onsi / gomega

Ginkgo's Preferred Matcher Library
http://onsi.github.io/gomega/
MIT License

Bump golang.org/x/net from 0.6.0 to 0.7.0 #640

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps golang.org/x/net from 0.6.0 to 0.7.0.

Commits
  • 8e2b117 http2/hpack: avoid quadratic complexity in hpack decoding
  • 547e7ed http2: avoid referencing ResponseWrite.Write parameter after returning
  • 39940ad html: parse comments per HTML spec
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

ellistarn commented 1 year ago

We do vuln checking in https://github.com/aws/karpenter-core, and have identified gomega as blocking. Can we get this released ASAP?

govulncheck ./pkg/...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.1 and govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 17 Feb 23 00:31 UTC).

Scanning your code and 894 packages across 88 dependent modules for known vulnerabilities...
Your code is affected by 1 vulnerability from 1 module.

Vulnerability #1: GO-2023-1571
  A maliciously crafted HTTP/2 stream could cause excessive CPU
  consumption in the HPACK decoder, sufficient to cause a denial
  of service from a small number of small requests.

  More info: https://pkg.go.dev/vuln/GO-2023-1571

  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.6.0
    Fixed in: golang.org/x/net@v0.7.0
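
The check above is govulncheck matching the module graph (and the call graph) against the vuln.go.dev database. The program below is an added example, not code from Gomega, Karpenter or govulncheck: a stdlib-only Go pre-check that applies the "Fixed in" boundary of GO-2023-1571 to the output of `go list -m all`, so a CI job can fail fast on a known-bad module version without the full tool. The one-entry advisory table, the sample module listing and the hypothetical main module path `github.com/example/service` are constructed for the example; the semver comparison is a deliberately minimal one (no golang.org/x/mod dependency). Unlike govulncheck it only matches module versions, so it reports the vulnerable module whether or not the affected HPACK code is reachable from your binary.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a minimal record of a Go vulnerability report: the module it
// affects and the first version carrying the fix.
type Advisory struct {
	ID      string
	Module  string
	FixedIn string
}

// The single entry is GO-2023-1571 exactly as govulncheck reported it in the
// thread above; a real pipeline would load this table from vuln.go.dev.
var advisories = []Advisory{
	{ID: "GO-2023-1571", Module: "golang.org/x/net", FixedIn: "v0.7.0"},
}

// Constructed sample of `go list -m all` output (main module first, no version).
const sampleGoList = `github.com/example/service
github.com/onsi/gomega v1.27.0
golang.org/x/net v0.6.0
golang.org/x/sys v0.5.0
golang.org/x/text v0.7.0
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts and
// reports whether a pre-release suffix was present.
func parseSemver(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects precedence
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = true
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("not a semver version: %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil || n < 0 {
			return parts, false, fmt.Errorf("bad component %q in %q", f, v)
		}
		parts[i] = n
	}
	return parts, pre, nil
}

// olderThan reports whether version a sorts before version b. A pre-release
// (v0.7.0-rc1) sorts before the matching release (v0.7.0), so it is still
// considered unfixed.
func olderThan(a, b string) (bool, error) {
	pa, preA, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, preB, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return preA && !preB, nil
}

// Finding pairs an affected module line with the advisory it trips.
type Finding struct {
	Module, Version string
	Advisory        Advisory
}

// CheckModuleList scans `go list -m all` output ("path version" per line, the
// main module on a line with no version, replace directives as
// "path v1 => newpath v2") and returns modules selected below a fix version.
func CheckModuleList(goListOutput string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // main module or blank line
		}
		path, version := f[0], f[1]
		if len(f) >= 3 && f[2] == "=>" {
			if len(f) < 5 {
				continue // replaced by a local directory: no version to compare
			}
			path, version = f[3], f[4] // the replacement is what gets built
		}
		for _, adv := range advisories {
			if adv.Module != path {
				continue
			}
			old, err := olderThan(version, adv.FixedIn)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", path, err)
			}
			if old {
				findings = append(findings, Finding{path, version, adv})
			}
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := CheckModuleList(sampleGoList)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, fd := range findings {
		fmt.Printf("%s: %s@%s is below fixed version %s\n",
			fd.Advisory.ID, fd.Module, fd.Version, fd.Advisory.FixedIn)
	}
}
```

Run it as `go list -m all | go run ./precheck` after swapping the constant for stdin; the `go list` form is preferable to grepping go.mod because it reports the version actually selected by MVS, including those pulled in transitively (as gomega pulled x/net into Karpenter here).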

onsi commented 1 year ago

I just shipped v1.27.1 with this dependency bumped.

There isn't a strong SLA around security patching Ginkgo and Gomega (both of which are OSS without any major backing). I'm happy to help when possible, of course - but I'd offer that if this software has become an important component of your organization's toolchain that a corporate sponsorship could be appropriate 😉

ellistarn commented 1 year ago

Thanks for the fix! Above my paygrade, but will forward this message 😅 .

onsi commented 1 year ago

Above my paygrade, but will forward this message

lol, indeed. i totally get it - but a forward would be appreciated 😀