Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: update vulnerable go dependencies #938

Open
wants to merge 59 commits into
base: v3
Choose a base branch
from

Conversation

cheungaryk
Copy link
Contributor

@cheungaryk cheungaryk commented Dec 17, 2024

Hello, this is related to #936, Richard (that PR's submitter) and I work for the same organization.

We are trying to get vale to be approved for use in our organization. The security review found multiple vulnerabilities that need to be patched before approved. So I created this PR and also #937 .

This PR patched the vulns related to go. Most of them are pretty straight forward patch/minor upgrades, here are the more notable ones:

  • antonmedv/expr -> expr-lang/expr. The author renamed it, it's the same library
  • mholt/archiver/v3 -> archive/zip (go native). Per mholt the author, archiver is deprecated and he has moved the work to a newer library named archives, but in this PR I am using archive/zip instead for simplicity (and also archives doesn't pass our security scan 😓 ). Comes with slight code refactoring. Note that in order to resolve the "decompression bomb" lint warning, I imposed a 10GB file size limit. Please let me know if the file size is too large (or too small)
  • pterm -> downgrade from 0.12.76 to 0.12.40. The dependencies are different in both versions, but our security scan rejects the indirects above 0.12.40
  • godirwalk -> path/filepath (go native). Only the latest version, 1.7.0, is accepted by our security scan, but 1.7.0 reportedly has a bug (walk EOF error on Windows karrick/godirwalk#70) that is not being fixed or responded to. Also the author wrote this on the readme: "Depending on your specific circumstances, you might no longer need a library for file walking in Go.", linking to an article that seems to imply the go native filepath is now faster than godirwalk

All CI/CD test cases have passed, so hopefully this PR is acceptable.

Thank you!

@cheungaryk cheungaryk marked this pull request as ready for review December 18, 2024 22:10
@cheungaryk cheungaryk marked this pull request as draft December 24, 2024 18:31
@cheungaryk cheungaryk marked this pull request as ready for review December 25, 2024 00:38
@cheungaryk cheungaryk changed the title fix: update vulnerable go dependencies chore: update vulnerable go dependencies Dec 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant