Update k8s and x/net dependencies #1045

Merged
merged 2 commits into from
Jan 9, 2025

dholbach
Member

No description provided.

@dholbach dholbach added the dependencies Pull requests that update a dependency file label Dec 19, 2024
ckotzbauer
ckotzbauer previously approved these changes Dec 19, 2024
@dholbach
Member Author

dholbach commented Jan 9, 2025

Can somebody please review the Fossa (License compliance) problems indicated, so we can merge this and unblock some other PRs with this as well?

Signed-off-by: Daniel Holbach <daniel.holbach@gmail.com>
@evrardjp
Collaborator

evrardjp commented Jan 9, 2025

Seems like the golang.org/x/text version includes translated text with a CC license. I am now excluding the version.

Let's see if 0.20 is behaving the same way by having it fossa scanned.

@evrardjp evrardjp force-pushed the update branch 3 times, most recently from 0dc6ab1 to c37aeb8 Compare January 9, 2025 21:42
Without this, we'll stay in k8s 0.29, and a vulnerable golang/net.
This contains other bumps, like bumps to golang.org/x/text, which is
flagged by FOSSA as CC licensed.

As these CC-licensed code snippets are used in other CNCF projects
(like kubernetes), this is fine to bump and will be excluded
in our license scans in the future.

Closes: kubereboot#1049
Signed-off-by: Jean-Philippe Evrard <open-source@a.spamming.party>
@evrardjp
Collaborator

evrardjp commented Jan 9, 2025

Checked the history and other projects. Decided to accept the exclusion. Commit is now updated to reflect it.

@evrardjp evrardjp merged commit de77a0f into kubereboot:main Jan 9, 2025
19 of 20 checks passed
@dholbach dholbach deleted the update branch January 15, 2025 12:04
Successfully merging this pull request may close these issues.

Vulnerability Name: Go (Go) Security Update for golang.org/x/net (GHSA-w32m-9786-jp63)