remove 'replace' directive #8

Merged
merged 1 commit into from Dec 20, 2021

kuritka (Contributor) commented Dec 17, 2021

I removed the critical CVEs, but there is still one minor CVE with the old miekg module. The problem is that `go install` won't work if I use an `exclude` or `replace` directive.
See: golang/go#40276

I briefly tested this against k8gb and it is working as expected.

Signed-off-by: kuritka kuritka@gmail.com

I removed the critical CVEs, but there is still one minor CVE with the old miekg module.
The problem is that `go install` won't work if I use an `exclude` or `replace` directive.
The error looks like:
```
        The go.mod file for the module providing named packages contains one or
        more replace directives. It must not contain directives that would cause
        it to be interpreted differently than if it were the main module.
```

Signed-off-by: kuritka <kuritka@gmail.com>

kuritka commented Dec 20, 2021

Regarding Cobra RELEASE

Now using Viper v1.10.0
There is a known CVE in an indirect dependency from viper: #1538. This will be patched in a future release

The Miekg CVE will be fixed with the upcoming Cobra release.

kuritka merged commit 7f7cb48 into main Dec 20, 2021

ytsarev commented Dec 20, 2021

@kuritka why do we need dns package in golic?

kuritka commented Dec 20, 2021

@ytsarev The DNS package is included in the Viper package, which is included in Cobra. That's why the CVE occurs. GoLic doesn't work with DNS or Viper at all; on the other hand, we use Cobra.

The problem is that I can't use `go install` when a `replace` or `exclude` directive is used in go.mod. That's why I keep the not-too-important CVE. From the Cobra release notes it seems that the CVE will be patched.

ytsarev commented Dec 20, 2021

@kuritka got it, thanks
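
A CI-style check for the restriction discussed in this thread, added here as an example (it is not code from the golic repository or from either participant): it lists the `replace` and `exclude` entries in a go.mod, the directives that `go install pkg@version` rejects. The function name `BlockingDirectives`, the sample go.mod and every module path in it are assumptions constructed for illustration, and the parser assumes a gofmt-style file.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is constructed for this example; all module paths are placeholders.
const sampleGoMod = `module example.com/tool

require example.com/cli v1.0.0 // a comment that mentions replace is ignored
replace (
	example.com/old => example.com/new v1.2.3
	example.com/local => ../local
)
exclude example.com/bad v0.0.1
`

// BlockingDirectives returns the replace/exclude entries of a gofmt-style
// go.mod, covering the single-line form and the parenthesised block form.
func BlockingDirectives(gomod string) []string {
	var found []string
	block := "" // directive whose "( ... )" block is currently open
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comment
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank or comment-only line
		case block != "" && f[0] == ")":
			block = ""
		case block == "replace" || block == "exclude":
			found = append(found, block+" "+strings.Join(f, " "))
		case block != "": // inside a require/retract block
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case f[0] == "replace" || f[0] == "exclude":
			found = append(found, strings.Join(f, " "))
		}
	}
	return found
}

func main() { fmt.Println(strings.Join(BlockingDirectives(sampleGoMod), "\n")) }
```

A non-empty result means the module cannot be installed with `go install pkg@version` until those entries are removed, which is the trade-off described in the comments above.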
