Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.1 backport] vendor: google.golang.org/protobuf 1.33.0 #4361

Merged
merged 8 commits into from
Aug 1, 2024
Merged

[1.1 backport] vendor: google.golang.org/protobuf 1.33.0 #4361

merged 8 commits into from
Aug 1, 2024

Conversation

austinvazquez
Copy link
Contributor

@austinvazquez austinvazquez commented Jul 29, 2024
edited
Loading

dependabot bot added 8 commits July 29, 2024 22:34
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
88f54b2 
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 82bc042)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
19c47f6 
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 450dd3e)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2a9acb9 
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 6b41f8e)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
81461ed 
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit a7046b8)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
3b5bf8f 
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](protocolbuffers/protobuf-go@v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 8f0d0c4)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
ac5fc48 
Bumps google.golang.org/protobuf from 1.30.0 to 1.31.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit a57d94d)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
31f2944 
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 43306be)
Signed-off-by: Austin Vazquez <[email protected]>
@dependabot @austinvazquez
build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
1f58704 
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 7ab66b1)
Signed-off-by: Austin Vazquez <[email protected]>
@austinvazquez austinvazquez marked this pull request as ready for review July 29, 2024 23:03
@rata
Copy link
Member

rata commented Jul 30, 2024

false positive warnings for package < 1.33.0

What were the warnings? How do you trigger them?

@austinvazquez
Copy link
Contributor Author

@rata, I see the warning when running govulncheck; however, this is a false positive as runc does not use/vendor the affected packages.

[runc]$ govulncheck -mode=binary runc
=== Symbol Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]
    Vulnerable symbols found:
      #1: json.Decoder.Peek
      #2: json.Decoder.Read
      #3: protojson.Unmarshal
      #4: protojson.UnmarshalOptions.Unmarshal

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
[runc]$

rata
rata approved these changes Jul 31, 2024
View reviewed changes
Copy link
Member

@rata rata left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@austinvazquez oh, govulncheck, thanks!

I've verified locally that make vendor passes fine, just in case.

LGTM.

@kolyshkin kolyshkin added this to the 1.1.14 milestone Aug 1, 2024
@kolyshkin kolyshkin merged commit 931f463 into opencontainers:release-1.1 Aug 1, 2024
28 checks passed
@austinvazquez austinvazquez deleted the backport-protobuf-updates-to-1.1 branch August 2, 2024 03:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rata rata rata approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
status/4-merge
Projects
None yet
Milestone
1.1.14
Development

Successfully merging this pull request may close these issues.
4 participants
@austinvazquez @rata @AkihiroSuda @kolyshkin