dapr / go-sdk

Dapr SDK for go
Apache License 2.0

fix(security): bump security vulnerabilities #582

Closed sicoyle closed 3 months ago

sicoyle commented 3 months ago

Description

Related to efforts to improve security vulnerabilities. Other efforts below that are related: https://github.com/dapr/dapr/pull/7681 https://github.com/dapr/components-contrib/pull/3390

Issue reference

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

codecov[bot] commented 3 months ago

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.20%. Comparing base (27248ba) to head (83c9622). Report is 14 commits behind head on main.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #582      +/-   ##
==========================================
+ Coverage   58.04%   64.20%   +6.16%
==========================================
  Files          55       52       -3
  Lines        3568     3238     -330
==========================================
+ Hits         2071     2079       +8
+ Misses       1375     1038     -337
+ Partials      122      121       -1
```


sicoyle commented 3 months ago

> Since this suppresses important deprecation notices - there definitely should be a follow-up issue created to migrate the way we create grpc client connections going forwards.

yes, I opened one on dapr/dapr, but will open a similar one here as well and everywhere else I made these updates 😁

mikeee commented 3 months ago

> Since this suppresses important deprecation notices - there definitely should be a follow-up issue created to migrate the way we create grpc client connections going forwards.
>
> yes, I opened one on dapr/dapr, but will open a similar one here as well and everywhere else I made these updates 😁

I appreciate snyk is unable to process this repo for one reason or another but have you noticed snyk not liking v1.64.0 as it has a dependency on x/net 0.22?

sicoyle commented 3 months ago

> I appreciate snyk is unable to process this repo for one reason or another but have you noticed snyk not liking v1.64.0 as it has a dependency on x/net 0.22?

No, I have no insights to see why snyk fails tbh. It failed intermittently on my other security vulnerability bump PRs too. I can try v1.63.0 if you'd like and see if it likes that better or see if there is a version that will change the x/net dep

mikeee commented 3 months ago

> I appreciate snyk is unable to process this repo for one reason or another but have you noticed snyk not liking v1.64.0 as it has a dependency on x/net 0.22?
>
> No, I have no insights to see why snyk fails tbh. It failed intermittently on my other security vulnerability bump PRs too. I can try v1.63.0 if you'd like and see if it likes that better or see if there is a version that will change the x/net dep

I've raised it, I'm not going crazy thankfully. There was an issue updating x/net to v0.22< and I've been told a release is on the way. This looks good to merge and we should have a minor grpc bump at some point in the future 👍

marcduiker commented 1 month ago

@holopin-bot @sicoyle Thanks Sam!

holopin-bot[bot] commented 1 month ago

Congratulations @sicoyle, the maintainer of this repository has issued you a badge! Here it is: https://holopin.io/claim/clzvbao8b199510cjvilu5vmmt

This badge can only be claimed by you, so make sure that your GitHub account is linked to your Holopin account. You can manage those preferences here: https://holopin.io/account. Or if you're new to Holopin, you can simply sign up with GitHub, which will do the trick!