Closed camillof closed 2 years ago
dep was deprecated at the beginning of 2020: https://github.com/golang/dep#dep

> NOTE: Dep was an official experiment to implement a package manager for Go. As of 2020, Dep is deprecated and archived in favor of Go modules, which have had official support since Go 1.11. For more details, see https://golang.org/ref/mod.
There is an open PR that introduces the use of Go modules (#492). It would be great if we could put this update in the queue. However, the Snyk captures are really useful for proving these changes resolve the vulnerability. But I'm not sure the tests for the macOS build have actually run; can we confirm that?
Congrats on your first PR 🎉
Nice catch. Indeed, the tests for the macOS build hadn't been running for a long time. A PR to fix that was merged here (#498), so I rebased this branch, and now they are running just fine.
I agree on stopping using Dep. Are you OK with me creating a new task for this, as this PR could unblock the user who requested this change, and we can continue working on that migration?
@camillof

> As this PR could unblock the user who requested this change, and we can continue working on that migration?

Sounds good 👍🏼
@camillof can you open one of these https://github.com/codeclimate/test-reporter/pull/489/files once you merge this one?
Thanks for the heads up! Here it is: https://github.com/codeclimate/test-reporter/pull/500
Context

As reported on #496, a golang crypto dependency has a vulnerability in the version used by the test-reporter: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTO-2825234

Details

This PR updates the golang.org/x/crypto dependency from revision 04eae0b62feaaf659a0ce2c4e8dc70b6ae2fff67 to revision 630584e8d5aaa1472863b49679b2d5548d80dcba. The Gopkg.lock diff can be large because of a format change in newer versions of dep, but the most important change is here: https://github.com/codeclimate/test-reporter/compare/master...QUA-678/Fix-CC-reporter-go-crypto-vulnerability#diff-bbebd336cd92f353b3401e61be3cb9eb0267ea89704f556ce40c944cc5257e08R105

Snyk inspect before:
Snyk inspect after:
Command run to update the dependency:
dep ensure -update golang.org/x/crypto
Closes #496
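The PR above proves the fix with Snyk screenshots and a hand-inspected Gopkg.lock diff. A reviewer or CI job can verify the same thing mechanically by reading the `revision` pinned for `golang.org/x/crypto` in Gopkg.lock and comparing it against the revision the PR moves away from. The following is an added example written for this page, not code from the test-reporter project: a stdlib-only scanner for dep's `[[projects]]` blocks. The lock-file content is constructed for the example (the `example.com/unrelated/lib` entry and the digests are placeholders); the two `golang.org/x/crypto` revisions are the ones quoted in the PR description, and the "known bad" list contains only the pre-fix revision named there, not a full vulnerable range.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Revisions quoted in the PR description: the pinned revision before the
// update and the one the PR moves to.
const (
	vulnerableRev = "04eae0b62feaaf659a0ce2c4e8dc70b6ae2fff67"
	updatedRev    = "630584e8d5aaa1472863b49679b2d5548d80dcba"
)

// vulnerableLock is a constructed Gopkg.lock in dep's format (not the
// project's real lock file), pinned to the pre-fix revision.
const vulnerableLock = `# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.

[[projects]]
  digest = "1:placeholder"
  name = "example.com/unrelated/lib"
  packages = ["."]
  pruneopts = "UT"
  revision = "0000000000000000000000000000000000000000"

[[projects]]
  branch = "master"
  digest = "1:placeholder"
  name = "golang.org/x/crypto"
  packages = ["ssh/terminal"]
  pruneopts = "UT"
  revision = "` + vulnerableRev + `"

[solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
  solver-name = "gps-cdcl"
  solver-version = 1
`

// fixedLock is what the same file looks like after the update.
var fixedLock = strings.Replace(vulnerableLock, vulnerableRev, updatedRev, 1)

// knownBad maps an import path to revisions a CI guard should reject.
// Only the revision the PR replaces is listed here (assumption: that is
// the only revision we have evidence about from the page).
var knownBad = map[string][]string{
	"golang.org/x/crypto": {vulnerableRev},
}

// unquote extracts the value from a `key = "value"` line.
func unquote(line string) string {
	kv := strings.SplitN(line, "=", 2)
	if len(kv) != 2 {
		return ""
	}
	return strings.Trim(strings.TrimSpace(kv[1]), `"`)
}

// lockedRevisions returns name -> revision for every [[projects]] block.
// It only understands the name and revision keys dep writes, which is
// enough for a pin check; the [solve-meta] section carries neither.
func lockedRevisions(lock string) map[string]string {
	revs := map[string]string{}
	var name, rev string
	flush := func() {
		if name != "" && rev != "" {
			revs[name] = rev
		}
		name, rev = "", ""
	}
	for _, raw := range strings.Split(lock, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "[[projects]]":
			flush()
		case strings.HasPrefix(line, "name ="):
			name = unquote(line)
		case strings.HasPrefix(line, "revision ="):
			rev = unquote(line)
		}
	}
	flush()
	return revs
}

// vulnerableProjects lists projects whose pinned revision is on the bad list,
// sorted so the output is stable for CI logs.
func vulnerableProjects(lock string, bad map[string][]string) []string {
	var out []string
	for name, rev := range lockedRevisions(lock) {
		for _, b := range bad[name] {
			if rev == b {
				out = append(out, name)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("before:", vulnerableProjects(vulnerableLock, knownBad))
	fmt.Println("after: ", vulnerableProjects(fixedLock, knownBad))
}
```

The check deliberately compares exact revisions rather than trying to order commit hashes: git revisions are not comparable, so "newer than" can only be decided from a list of known-bad pins or from a full tool such as Snyk or govulncheck. Because the lock file is a generated artifact, a scan like this belongs next to `dep ensure -update` in CI so a later `dep ensure` cannot silently re-pin the old revision.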