
Bump go-api version to fix protojson vuln #1333

Merged
merged 1 commit into from
Jan 8, 2024

Conversation

tdeebswihart
Contributor

What was changed

I bumped the version of api-go

Why?

To fix the protojson DoS vulns recently patched in the upstream golang/protobuf. See temporalio/api-go#143 for details.

@tdeebswihart tdeebswihart requested a review from a team as a code owner January 3, 2024 19:16
@@ -10,12 +10,12 @@ require (
github.com/pborman/uuid v1.2.1
github.com/robfig/cron v1.2.0
github.com/stretchr/testify v1.8.4
go.temporal.io/api v1.26.1
go.temporal.io/api v1.26.1-0.20240103185939-608bdd111e4b
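Review bot: the added `go.temporal.io/api v1.26.1-0.20240103185939-608bdd111e4b` line replaces a tagged release with a pseudo-version, i.e. an untagged api-go commit, which is fine as an interim fix but must not remain in go.mod when the SDK itself is tagged; suggest replacing it with the tagged api-go release that contains the protojson fix before the next SDK release, and noting in the PR description which upstream golang/protobuf fix this bump picks up so the change is auditable later. This hunk shows only go.mod; the matching go.sum entries for the new pseudo-version need to land in the same commit, otherwise a default (`-mod=readonly`) build fails with a missing go.sum entry.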
Member


How can we make sure we don't release the SDK with an untagged API version?

Contributor Author

@tdeebswihart tdeebswihart Jan 3, 2024


I'm happy to cut a release of api-go if we're ok with releasing all of temporalio/api-go@v1.26.2...master

Contributor Author


@cretz we can't cut a release of api-go because we haven't released the gogoproto changes into the wild.

Member


Right, I just want to make sure we remember to tag this before the next SDK release.
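As an added example that is not code from this PR or from the Temporal SDK, here is the kind of release gate the thread above asks for: it parses go.mod and fails when any requirement is a pseudo-version, i.e. pinned to an untagged commit like the api-go bump in this diff. The go.mod text in `sampleGoMod` is constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// A pseudo-version ends in a 14-digit UTC timestamp and a 12-hex-digit commit
// prefix, e.g. v1.26.1-0.20240103185939-608bdd111e4b (the form in this PR).
var pseudoVersionRe = regexp.MustCompile(`[-.]\d{14}-[0-9a-f]{12}$`)
// IsPseudoVersion reports whether v pins an untagged commit rather than a tag.
func IsPseudoVersion(v string) bool {
	return pseudoVersionRe.MatchString(strings.TrimSuffix(v, "+incompatible"))
}

// UntaggedRequirements scans go.mod text (single-line and block `require` forms)
// and maps each module pinned to a pseudo-version to that version.
func UntaggedRequirements(goMod string) map[string]string {
	found := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "//"): // commented-out line, skip it
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "require "):
			// Only the first two fields are read, so a trailing "// indirect" is ignored.
			f := strings.Fields(strings.TrimPrefix(line, "require "))
			if len(f) >= 2 && IsPseudoVersion(f[1]) {
				found[f[0]] = f[1]
			}
		}
	}
	return found
}

// sampleGoMod is a constructed fragment shaped like the SDK's go.mod after this PR.
const sampleGoMod = "module go.temporal.io/sdk\n\nrequire (\n" +
	"\tgithub.com/pborman/uuid v1.2.1\n" +
	"\tgo.temporal.io/api v1.26.1-0.20240103185939-608bdd111e4b\n)\n"
// Release gate: exit non-zero when any dependency is pinned to an untagged commit.
func main() {
	if bad := UntaggedRequirements(sampleGoMod); len(bad) > 0 {
		fmt.Printf("release blocked, untagged dependencies: %v\n", bad)
		os.Exit(1)
	}
}
```

In CI the same check would read the repository's real go.mod instead of the constructed sample and run before the tag step.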

@tdeebswihart tdeebswihart requested review from cretz and a team January 3, 2024 19:46
@cretz
Member

cretz commented Jan 5, 2024

Would rather have @Quinn-With-Two-Ns's approval here over my own. He may prefer not to merge this at this time.

@tdeebswihart tdeebswihart enabled auto-merge (squash) January 8, 2024 17:45
@tdeebswihart tdeebswihart merged commit c1744ee into master Jan 8, 2024
13 checks passed
@tdeebswihart tdeebswihart deleted the tds/update-go-api branch January 8, 2024 17:46