Don't use yaml.v2 2.3.0 which has a breaking change #1259
yaml.v2 contains a breaking change from go-yaml/yaml#571. yaml.v2 2.2.8 does not have that change and also addresses the CVE that was behind the move to yaml.v2 2.3.0. This commit reverts to using yaml.v2 2.2.8. Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
@eparis may have an opinion on this.
Can
Sure, that's what they are doing now. It's just that the 1.1 release isn't that useful if multiple projects can't use it. So really, this discussion is about trying to get Cobra improvements in the hands of users.
My only point is that, depending on the responsiveness of yaml.v2 maintainers, it might be less disruptive to wait until their next release, and then bump cobra. Was it reported in go-yaml already? I didn't find any reference in the linked issues.
Someone from kubectl was supposed to reach out to them. Should be happening soon.
would it be possible to do a new release with this PR and #1255 (which fixes packaging
I will work on resolving this today. I think what we should do is cut a quick patch release and deprecate the version of Yaml to what kubectl and helm need. Question: @marckhouzam was this an unintended breaking change? Otherwise, I would have expected to see a yaml 3.x version denoting the breaking change.
@jpmcb Thank you for jumping on this!
From what I understand, the fact that it was a breaking change was overlooked.
I see - thanks much for the quick response.
That is unfortunate. We will go ahead and call this a bug in 1.1.x and fix it in 1.1.1 shortly. While I have you @marckhouzam any other bug fixes that should get into this release I'm about to cut?
For a 1.1.1 release, I believe the two PRs you just merged (this one and the manpages one) seem to be it.
cobra 1.1.0 inadvertently included a breaking YAML change affecting kubectl and helm. See spf13/cobra#1259 for details. Signed-off-by: Tom Payne <tom@isovalent.com>
Thanks! It's very appreciated!
Version 2.3.0 changes the default line wrapping from 80 characters to none. This potentially breaks Kubernetes and Helm. See spf13/cobra#1259 for discussion. Signed-off-by: Tom Payne <tom@isovalent.com>
gopkg.in/yaml.v2 version 2.3.0 changes the default line wrapping from 80 characters to none. This potentially breaks Kubernetes and Helm. See spf13/cobra#1259 for discussion. Signed-off-by: Tom Payne <tom@isovalent.com>
This is to start a discussion to see what would be the best way forward.
PR #1153 moved Cobra to yaml.v2 2.3.0
This change has introduced a breaking change which is preventing kubectl and helm from using Cobra 1.1 (and probably others). See kubernetes/kubernetes#95571 and helm/helm#8890 (comment). The breaking change has to do with line wrapping and was introduced by go-yaml/yaml#571.
The reason behind Cobra upgrading to yaml.v2 2.3.0 was to address a CVE reported by Kubernetes in kubernetes/kubernetes#89535. However the fix for Kubernetes was to move to yaml.v2 2.2.8 as seen in kubernetes/kubernetes#87467. yaml.v2 2.2.8 does not contain the breaking change.
Therefore, Cobra could instead use yaml.v2 2.2.8 and avoid bringing in the breaking change of 2.3.0. This PR makes the suggested change.
This would require doing a quick release of Cobra to address the current problem.
What are the maintainers' thoughts on this?
@jharshman @jpmcb @wfernandes
The longer term solution will need to be addressed by the yaml.v2 project.
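The practical takeaway of this thread for anyone who depends on Cobra or yaml.v2 is a dependency-pinning check: confirm that a module's go.mod does not require gopkg.in/yaml.v2 at v2.3.0 or later, which is the release that changed the default line wrapping. The following Go program is an added example written for this page; it is not code from the cobra, kubectl or helm projects. It parses a constructed sample go.mod (the module path example.com/mytool and its contents are invented) with only the standard library, extracts the required yaml.v2 version and compares it against v2.3.0 with a minimal semver comparison. The function names RequiredVersion, HasBreakingYAML, parseSemver and compareSemver are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod for a hypothetical module (not the go.mod of
// cobra, kubectl or helm). It requires the yaml.v2 release the PR reverts from.
const sampleGoMod = `module example.com/mytool

go 1.15

require (
	github.com/spf13/cobra v1.1.0
	gopkg.in/yaml.v2 v2.3.0
)
`

// Module path and release taken from the PR discussion: v2.3.0 changed the
// default line wrapping from 80 characters to none.
const (
	yamlModule      = "gopkg.in/yaml.v2"
	breakingVersion = "v2.3.0"
)

// RequiredVersion returns the version goMod requires for module, or "" if the
// module is absent. Single-line "require path version" and "require ( ... )"
// blocks are handled; replace and exclude directives are ignored.
func RequiredVersion(goMod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case !inBlock && !strings.HasPrefix(line, "require "):
			continue
		}
		fields := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(fields) >= 2 && fields[0] == module {
			return fields[1]
		}
	}
	return ""
}

// parseSemver turns "vX.Y.Z" into three integers; a -pre or +build suffix is
// dropped before parsing.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vX.Y.Z version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1 as a sorts before, equal to or after b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// HasBreakingYAML reports whether goMod requires gopkg.in/yaml.v2 at v2.3.0
// or later, and returns the required version alongside the verdict.
func HasBreakingYAML(goMod string) (bool, string, error) {
	v := RequiredVersion(goMod, yamlModule)
	if v == "" {
		return false, "", nil
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	limit, _ := parseSemver(breakingVersion)
	return compareSemver(have, limit) >= 0, v, nil
}

func main() {
	bad, v, err := HasBreakingYAML(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s at or above %s: %v\n", yamlModule, v, breakingVersion, bad)
}
```

The sample go.mod above is flagged because it requires v2.3.0; swapping that line to v2.2.8 (the version this PR reverts to) clears the finding. In a real repository the equivalent fix is `go mod edit -require=gopkg.in/yaml.v2@v2.2.8` followed by `go mod tidy`, and the check is worth running in CI so a later `go get -u` does not silently reintroduce the newer release.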