
Commit 313610d

Updating Go dependency: Docker and Git to fix CVE (#20689)
* Updating Go dependency: Docker and Git to fix CVE Tool: gitpod/catfood.gitpod.cloud * [image-builder-bob] Pin OpenTelemetry dependencies to compatible versions Tool: gitpod/catfood.gitpod.cloud
1 parent 7137833 commit 313610d

6 files changed

+77
-86
lines changed


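--- a/components/image-builder-bob/go.mod
+++ b/components/image-builder-bob/go.mod
@@ -32,7 +32,7 @@ require (
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 github.com/containerd/typeurl/v2 v2.1.1 // indirect
 github.com/docker/distribution v2.8.2+incompatible // indirect
-github.com/docker/docker v24.0.0+incompatible // indirect
+github.com/docker/docker v28.0.2+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.7.0 // indirect
 github.com/gitpod-io/gitpod/components/scrubber v0.0.0-00010101000000-000000000000 // indirect
 github.com/go-logr/logr v1.4.1 // indirect
@@ -52,6 +52,7 @@ require (
 github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
+github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/locker v1.0.1 // indirect
 github.com/moby/patternmatcher v0.5.0 // indirect
 github.com/moby/sys/signal v0.7.0 // indirect
@@ -146,3 +147,16 @@ replace k8s.io/kubectl => k8s.io/kubectl v0.30.9 // leeway indirect from compone
 replace k8s.io/mount-utils => k8s.io/mount-utils v0.30.9 // leeway indirect from components/common-go:lib
 
 replace k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.9 // leeway indirect from components/common-go:lib
+
+// Pin OpenTelemetry dependencies to compatible versions
+replace go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.21.0
+
+replace go.opentelemetry.io/otel/metric => go.opentelemetry.io/otel/metric v1.21.0
+
+replace go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v1.21.0
+
+replace go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.21.0
+
+replace go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.0
+
+replace go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0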
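Review bot: The six `replace` directives added at the end of the third hunk pin go.opentelemetry.io/otel to v1.21.0 and the contrib instrumentation to v0.46.0, but the one-line comment does not say what they must stay compatible with or when the pin can be removed. A `replace` overrides the version selected from the module graph, so `go get -u` and automated dependency updates will keep proposing newer otel releases that silently never take effect, which matters in a commit whose purpose is a security fix; presumably the newer docker/docker requirement drags in an otel version some other module cannot build against, but that is not visible here. I would expand the comment to record the constraint and an exit condition, e.g. `// Pin OpenTelemetry to v1.21.0 / contrib v0.46.0: <MODULE-PLACEHOLDER> does not build against the otel version required by docker/docker v28; remove once <MODULE-PLACEHOLDER> is updated`, filling in the actual module. The commit title refers to a CVE without an identifier; naming it in the message would let reviewers confirm that docker v28.0.2 is the version carrying the fix.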

components/image-builder-bob/go.sum

+8-2

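--- a/components/image-builder-mk3/go.mod
+++ b/components/image-builder-mk3/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/alecthomas/jsonschema v0.0.0-20210526225647-edb03dcab7bc
 github.com/containerd/containerd v1.6.36
 github.com/docker/cli v25.0.1+incompatible
-github.com/docker/docker v25.0.1+incompatible
+github.com/docker/docker v28.0.2+incompatible
 github.com/docker/docker-credential-helpers v0.7.0 // indirect
 github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
 github.com/gitpod-io/gitpod/content-service/api v0.0.0-00010101000000-000000000000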

components/image-builder-mk3/go.sum

+2-2

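--- a/components/local-app/go.mod
+++ b/components/local-app/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/gitpod-io/gitpod/local-app/api v0.0.0-00010101000000-000000000000
 github.com/gitpod-io/gitpod/supervisor/api v0.0.0-00010101000000-000000000000
 github.com/golang/mock v1.6.0
-github.com/google/go-cmp v0.6.0
+github.com/google/go-cmp v0.7.0
 github.com/google/uuid v1.3.0
 github.com/improbable-eng/grpc-web v0.14.0
 github.com/kevinburke/ssh_config v1.2.0
@@ -44,35 +44,31 @@ require (
 
 require (
 dario.cat/mergo v1.0.0 // indirect
-github.com/Microsoft/go-winio v0.6.1 // indirect
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
-github.com/acomagu/bufpipe v1.0.4 // indirect
+github.com/Microsoft/go-winio v0.6.2 // indirect
+github.com/ProtonMail/go-crypto v1.1.5 // indirect
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
-github.com/cloudflare/circl v1.3.3 // indirect
-github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+github.com/cloudflare/circl v1.6.0 // indirect
+github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-github.com/go-git/go-billy/v5 v5.5.0 // indirect
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+github.com/go-git/go-billy/v5 v5.6.2 // indirect
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/kr/fs v0.1.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-github.com/pjbgf/sha1cd v0.3.0 // indirect
+github.com/pjbgf/sha1cd v0.3.2 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pkg/sftp v1.13.5 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/segmentio/backo-go v1.0.0 // indirect
-github.com/sergi/go-diff v1.1.0 // indirect
-github.com/skeema/knownhosts v1.2.0 // indirect
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+github.com/skeema/knownhosts v1.3.1 // indirect
 github.com/stretchr/objx v0.5.0 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
 github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
-golang.org/x/mod v0.17.0 // indirect
-golang.org/x/sync v0.12.0 // indirect
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
@@ -81,7 +77,7 @@ require (
 github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 github.com/danieljoos/wincred v1.1.0 // indirect
-github.com/go-git/go-git/v5 v5.10.0
+github.com/go-git/go-git/v5 v5.14.0
 github.com/godbus/dbus/v5 v5.0.3 // indirect
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/gorilla/websocket v1.5.0 // indirect
@@ -95,8 +91,8 @@ require (
 github.com/sourcegraph/jsonrpc2 v0.0.0-20200429184054-15c2290dcb37 // indirect
 github.com/spf13/pflag v1.0.5
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-golang.org/x/net v0.25.0 // indirect
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
+golang.org/x/net v0.35.0 // indirect
 golang.org/x/sys v0.31.0 // indirect
 golang.org/x/text v0.23.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect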
