dmathieu
commented
1 month ago We do force specific versions on them then. Old ones.
Closed dmathieu closed 1 month ago
dmathieu
commented
1 month ago We do force specific versions on them then. Old ones.
kruskall
commented
1 month ago We do force specific versions on them then. Old ones.
Nope, because they have a choice to use the version provided by the go agent (the minimum version supported by the agent) or pin to a new version :slightly_smiling_face:
The argument when this was made was that the go agent would try to support as many versions as possible and only update if we want to increase the minimum supported version for security (see https://github.com/elastic/apm-agent-go/security/dependabot?q=is%3Aclosed)
dmathieu
commented
1 month ago All right, I'll close this.
For the record, this means all the warnings in snyk need to be ignored. https://app.snyk.io/org/universal-profiler/reporting?context[page]=issues-detail&project_target=%255B%2522elastic%252Fapm-agent-go%2522%255D&project_origin=%255B%2522github%2522%255D&issue_status=%255B%2522Open%2522%255D&issue_by=Severity&table_issues_detail_cols=SEVERITY%257CSCORE%257CCVE%257CCWE%257CPROJECT%257CEXPLOIT%2520MATURITY%257CCOMPUTED%2520FIXABILITY%257CINTRODUCED%257CSNYK%2520PRODUCT&v=1
This is meant to allow upgrading module dependencies (which dependabot doesn't currently look at), while switching to the tool that Platform Engineering recommends using.