Update a number of dependencies (incl. CVE fixes) #4107

Merged (10 commits) on Oct 26, 2023

Contributor

its-josh4 commented Sep 11, 2023

Includes some dependencies that were upgraded in #4106 as well as a few more dependencies.

Some deps that have been upgraded had CVEs.

Notably, upgrades deprecated dependencies such as:

  • github.com/go-chi/chi (replaced with /v5)
  • github.com/gofrs/uuid (replaced with /v5)
  • github.com/hashicorp/golang-lru (replaced with /v2 which uses generics)

Fixes #3733

@DingDongSoLong4
Collaborator

DingDongSoLong4 commented Sep 23, 2023

I'm running into a few issues with the yaml upgrade.

If you clone the CommunityScrapers repo and set your scraper path to that, you'll get a "did not find expected key" error for both the Babepedia.yml and Hotmovies.yml scrapers. I've managed to figure out what was causing the message: the parser seems to be choking on a string input of "\n\n{other chars}" (not "\n\n", it deals with that fine). The problematic lines are here in Babepedia.yml and here in Hotmovies.yml. If you get rid of the \n characters on those lines, the error goes away.

There are a couple issues on the https://github.com/go-yaml/yaml repo relating to newline issues, and many of them are quite old. I have a feeling we're going to have to fix the bug ourselves, or find a non-broken version to use.

@its-josh4
Contributor Author

I can downgrade the YAML library

@DingDongSoLong4
Collaborator

@its-josh4 I think that's the best option for now yes. v2.4.0 seems to be the latest version that doesn't have this issue, and it is the version we were on previously as well.

@DingDongSoLong4
Collaborator

@its-josh4 I believe the last line in go.mod (replace git.apache.org/thrift.git ...) can be removed - it doesn't appear to be doing anything anymore.

@its-josh4
Contributor Author

@DingDongSoLong4 updated as you requested. Reverted the YAML library to v2, and removed the unnecessary replacement in go.mod (also fixed merge conflicts)
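
An added example, not code from this PR or the stash project: a small go.mod check that flags the three pre-upgrade import paths named in the description and any `replace` directive whose module no longer appears in a require line, the situation raised above about the last line of go.mod. The helper name `AuditGoMod`, the sample file and its versions are constructed, and it assumes a Go 1.17+ go.mod that lists indirect requirements.

```go
package main

import (
	"fmt"
	"strings"
)

// legacy maps the old import paths named in this PR to their successors.
var legacy = map[string]string{
	"github.com/go-chi/chi":           "github.com/go-chi/chi/v5",
	"github.com/gofrs/uuid":           "github.com/gofrs/uuid/v5",
	"github.com/hashicorp/golang-lru": "github.com/hashicorp/golang-lru/v2",
}
// sampleGoMod is a constructed go.mod body; example.com paths are hypothetical.
const sampleGoMod = "require (\n\tgithub.com/go-chi/chi v4.1.2+incompatible\n" +
	"\tgithub.com/gofrs/uuid/v5 v5.0.0 // indirect\n)\n" +
	"require github.com/hashicorp/golang-lru v0.5.4\nreplace example.com/old/dep => example.com/fork/dep v0.0.0\n"
// AuditGoMod (hypothetical helper) flags legacy paths and unreferenced replaces.
func AuditGoMod(src string) (findings []string) {
	required, replaced, block := map[string]bool{}, []string{}, ""
	for _, line := range strings.Split(src, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		f := strings.Fields(line)
		kind := block
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")" || (len(f) == 2 && f[1] == "("):
			block = strings.Trim(f[0], ")") // "" when a block closes, else its directive
			continue
		case block == "":
			kind, f = f[0], f[1:] // single-line directive
		}
		if kind == "require" && len(f) > 0 {
			required[f[0]] = true
			if repl, ok := legacy[f[0]]; ok {
				findings = append(findings, "legacy path "+f[0]+": migrate to "+repl)
			}
		} else if kind == "replace" && len(f) > 0 {
			replaced = append(replaced, f[0])
		}
	}
	for _, m := range replaced {
		if !required[m] {
			findings = append(findings, "stale replace "+m+": not in any require line")
		}
	}
	return findings
}
func main() { fmt.Println(strings.Join(AuditGoMod(sampleGoMod), "\n")) }
```

A "stale replace" finding is a prompt to confirm with `go mod why -m` or `go mod graph` before deleting the directive, since the check only reads go.mod text.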

WithoutPants added this to the Version 0.24.0 milestone Oct 16, 2023
WithoutPants added the chore (Pull requests for refactoring and admin work) label Oct 16, 2023
@DingDongSoLong4
Collaborator

DingDongSoLong4 commented Oct 22, 2023

@its-josh4 If you wouldn't mind, can you also upgrade vearutop/statigz to 1.4.0? I've had this upgrade on my local branch adding brotli compression for ages with no issues. It shouldn't require any code changes.

@its-josh4
Contributor Author

> @its-josh4 If you wouldn't mind, can you also upgrade vearutop/statigz to 1.4.0? I've had this upgrade on my local branch adding brotli compression for ages with no issues. It shouldn't require any code changes.

Done. Maybe this PR could be merged and other deps can be updated separately?

WithoutPants merged commit 2b8c253 into stashapp:develop Oct 26, 2023
2 checks passed
halkeye pushed a commit to halkeye/stash that referenced this pull request Sep 1, 2024
* Update a number of dependencies (incl. CVE fixes)

Includes some dependencies that were upgraded in stashapp#4106 as well as a few more dependencies.

Some deps that have been upgraded had CVEs.

Notably, upgrades deprecated dependencies such as:
- `github.com/go-chi/chi` (replaced with `/v5`)
- `github.com/gofrs/uuid` (replaced with `/v5`)
- `github.com/hashicorp/golang-lru` (replaced with `/v2` which uses generics)

* Upgraded a few more deps

* lint

* reverted yaml library to v2

* remove unnecessary mod replace

* Update chromedp

Fixes stashapp#3733