023
@k8s-ci-robot k8s-ci-robot merged commit 32d2422 into kubernetes-csi:master Oct 20, 2023
11 checks passed
@pierreprinetti pierreprinetti deleted the bump branch October 20, 2023 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants