deps: bump client-go from v0.24.2 to v0.25.0-alpha.2 #57

Merged: 2 commits, Jul 19, 2022

@DmitriyLewen
Contributor

DmitriyLewen commented Jul 15, 2022

Description

k8s.io/client-go v0.24.x contains github.com/emicklei/go-restful v2.9.5 with critical vulnerability CVE-2022-1996.
Bumped k8s.io/client-go to v0.25.0-alpha.2, until the stable version v0.25.0 is released.

Related Issues:

@knqyf263
Contributor

@DmitriyLewen
Contributor Author

No, I checked it.
v0.24.3 still uses github.com/emicklei/go-restful v2.9.5

@knqyf263
Contributor

knqyf263 commented Jul 19, 2022

@josedonizetti @chen-keinan Can you review it? I don't have permission in this repository.

@chen-keinan
Contributor

chen-keinan commented Jul 19, 2022

@DmitriyLewen I think we can use replace in the go.mod file instead of getting v0.25.0-alpha.2, wdyt?

@DmitriyLewen
Contributor Author

DmitriyLewen commented Jul 19, 2022

Hmm... I don't know which is better.
Both options seem to work the same.
replace will remind you to update this version.
But I think dependabot should update this dependency when version v0.25.0 is released.

If you prefer to use replace, tell me and I will change the PR.

@knqyf263
Contributor

It is a direct dependency. We can update the version rather than use the replace directive. @chen-keinan Do you have any advantages of replace in mind?

@chen-keinan
Contributor

chen-keinan commented Jul 19, 2022

I'm also OK with both, I just prefer not to use an alpha version. But I'm fine with it if you do not want to use replace.

@josedonizetti josedonizetti merged commit 79488fb into aquasecurity:main Jul 19, 2022
@DmitriyLewen DmitriyLewen deleted the deps/client-go branch July 20, 2022 03:49