
chore(deps): bump the go-minor group across 1 directory with 6 updates #3260

Merged: 1 commit merged into main from dependabot/go_modules/go-minor-6162718165, Jan 13, 2025

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jan 13, 2025

Bumps the go-minor group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| connectrpc.com/connect | 1.17.0 | 1.18.1 |
| github.com/cyphar/filepath-securejoin | 0.3.6 | 0.4.0 |
| gitlab.com/gitlab-org/api/client-go | 0.118.0 | 0.119.0 |
| golang.org/x/crypto | 0.31.0 | 0.32.0 |
| golang.org/x/net | 0.33.0 | 0.34.0 |
| google.golang.org/api | 0.214.0 | 0.216.0 |

Updates connectrpc.com/connect from 1.17.0 to 1.18.1

Release notes

Sourced from connectrpc.com/connect's releases.

v1.18.1

What's Changed

Bugfixes

Full Changelog: connectrpc/connect-go@v1.18.0...v1.18.1

v1.18.0

What's Changed

Enhancements

Other changes

New Contributors

Full Changelog: connectrpc/connect-go@v1.17.0...v1.18.0

Commits
  • 46c8b00 Prepare for v1.18.1 (#809)
  • 044befe Fix protoc-gen-go schema variable case handling (#808)
  • 867dac8 Back to development (#806)
  • 8c52642 Prepare for v1.18.0 (#805)
  • 29d45c4 Add same_package option to protoc-gen-connect-go (#803)
  • d55ebd8 Make stream client closers non-blocking (#791)
  • 7dc3e6d Bump github.com/quic-go/quic-go from 0.46.0 to 0.48.2 in /internal/conformanc...
  • 74a6754 Remove reader allocation for compressors pools (#792)
  • 6029bf7 Fix spelling of "optimize" in comment (#786)
  • 145b279 Bump connectrpc.com/conformance from 1.0.3 to 1.0.4 in /internal/conformance ...
  • Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.4.0

This release primarily includes a few minor breaking changes to make the MkdirAll and SecureJoin interfaces more robust against accidental misuse.

  • SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

    While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

    All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

    Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

  • MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

    However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing said bits was also an error).

Thanks to the following contributors for helping make this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.4.0] - 2025-01-13

Breaking: the same two entries as in the release notes above.

Commits
  • 9a17e6b VERSION: release v0.4.0
  • e410d4a merge #44 into cyphar/filepath-securejoin:main
  • ea4e5b6 gha: add GOARCH=386 build check
  • 0c2fbe6 mkdirall: switch to os.FileMode argument
  • f3a512c merge #43 into cyphar/filepath-securejoin:main
  • bc750ad join: return an error if root is unclean path
  • 1be4136 gha: always check for latest Go release
  • b498783 merge #38 into cyphar/filepath-securejoin:main
  • 682d3ad VERSION: back to development
  • See full diff in compare view

Updates gitlab.com/gitlab-org/api/client-go from 0.118.0 to 0.119.0

Release notes

Sourced from gitlab.com/gitlab-org/api/client-go's releases.

v0.119.0

0.119.0 (2025-01-07)

No changes.

Commits
  • eaef23a Merge branch 'remove-minor-version' into 'main'
  • bdba318 Remove patch version from go mod
  • 2b8530e Merge branch 'feature/mergerequest-dependencies' into 'main'
  • ea7c9b1 added the api-calls for adding mergerequest dependencies to existing mergereq...
  • 77169c7 Merge branch 'renovate/golangci-golangci-lint-1.x' into 'main'
  • 3a177cd Merge branch 'renovate/golang.org-x-time-0.x' into 'main'
  • bc322b3 Update golangci/golangci-lint Docker tag to v1.63.4
  • f19b512 Merge branch 'renovate/golangci-golangci-lint-1.x' into 'main'
  • f8973f2 Update golangci/golangci-lint Docker tag to v1.63.3
  • 05a060b Merge branch 'fix/list-project-issues-options' into 'main'
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.31.0 to 0.32.0

Commits
  • 8929309 go.mod: update golang.org/x dependencies
  • 4a75ba5 all: make function and struct comments match the names
  • See full diff in compare view

Updates golang.org/x/net from 0.33.0 to 0.34.0

Commits
  • 8da7ed1 go.mod: update golang.org/x dependencies
  • 2124140 all: make function and struct comments match the names
  • e9d95ba http2: do not surface errors from a conn's idle timer expiring
  • c2be992 quic: remember which remote connection IDs have been retired
  • See full diff in compare view

Updates google.golang.org/api from 0.214.0 to 0.216.0

Release notes

Sourced from google.golang.org/api's releases.

v0.216.0

0.216.0 (2025-01-09)

Features

v0.215.0

0.215.0 (2025-01-01)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.216.0 (2025-01-09)

Features

0.215.0 (2025-01-01)

Features

Commits



Updates `connectrpc.com/connect` from 1.17.0 to 1.18.1
- [Release notes](https://github.com/connectrpc/connect-go/releases)
- [Changelog](https://github.com/connectrpc/connect-go/blob/main/RELEASE.md)
- [Commits](connectrpc/connect-go@v1.17.0...v1.18.1)

Updates `github.com/cyphar/filepath-securejoin` from 0.3.6 to 0.4.0
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](cyphar/filepath-securejoin@v0.3.6...v0.4.0)

Updates `gitlab.com/gitlab-org/api/client-go` from 0.118.0 to 0.119.0
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.118.0...v0.119.0)

Updates `golang.org/x/crypto` from 0.31.0 to 0.32.0
- [Commits](golang/crypto@v0.31.0...v0.32.0)

Updates `golang.org/x/net` from 0.33.0 to 0.34.0
- [Commits](golang/net@v0.33.0...v0.34.0)

Updates `google.golang.org/api` from 0.214.0 to 0.216.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.214.0...v0.216.0)

---
updated-dependencies:
- dependency-name: connectrpc.com/connect
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
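The two breaking changes in the filepath-securejoin v0.4.0 notes above (SecureJoin rejecting a root that is not filepath.Clean'd, and MkdirAll taking an os.FileMode) as an added Go example. This is not filepath-securejoin's code and not Kargo's: `cleanRootJoin` is a hypothetical, purely lexical stand-in for SecureJoin that exists only to show the new precondition (the real library also resolves symlinks below root); `runFixtureDemo` builds a constructed temp-dir layout with a `link -> ../elsewhere` symlink to show why `<symlink>/..` as a root is the foot-gun the note describes; `modeToUnix` is a hypothetical conversion that treats setuid/setgid as invalid and maps os.ModeSticky to the raw sticky bit (0o1000, the value of unix.S_ISVTX, hard-coded so the example needs only the standard library). It assumes a Unix host.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrUncleanRoot models the error filepath-securejoin v0.4.0 returns when the
// root handed to SecureJoin is not already filepath.Clean'd.
var ErrUncleanRoot = errors.New("securejoin: root is not a clean path")

// cleanRootJoin is a hypothetical, purely lexical stand-in for SecureJoin (it does
// not resolve symlinks below root as the real library does). It shows the new
// precondition: an unclean root is rejected instead of being silently cleaned.
func cleanRootJoin(root, unsafePath string) (string, error) {
	if filepath.Clean(root) != root {
		return "", fmt.Errorf("%w: %q (cleans to %q)", ErrUncleanRoot, root, filepath.Clean(root))
	}
	// Anchoring unsafePath at "/" before cleaning keeps "..", "." and absolute
	// prefixes from climbing above root.
	return filepath.Join(root, filepath.Clean("/"+unsafePath)), nil
}

// demoResult collects both views of an unclean root so they can be compared.
type demoResult struct {
	Base, ResolvedBase string // temp dir as created, and after EvalSymlinks
	Root               string // the unclean root: base/safe/link/..
	Lexical, Resolved  string // filepath.Clean(Root) vs. filepath.EvalSymlinks(Root)
	UncleanErr         error  // what cleanRootJoin says about Root
	Joined             string // cleanRootJoin on the cleaned root
}

// runFixtureDemo builds a constructed layout (not from the page) in a temp dir:
//
//	base/safe/link -> ../elsewhere
//	base/elsewhere/
//
// Lexically base/safe/link/.. is base/safe; to the kernel it is base/elsewhere/..,
// i.e. base. Pre-0.4.0 SecureJoin would have placed results under the lexical answer.
func runFixtureDemo() (demoResult, error) {
	var r demoResult
	base, err := os.MkdirTemp("", "securejoin-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	safe := filepath.Join(base, "safe")
	for _, d := range []string{safe, filepath.Join(base, "elsewhere")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.Symlink("../elsewhere", filepath.Join(safe, "link")); err != nil {
		return r, err
	}
	r.Base, r.Root = base, filepath.Join(safe, "link")+"/.."
	if r.ResolvedBase, err = filepath.EvalSymlinks(base); err != nil {
		return r, err
	}
	if r.Resolved, err = filepath.EvalSymlinks(r.Root); err != nil {
		return r, err
	}
	r.Lexical = filepath.Clean(r.Root)
	_, r.UncleanErr = cleanRootJoin(r.Root, "../../etc/passwd")
	// The caller must decide which directory it meant and pass that, cleaned.
	r.Joined, err = cleanRootJoin(r.Lexical, "../../etc/passwd")
	return r, err
}

// modeToUnix converts the os.FileMode that MkdirAll now takes into raw mkdir(2)
// bits, rejecting setuid/setgid as v0.4.0 does. A caller still passing the raw
// unix.S_ISVTX value (0o1000) gets an error, because in os.FileMode's encoding
// that bit is not os.ModeSticky: this is the runtime error the note warns about.
func modeToUnix(mode os.FileMode) (uint32, error) {
	const sISVTX = 0o1000 // same value as unix.S_ISVTX (hypothetical local constant)
	if extra := mode &^ (os.ModePerm | os.ModeSticky); extra != 0 {
		return 0, fmt.Errorf("invalid mode bits %#o in %v", uint32(extra), mode)
	}
	bits := uint32(mode & os.ModePerm)
	if mode&os.ModeSticky != 0 {
		bits |= sISVTX
	}
	return bits, nil
}

func main() {
	r, err := runFixtureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("root      %s\nlexical   %s\nresolved  %s\n", r.Root, r.Lexical, r.Resolved)
	fmt.Println("v0.4.0:  ", r.UncleanErr)
	fmt.Println("joined:  ", r.Joined)
	for _, m := range []os.FileMode{0o755 | os.ModeSticky, 0o1000, 0o4755} {
		bits, err := modeToUnix(m)
		fmt.Printf("mode %#o -> %#o, err=%v\n", uint32(m), bits, err)
	}
}
```

Running it prints a lexical root (base/safe) and a resolved root (base) that disagree, which is exactly the situation the release note calls user error: the caller has to resolve or clean the root itself and decide which directory it meant before calling SecureJoin. The mode loop shows that `0o755|os.ModeSticky` converts cleanly while a raw `0o1000` or a setuid `0o4755` is refused.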
@dependabot dependabot bot requested a review from a team as a code owner January 13, 2025 12:26
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 13, 2025
netlify bot commented Jan 13, 2025

Deploy Preview for docs-kargo-io ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | aea9091 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/docs-kargo-io/deploys/6785069351aaf000085de8d4 |
| 😎 Deploy Preview | https://deploy-preview-3260.docs.kargo.io |

@hiddeco hiddeco self-assigned this Jan 13, 2025
@hiddeco hiddeco added this to the v1.2.0 milestone Jan 13, 2025
@hiddeco hiddeco added this pull request to the merge queue Jan 13, 2025
Merged via the queue into main with commit c1a3cf9 Jan 13, 2025
19 checks passed
@hiddeco hiddeco deleted the dependabot/go_modules/go-minor-6162718165 branch January 13, 2025 12:53
github-actions bot pushed a commit that referenced this pull request Jan 13, 2025
#3260)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit c1a3cf9)

fykaa pushed a commit to fykaa/kargo that referenced this pull request Jan 16, 2025
akuity#3260)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Labels
backport/release-1.2 dependencies Pull requests that update a dependency file go Pull requests that update Go code