Jacalz
commented
1 year ago The error does not seem to be the fault of this PR?
Closed Jacalz closed 1 year ago
Jacalz
commented
1 year ago The error does not seem to be the fault of this PR?
Jacalz
commented
1 year ago With Go 1.20 having been released today, I think updating to Go 1.17 as the lowest supported compiler version seems sensible.
Jacalz
commented
1 year ago I have added a few more module updates to get rid of security warnings from dependabot.
Jacalz
commented
1 year ago Managed to get the tests passing again. Seems like setup-go/v3 was broken.
psanford
commented
1 year ago I'm not particularly interested in updating packages simply for the sake of updating them without a concrete benefit.
Downstream packages that don't like the false positive security scanner alerts can set a newer version of those packages in their go.mod.
Jacalz
commented
1 year ago I provided an explanation for why I updated all three packages. There is no update for the sake of updating here...
The update of
klauspost/compressbrings in a bunch of smaller improvements to the performance and compression-ratio. It does raise the minimum Go version to Go 1.17 which has the benefit of now enabling lazy module module graph pruning and lazy module loading (basically less of the unused deps need to be downloaded).The update of
spf13/cobrameans that it usesgopkg.in/yaml.v3instead ofgopkg.in/yaml.v2, in turn fixing a security issue. This should avoid downstream projects using this project to get dependabot alerts from GitHub.The update of
golang.org/x/cryptofixes a security issue (although not one relevant to this project). However, the update here avoids downstream projects using this project to get dependabot alerts from GitHub.