🌱 Bump golang.org/x/text to v0.3.7 #2438
Conversation
Signed-off-by: Paulo Gomes <pjbgf@linux.com>
@camilamacedo86 following up on the meeting today, would you mind taking a look at this PR please?
AFAIK this won't actually change the version used by dependencies, and kubebuilder doesn't use this dep directly. Use a replace
directive instead
replace golang.org/x/text => golang.org/x/text v0.3.7
@estroz Thank you for reviewing this PR. I believe the difference between the two approaches is that one defines the minimum version of the indirect dependency, and the other replaces all references to it. For example, the current approach relies on golang MVS to find the minimum required version on
If we were to use replace instead (e.g.
Meaning that in the future when our direct dependencies start requiring a version newer than that, it would still be replaced by
Please let me know whether that's still the preferred approach and I will amend the PR accordingly. PS: This was already tested on security-profiles-operator with the desired effect confirmed through deps.dev.
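To make the difference between the two approaches concrete, here is a small added illustration (not code from kubebuilder or this PR) of how minimal version selection picks a version for one module and how a replace directive overrides that result; the module graph and version numbers are constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// Requirement is one edge in the module graph: some module needs Dep at
// version Min or newer, which is what a "require" line in go.mod expresses.
type Requirement struct {
	Dep, Min string
}

// less reports whether semver tag a is older than b. Assumes plain
// vMAJOR.MINOR.PATCH tags, which is all this illustration needs.
func less(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		na, _ := strconv.Atoi(pa[i])
		nb, _ := strconv.Atoi(pb[i])
		if na != nb {
			return na < nb
		}
	}
	return false
}

// Select mimics minimal version selection for one module: the chosen version
// is the highest minimum any requirer asks for, so a direct dependency that
// later needs a newer version automatically wins. A replace directive
// (dep -> pinned version) overrides that result unconditionally.
func Select(dep string, reqs []Requirement, replace map[string]string) string {
	if pinned, ok := replace[dep]; ok {
		return pinned
	}
	selected := ""
	for _, r := range reqs {
		if r.Dep == dep && (selected == "" || less(selected, r.Min)) {
			selected = r.Min
		}
	}
	return selected
}

// Constructed module graph: kubebuilder's own "require ... // indirect" line,
// an older minimum from one dependency, and a direct dependency that in the
// future needs an even newer x/text.
var graph = []Requirement{
	{"golang.org/x/text", "v0.3.7"},
	{"golang.org/x/text", "v0.3.6"},
	{"golang.org/x/text", "v0.3.8"},
}
```

With only the first two edges the require approach yields v0.3.7; once the third edge appears it moves to v0.3.8, whereas a replace pin keeps v0.3.7 regardless.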
Hi @rashmigottipati and @estroz, Following my review: First, the mojo here would be However, why do we need to bump only this indirect dep? Could we not just:
And then, update all indeed the go version which is a requirement tracked in the repo? Would not that make more sense? /hold Could we solve the need to update this dep by updating the go version? Is that OK for you @rashmigottipati? WDYT?
@pjbgf I was not aware that
$ go list -m all | grep golang.org/x/text
golang.org/x/text v0.3.7
I'm ok with this change. @camilamacedo86 in go 1.17 the indirects are listed in a separate block so this won't be an eyesore after bumping go versions, so we can merge this then bump in a separate PR. Thoughts?
/approved
/lgtm
For me @rashmigottipati @estroz
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, pjbgf The full list of commands accepted by this bot can be found here. The pull request process is described here
Description
Bump an indirect dependency to fix a minor security advisory that was fixed a few months ago.
More information in the linked issue below.
Fixes #2437