
[1.1 backport] vendor: google.golang.org/protobuf 1.33.0 #4361

Conversation

dependabot bot added 8 commits July 29, 2024 22:34
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 82bc042)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 450dd3e)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 6b41f8e)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a7046b8)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 8f0d0c4)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps google.golang.org/protobuf from 1.30.0 to 1.31.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a57d94d)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 43306be)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 7ab66b1)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
@austinvazquez austinvazquez marked this pull request as ready for review July 29, 2024 23:03
@rata (Member) commented Jul 30, 2024

> false positive warnings for package < 1.33.0

What were the warnings? How do you trigger them?

@austinvazquez (Contributor, Author) commented

@rata, I see the warning when running govulncheck; however, this is a false positive as runc does not use/vendor the affected packages.

```
[runc]$ govulncheck -mode=binary runc
=== Symbol Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.27.1
    Fixed in: google.golang.org/protobuf@v1.33.0
    Vulnerable symbols found:
      #1: json.Decoder.Peek
      #2: json.Decoder.Read
      #3: protojson.Unmarshal
      #4: protojson.UnmarshalOptions.Unmarshal

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
[runc]$ 
```
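The argument in the comment above rests on which packages of google.golang.org/protobuf are actually in runc's vendor tree, and that is something `vendor/modules.txt` records package by package. The program below makes that cross-check mechanical: it parses the modules.txt format and reports which of the advisory's packages are vendored for a given module. It is an added example, not code from runc, protobuf-go or govulncheck; the modules.txt content is constructed for the example, and the list of affected packages is an assumption derived from the symbols govulncheck printed (`protojson.*` lives in `google.golang.org/protobuf/encoding/protojson`, `json.Decoder` in `google.golang.org/protobuf/internal/encoding/json`), so confirm it against the advisory page before relying on it.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleModulesTxt is a constructed stand-in for runc's vendor/modules.txt,
// cut down to two modules, in the layout `go mod vendor` writes: a
// "# <module> <version>" header, an optional "## explicit" line, then one
// vendored package import path per line.
const sampleModulesTxt = `# github.com/golang/protobuf v1.5.2
## explicit; go 1.9
github.com/golang/protobuf/proto
# google.golang.org/protobuf v1.27.1
## explicit; go 1.9
google.golang.org/protobuf/encoding/prototext
google.golang.org/protobuf/encoding/protowire
google.golang.org/protobuf/proto
google.golang.org/protobuf/reflect/protoreflect
google.golang.org/protobuf/runtime/protoimpl
`

// affectedPackages carry the symbols govulncheck listed for GO-2024-2611. The
// mapping (protojson.* -> encoding/protojson, json.Decoder.* ->
// internal/encoding/json) is an assumption of this example; check the advisory.
var affectedPackages = []string{
	"google.golang.org/protobuf/encoding/protojson",
	"google.golang.org/protobuf/internal/encoding/json",
}

// Module is one "# module version" entry of vendor/modules.txt.
type Module struct {
	Path     string
	Version  string
	Packages []string
}

// ParseModulesTxt parses vendor/modules.txt into modules keyed by module path.
func ParseModulesTxt(content string) (map[string]*Module, error) {
	mods := make(map[string]*Module)
	var cur *Module
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "## "):
			// blank line or "## explicit; go 1.9" annotation: nothing to record
		case strings.HasPrefix(line, "# "):
			// "# path version" or "# path version => replacement"; a directory
			// replacement ("# path => ../dir") carries no version.
			fields := strings.Fields(line[2:])
			if len(fields) == 0 {
				return nil, fmt.Errorf("line %d: malformed module header %q", n, line)
			}
			cur = &Module{Path: fields[0]}
			if len(fields) > 1 && fields[1] != "=>" {
				cur.Version = fields[1]
			}
			mods[cur.Path] = cur
		default:
			if cur == nil {
				return nil, fmt.Errorf("line %d: package %q before any module header", n, line)
			}
			cur.Packages = append(cur.Packages, line)
		}
	}
	return mods, sc.Err()
}

// VendoredAffected returns the affected packages actually vendored for module,
// in the order given. An empty result means none of the packages carrying the
// advisory's symbols are in the vendor tree, so a -mod=vendor build cannot
// compile them in, whatever version the module header states.
func VendoredAffected(mods map[string]*Module, module string, affected []string) []string {
	m, ok := mods[module]
	if !ok {
		return nil
	}
	have := make(map[string]bool, len(m.Packages))
	for _, p := range m.Packages {
		have[p] = true
	}
	var hits []string
	for _, p := range affected {
		if have[p] {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	mods, err := ParseModulesTxt(sampleModulesTxt)
	if err != nil {
		panic(err)
	}
	const mod = "google.golang.org/protobuf"
	fmt.Printf("%s %s: affected packages vendored: %v\n", mod, mods[mod].Version, VendoredAffected(mods, mod, affectedPackages))
}
```

To run it against the real tree, read `vendor/modules.txt` into `ParseModulesTxt` instead of the constructed constant. Keep in mind that `govulncheck -mode=binary` reports symbols it finds in the compiled binary, not in the source tree, so this vendor-tree check and a symbol-level look at the binary itself (for example `go tool nm runc | grep protojson`) are complementary views, and a clean vendor tree only proves the point for builds that actually use `-mod=vendor`.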

@rata (Member) left a comment

@austinvazquez oh, govulncheck, thanks!

I've verified locally that make vendor passes fine, just in case.

LGTM.

@kolyshkin kolyshkin added this to the 1.1.14 milestone Aug 1, 2024
@kolyshkin kolyshkin merged commit 931f463 into opencontainers:release-1.1 Aug 1, 2024
28 checks passed
@austinvazquez austinvazquez deleted the backport-protobuf-updates-to-1.1 branch August 2, 2024 03:09
4 participants