Closed dependabot[bot] closed 1 month ago
By using the pnpm-lock.yaml from https://github.com/bastienwirtz/homer/blob/e23868c5940e805a259d7836190923b1ee6efbfa/pnpm-lock.yaml, a stack overflow was caused:
[Jun 7 11:54:22] INFO [pnpm-v9] Scanning listen port...
[Jun 7 11:54:22] INFO [pnpm-v9] Using Port Scanner: Vuls built-in Scanner
[Jun 7 11:54:22] INFO [pnpm-v9] Scanning Language-specific Packages...
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc02368e5f8 stack=[0xc02368e000, 0xc04368e000]
fatal error: stack overflow
runtime stack:
runtime.throw({0x3b21e25?, 0x200000001?})
/home/shino/sdk/go1.22.3/src/runtime/panic.go:1023 +0x5c fp=0x7fff4345fda8 sp=0x7fff4345fd78 pc=0x43e43c
runtime.newstack()
/home/shino/sdk/go1.22.3/src/runtime/stack.go:1103 +0x5bd fp=0x7fff4345ff58 sp=0x7fff4345fda8 pc=0x459bfd
runtime.morestack()
/home/shino/sdk/go1.22.3/src/runtime/asm_amd64.s:616 +0x7a fp=0x7fff4345ff60 sp=0x7fff4345ff58 pc=0x4728da
goroutine 72 gp=0xc000e97c00 m=0 mp=0x6dbfe00 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc00247de90, 0x22}, 0xc04368d7e8, 0xc04368d6e8)
/home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:222 +0x1fc fp=0xc02368e608 sp=0xc02368e600 pc=0x27e33bc
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc0008977d0, 0x13}, 0xc04368d7e8, 0xc04368d6e8)
/home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:233 +0x1bc fp=0xc02368e9d8 sp=0xc02368e608 pc=0x27e337c
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc002598348, 0x14}, 0xc04368d7e8, 0xc04368d6e8)
/home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:233 +0x1bc fp=0xc02368eda8 sp=0xc02368e9d8 pc=0x27e337c
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc0025bc100, 0x19}, 0xc04368d7e8, 0xc04368d6e8)
/home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:233 +0x1bc fp=0xc02368f178 sp=0xc02368eda8 pc=0x27e337c
[snip]
This has probably been fixed on the main branch by https://github.com/aquasecurity/trivy/pull/6857.
The commit graph after v0.52.0 is as follows at this point:
e8d8af450 (HEAD -> refs/heads/main, refs/remotes/origin/main, refs/remotes/origin/HEAD) chore: auto label discussions (#5259)
| * 25e89c8af (refs/remotes/origin/release-please--branches--main) release: v0.53.0 [main]
|/
* 63eb85a06 docs: explain how VEX is applied (#6864)
* 1e2db83e4 ci: automate backporting process (#6781)
* d4aea2788 ci: create release branch (#6859)
* faa9d92cf fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)
* 7d083bc89 fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857) ### <===== FIXED
* 042d6b08c feat(dart): use first version of constraint for dependencies using SDK version (#6239)
* 8141a137b fix(misconf): parsing numbers without fraction as int (#6834)
* 0bcfedbca fix(misconf): fix caching of modules in subdirectories (#6814)
* 02d540478 feat(misconf): add metadata to Cloud schema (#6831)
* 8dd076a76 chore(deps): bump the aws group across 1 directory with 7 updates (#6837)
* bab16b88a chore(deps): bump the common group with 5 updates (#6842)
* b7b8cdc9e test: replace embedded Git repository with dynamically created repository (#6824)
* c24dfbab6 (tag: refs/tags/v0.52.0, refs/remotes/origin/release/v0.52) release: v0.52.0 [main] (#6809)
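The trace above shows `markRootPkgs` calling itself from parse.go:233 until the goroutine stack limit is hit, which is what a recursive walk over a lockfile with cyclic imports does when nothing records which packages were already visited. The following is an added Go example, not Vuls or Trivy code, that reproduces the failure mode on a constructed dependency map shaped like the `packages:` section of a pnpm-lock.yaml and shows the shape of the fix: an unguarded recursive walk whose divergence is made observable by a budget instead of a crash, next to a walk with a visited set that terminates. The graph, the root IDs and all function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// depGraph maps a package ID to the IDs it depends on. It is modelled on the
// `packages:` section of a pnpm-lock.yaml; the fixture below is constructed
// for this example and is not taken from any real lockfile.
type depGraph map[string][]string

// sampleGraph contains the cycle a -> b -> c -> a plus one package that is
// not reachable from the application root.
var sampleGraph = depGraph{
	"/app@1.0.0":    {"/a@1.0.0", "/d@1.0.0"},
	"/a@1.0.0":      {"/b@1.0.0"},
	"/b@1.0.0":      {"/c@1.0.0"},
	"/c@1.0.0":      {"/a@1.0.0"}, // closes the cycle
	"/d@1.0.0":      nil,
	"/orphan@1.0.0": {"/d@1.0.0"}, // never reached from /app@1.0.0
}

var errBudgetExhausted = errors.New("traversal budget exhausted: dependency graph is probably cyclic")

// walkUnguarded recurses into dependencies without remembering what it has
// already seen. On a cyclic graph this never terminates on its own; the
// budget exists only so the divergence is reported as an error instead of
// exhausting the goroutine stack, as in the trace from trivy v0.52.0.
func walkUnguarded(g depGraph, id string, budget *int) error {
	if *budget == 0 {
		return errBudgetExhausted
	}
	*budget--
	for _, dep := range g[id] {
		if err := walkUnguarded(g, dep, budget); err != nil {
			return err
		}
	}
	return nil
}

// markReachable marks every package reachable from roots. The visited set is
// the cycle guard: a package that is already marked is never expanded again,
// so each node is entered at most once regardless of how the edges loop.
func markReachable(g depGraph, roots []string) map[string]bool {
	visited := make(map[string]bool, len(g))
	var walk func(id string)
	walk = func(id string) {
		if visited[id] {
			return
		}
		visited[id] = true
		for _, dep := range g[id] {
			walk(dep)
		}
	}
	for _, r := range roots {
		walk(r)
	}
	return visited
}

// reachableIDs returns the marked package IDs in sorted order so the result
// is stable for comparison.
func reachableIDs(g depGraph, roots []string) []string {
	marked := markReachable(g, roots)
	ids := make([]string, 0, len(marked))
	for id := range marked {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

func main() {
	budget := 1000
	if err := walkUnguarded(sampleGraph, "/app@1.0.0", &budget); err != nil {
		fmt.Println("unguarded walk:", err)
	}
	fmt.Println("guarded walk:", reachableIDs(sampleGraph, []string{"/app@1.0.0"}))
}
```

The guarded walk is what a scanner needs when the lockfile it parses is attacker- or tool-controlled: a single back-edge in a dependency graph must not be able to take the whole scan down.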
@MaineK00n How about skipping this version?
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps github.com/aquasecurity/trivy from 0.51.4 to 0.52.0.
Release notes
Sourced from github.com/aquasecurity/trivy's releases.
Changelog
Sourced from github.com/aquasecurity/trivy's changelog.
Commits
- c24dfba release: v0.52.0 [main] (#6809)
- 728e77a fix(plugin): initialize logger (#6836)
- 83fc6e7 chore(deps): bump alpine from 3.19.1 to 3.20.0 in the docker group (#6835)
- c2b9132 fix(cli): always output fatal errors to stderr (#6827)
- aa0c413 fix: close testfile (#6830)
- 1c49ae9 docs(julia): add scanner table (#6826)
- 29615be feat(python): add license support for `requirement.txt` files (#6782)
- 2f05418 docs: add more workarounds for out-of-disk (#6821)
- 5b0bc58 chore: improve error message for image not found (#6822)
- f92ea09 fix(sbom): fix panic for `convert` mode when scanning json file derived from ...

Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/aquasecurity/trivy | [>= 0.50.2.a, < 0.50.3] |
| github.com/aquasecurity/trivy | [< 0.51, > 0.50.1] |

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show