
fix(deps): bump google.golang.org/protobuf to 1.33.0 to fix CVE-2024-24786 #12846

Merged
merged 2 commits into from
Mar 31, 2024

Conversation


@yulin-li yulin-li commented Mar 26, 2024

GHSA-8r3f-844c-mc37

Fixes #TODO

Motivation

Modifications

  • Also bump github.com/golang/protobuf to 1.5.4 to make the build pass

Verification
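A check a maintainer could run against a branch's go.mod before or after a backport like this one, written here as an added example (not code from this PR or from the argo-workflows project): it reads the require entries and flags any tracked protobuf module still below the versions named in this PR. The go.mod fragment and the two-module minimum list are constructed assumptions.

```python
import re

# Minimum fixed versions named in this PR (assumption: only these two modules are tracked).
MIN_VERSIONS = {
    "google.golang.org/protobuf": "v1.33.0",
    "github.com/golang/protobuf": "v1.5.4",
}

# Constructed go.mod fragment (not from the argo-workflows repository): one module at its
# minimum on a single-line require, one pseudo-version below its minimum inside a block,
# and one unrelated module.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.21

require github.com/golang/protobuf v1.5.4

require (
	github.com/spf13/cobra v1.8.0
	google.golang.org/protobuf v1.31.0-0.20230901123456-abcdef012345 // indirect
)
"""


def version_key(v: str) -> tuple[int, int, int, int]:
    """Map 'v1.33.0', 'v1.33.0-rc1' or a pseudo-version to a comparable tuple.
    A pre-release/pseudo-version suffix sorts below the bare version (semver rule),
    so v1.33.0-rc1 is still reported as older than v1.33.0."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[^+]*)?(\+.*)?", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def outdated(gomod: str) -> dict[str, str]:
    """Return module -> required version for every tracked module below its minimum.
    Single-line 'require m v' and 'require ( ... )' blocks are both handled, because each
    entry is a 'module version' pair once the keyword and trailing comments are stripped."""
    bad = {}
    for raw in gomod.splitlines():
        fields = raw.split("//", 1)[0].split()  # drop "// indirect" and other comments
        if fields[:1] == ["require"]:
            fields = fields[1:]
        if len(fields) < 2 or fields[0] not in MIN_VERSIONS:
            continue  # directives like module/go/replace, "require (", ")" or blank lines
        module, have = fields[0], fields[1]
        if version_key(have) < version_key(MIN_VERSIONS[module]):
            bad[module] = have
    return bad
```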

@agilgur5 agilgur5 added type/security Security related type/dependencies PRs and issues specific to updating dependencies labels Mar 26, 2024

@agilgur5 agilgur5 left a comment


Thanks for updating this. There seems to be an import error causing CI to fail. Other deps or codegen might need to be updated?

@agilgur5 agilgur5 added the go Pull requests that update Go dependencies label Mar 26, 2024
@yulin-li

Thanks for updating this. There seems to be an import error causing CI to fail. Other deps or codegen might need to be updated?

github.com/golang/protobuf needs to be updated too.

My question is, why didn't Dependabot do this for us?

@yulin-li

The changes were made in #12847; closing this now.

@yulin-li yulin-li closed this Mar 28, 2024

agilgur5 commented Mar 28, 2024

My question is, why didn't Dependabot do this for us?

Dependabot alerts seem to not be enabled, see #12763 (comment) for more info. I don't have permissions to rectify that unfortunately.

The changes were made in #12847; closing this now.

Ah, thanks anyway! We may want to re-open this as a backport if #12847 does not get backported (since that could be considered a breaking change; I'm not sure what the historical policy has been on k8s upgrades in patches)

@agilgur5

We may want to re-open this as a backport if #12847 does not get backported (since that could be considered a breaking change; I'm not sure what the historical policy has been on k8s upgrades in patches)

Could you re-open this PR and change the base branch to release-3.5? That would backport this to 3.5.x.

@yulin-li yulin-li reopened this Mar 31, 2024
@yulin-li yulin-li changed the base branch from main to release-3.5 March 31, 2024 11:38

yulin-li commented Mar 31, 2024

Could you re-open this PR and change the base branch to release-3.5? That would backport this to 3.5.x.

Updated.


@agilgur5 agilgur5 left a comment


Thanks for the update and backport!

@agilgur5 agilgur5 merged commit 1f39d32 into argoproj:release-3.5 Mar 31, 2024
5 checks passed
@agilgur5 agilgur5 added this to the v3.5.x patches milestone Apr 3, 2024
@agilgur5 agilgur5 added the type/backport Backport of an existing PR to an older release branch label Apr 9, 2024
@agilgur5 agilgur5 changed the title chore(deps): bump google.golang.org/protobuf to 1.33.0 to fix CVE-2024-24786 fix(deps): bump google.golang.org/protobuf to 1.33.0 to fix CVE-2024-24786 Apr 10, 2024