search

xmidt-org / themis

This is a JWT Issuer for the Xmidt service
Apache License 2.0
4 stars 10 forks source link

feat(deps): bump github.com/spf13/viper from 1.18.1 to 1.18.2 #195

Closed dependabot[bot] closed 8 months ago

dependabot[bot] commented 8 months ago

Bumps github.com/spf13/viper from 1.18.1 to 1.18.2.

Release notes

Sourced from github.com/spf13/viper's releases.

v1.18.2

tl;dr Skip 1.18.0 and 1.18.1 and upgrade to this version instead.

This release fixes a regression that appears in rare circumstances when using Unmarshal or UnmarshalExact to decode values onto pointers with multiple indirection (eg. pointer to a pointer, etc). The change was introduced in 1.18.0 as a means to resolve a long-standing bug when decoding environment variables to structs.

The feature is now disabled by default and can be enabled using the viper_bind_struct build tag. It's also considered experimental at this point, so breaking changes may be introduced in the future.

What's Changed

Bug Fixes 🐛

Full Changelog: https://github.com/spf13/viper/compare/v1.18.1...v1.18.2

Commits
  • ab3a50c fix!: hide struct binding behind a feature flag
  • 9154b90 build(deps): bump actions/setup-go from 4.1.0 to 5.0.0
  • 08e4a00 build(deps): bump github/codeql-action from 2.22.8 to 2.22.9
  • See full diff in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
guardrails[bot] commented 8 months ago

:warning: We detected 1 security issue in this pull request:

Vulnerable Libraries (1)
Severity | Details :-: | :-- High | [pkg:golang/github.com/spf13/viper@v1.18.2](https://github.com/xmidt-org/themis/blob/343ef6ec7efb2fcfbda55d76426375a5b46fba46/go.mod#L15) upgrade to: *> v1.18.2* More info on how to fix Vulnerable Libraries in [Go](https://docs.guardrails.io/docs/en/vulnerabilities/go/using_vulnerable_libraries.html?utm_source=ghpr).

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.