hashicorp / levant

An open source templating and deployment tool for HashiCorp Nomad jobs
Mozilla Public License 2.0
829 stars 125 forks source link

build(deps): bump github.com/hashicorp/nomad from 1.6.2 to 1.6.7 #529

Open dependabot[bot] opened 9 months ago

dependabot[bot] commented 9 months ago

Bumps github.com/hashicorp/nomad from 1.6.2 to 1.6.7.

Release notes

Sourced from github.com/hashicorp/nomad's releases.

v1.6.7

1.6.7 (February 08, 2024)

SECURITY:

  • deps: Updated runc to 1.1.12 to address CVE-2024-21626 [GH-19851]
  • migration: Fixed a bug where archives used for migration were not checked for symlinks that escaped the allocation directory [GH-19887]
  • template: Fixed a bug where symlinks could force templates to read and write to arbitrary locations (CVE-2024-1329) [GH-19888]

v1.6.6

1.6.6 (January 15, 2024)

IMPROVEMENTS:

BUG FIXES:

  • acl: Fixed auth method hashing which meant changing some fields would be silently ignored [GH-19677]
  • auth: Added new optional OIDCDisableUserInfo setting for OIDC auth provider [GH-19566]
  • core: Ensure job HCL submission data is persisted and restored during the FSM snapshot process [GH-19605]
  • namespaces: Failed delete calls no longer return success codes [GH-19483]
  • server: Fix server not waiting for workers to submit nacks for dequeued evaluations before shutting down [GH-19560]
  • state: Fixed a bug where purged jobs would not get new deployments [GH-19609]

v1.6.5

1.6.5 (December 13, 2023)

BUG FIXES:

  • cli: Fix a bug in the var put command which prevented combining items as CLI arguments and other parameters as flags [GH-19423]
  • client: remove incomplete allocation entries from client state database during client restarts [GH-16638]
  • connect: Fixed a bug where deployments would not wait for Connect sidecar task health checks to pass [GH-19334]
  • consul: uses token namespace to fetch policies for verification [GH-18516]
  • csi: Added validation to csi_plugin blocks to prevent stage_publish_base_dir from being a subdirectory of mount_dir [GH-19441]
  • metrics: Revert upgrade of go-metrics to fix an issue where metrics from dependencies, such as raft, were no longer emitted [GH-19375]

v1.6.4

1.6.4 (December 07, 2023)

BREAKING CHANGES:

  • core: Honor job's namespace when checking distinct_hosts feasibility [GH-19004]

SECURITY:

  • build: Update to go1.21.4 to resolve Windows path validation CVE in Go [GH-19013]
  • build: Update to go1.21.5 to resolve Windows path validation CVE in Go [GH-19320]

IMPROVEMENTS:

... (truncated)

Changelog

Sourced from github.com/hashicorp/nomad's changelog.

1.6.7 (February 08, 2024)

SECURITY:

  • deps: Updated runc to 1.1.12 to address CVE-2024-21626 [GH-19851]
  • migration: Fixed a bug where archives used for migration were not checked for symlinks that escaped the allocation directory [GH-19887]
  • template: Fixed a bug where symlinks could force templates to read and write to arbitrary locations (CVE-2024-1329) [GH-19888]

1.6.6 (January 15, 2024)

IMPROVEMENTS:

BUG FIXES:

  • acl: Fixed auth method hashing which meant changing some fields would be silently ignored [GH-19677]
  • auth: Added new optional OIDCDisableUserInfo setting for OIDC auth provider [GH-19566]
  • core: Ensure job HCL submission data is persisted and restored during the FSM snapshot process [GH-19605]
  • namespaces: Failed delete calls no longer return success codes [GH-19483]
  • server: Fix server not waiting for workers to submit nacks for dequeued evaluations before shutting down [GH-19560]
  • state: Fixed a bug where purged jobs would not get new deployments [GH-19609]

1.6.5 (December 13, 2023)

BUG FIXES:

  • cli: Fix a bug in the var put command which prevented combining items as CLI arguments and other parameters as flags [GH-19423]
  • client: remove incomplete allocation entries from client state database during client restarts [GH-16638]
  • connect: Fixed a bug where deployments would not wait for Connect sidecar task health checks to pass [GH-19334]
  • consul: uses token namespace to fetch policies for verification [GH-18516]
  • csi: Added validation to csi_plugin blocks to prevent stage_publish_base_dir from being a subdirectory of mount_dir [GH-19441]
  • metrics: Revert upgrade of go-metrics to fix an issue where metrics from dependencies, such as raft, were no longer emitted [GH-19375]

1.6.4 (December 07, 2023)

BREAKING CHANGES:

  • core: Honor job's namespace when checking distinct_hosts feasibility [GH-19004]

SECURITY:

  • build: Update to go1.21.4 to resolve Windows path validation CVE in Go [GH-19013]
  • build: Update to go1.21.5 to resolve Windows path validation CVE in Go [GH-19320]

IMPROVEMENTS:

  • cli: Add file prediction for operator raft/snapshot commands [GH-18901]
  • ui: color-code node and server status cells [GH-18318]
  • ui: show plan output warnings alongside placement failures and dry-run info when running a job through the web ui [GH-19225]

... (truncated)

Commits
  • 84bcb73 Generate files for 1.6.7 release
  • 1940bdc template: sandbox template rendering
  • b3209cb migration: check symlink sources during archive unpack
  • 7dcdbf3 Backport of template: run template tests on Windows where possible into relea...
  • 77a8a9d Backport of deps: update dependencies indirectly bringing in older runc into ...
  • 06cf29e Backport of chore(deps): bump github.com/opencontainers/runc from 1.1.10 to 1...
  • 13d2d3f Prepare for next release
  • cfd44e0 Generate files for 1.6.6 release
  • c43d07f backport of commit d62280941d3530d6cd021d15d02d972e16f1b5a3 (#19741)
  • 8156ada chore(deps): bump github.com/prometheus/client_golang (#19733) (#19738)
  • Additional commits viewable in compare view


Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hashicorp/levant/network/alerts).

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.