-
Notifications
You must be signed in to change notification settings - Fork 59
🚨 Update go modules (main) (major) #3133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -35,7 +35,7 @@ require ( | |
| github.com/yudai/gojsondiff v1.0.0 | ||
| golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f | ||
| golang.org/x/sync v0.21.0 | ||
| gopkg.in/go-jose/go-jose.v2 v2.6.3 | ||
| gopkg.in/go-jose/go-jose.v4 v4.1.4 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [high] incomplete-security-fix The go-jose upgrade from v2 to v4 addresses GHSA-78h2-9frx-2jm8 and GHSA-c6gw-w398-hv78, but acceptance/image/image.go still imports v2. Security fixes in v4 will not apply to code importing the v2 module path. Suggested fix: Update the import in acceptance/image/image.go to the v4 module path, adapt to API changes, and run go mod tidy to remove v2 from the dependency graph. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [high] incomplete-major-version-bump go-jose v2→v4: The PR replaces gopkg.in/go-jose/go-jose.v2 with .v4 but acceptance/image/image.go:60 still imports gopkg.in/go-jose/go-jose.v2/json. The old v2 is removed as a direct dependency — if not available transitively, the build will fail. go-jose v4 also removed the json sub-package entirely. Suggested fix: Update acceptance/image/image.go to use 'encoding/json' instead of 'gopkg.in/go-jose/go-jose.v2/json', then remove v2 from the dependency tree. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [high] known-vulnerable-dependency go-jose v2 has known CVEs (CVE-2023-50658, CVE-2024-28180) but remains in the compiled binary because the source code still imports it. The go.mod change does not remediate these vulnerabilities — the vulnerable module stays in the dependency graph. Suggested fix: Migrate source code away from go-jose v2 imports to actually remove the vulnerable dependency from the module graph. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [high] correctness go-jose v2→v4 in acceptance module: the require directive replaces gopkg.in/go-jose/go-jose.v2 with .v4, but acceptance/image/image.go still imports gopkg.in/go-jose/go-jose.v2/json. Unlike the root module changes, the old v2 is not preserved as a fallback dependency. The acceptance/go.sum is also not updated with v4 checksums. This may cause build failures. Suggested fix: Update the import in acceptance/image/image.go from gopkg.in/go-jose/go-jose.v2/json to the v4 equivalent, update acceptance/go.sum with v4 checksums, verify API compatibility, and run go mod tidy in the acceptance module. |
||
| k8s.io/api v0.36.0 | ||
| k8s.io/apimachinery v0.36.0 | ||
| k8s.io/client-go v0.36.0 | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,7 @@ go 1.26.3 | |
| require ( | ||
| cuelang.org/go v0.16.0 | ||
| github.com/CycloneDX/cyclonedx-go v0.10.0 | ||
| github.com/MakeNowJust/heredoc v1.0.0 | ||
| github.com/MakeNowJust/heredoc/v2 v2.0.1 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [medium] logic-error github.com/MakeNowJust/heredoc/v2 v2.0.1 is added as a direct dependency but no source file imports the v2 path. All 19 files import v1. The v2 dependency is unused. Suggested fix: Either update all 19 source files to import heredoc/v2 or remove the v2 entry from go.mod. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [high] correctness heredoc v1→v2 major version bump: go.mod adds heredoc/v2 as a direct dependency but all 19 source files still import the v1 path (github.com/MakeNowJust/heredoc). The v2 module is completely unused and would be removed by go mod tidy. Import paths in all consuming .go files must be updated to github.com/MakeNowJust/heredoc/v2. Suggested fix: Update all 19 import statements from github.com/MakeNowJust/heredoc to github.com/MakeNowJust/heredoc/v2, verify the v2 whitespace handling change is acceptable, remove the v1 require entry, and run go mod tidy. |
||
| github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a | ||
| github.com/conforma/crds/api v0.1.7 | ||
| github.com/conforma/go-gather v1.2.0 | ||
|
|
@@ -29,7 +29,7 @@ require ( | |
| github.com/open-policy-agent/opa v1.15.2 | ||
| github.com/package-url/packageurl-go v0.1.3 | ||
| github.com/qri-io/jsonpointer v0.1.1 | ||
| github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 | ||
| github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [medium] logic-error github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 is added as a direct dependency but no source file imports v6. All 3 files import v5. The v6 dependency is unused. Suggested fix: Either update the 3 source files to import jsonschema/v6 and adapt to the new API, or remove the v6 entry from go.mod. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [high] correctness jsonschema v5→v6 major version bump: go.mod adds jsonschema/v6 as a direct dependency but all 3 source files (pkg/schema/schema.go, internal/policy/policy.go, internal/evaluation_target/application_snapshot_image/application_snapshot_image.go) still import jsonschema/v5. The v6 module is unused. Additionally, jsonschema v6 has breaking API changes to NewCompiler(), CompileString(), AddResource(), and ValidationError that must be addressed during migration. Suggested fix: Update import paths from jsonschema/v5 to jsonschema/v6, follow the v5→v6 migration guide at santhosh-tekuri/jsonschema#172, update API call sites, remove the v5 require entry, and run go mod tidy. |
||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 | ||
| github.com/sigstore/cosign/v3 v3.0.4 | ||
| github.com/sigstore/rekor v1.5.3 | ||
|
|
@@ -63,9 +63,11 @@ require ( | |
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.21.8-0.20260626175242-ae5f0ae7a0b0 | ||
|
|
||
| require ( | ||
| github.com/MakeNowJust/heredoc v1.0.0 | ||
| github.com/go-openapi/runtime v0.32.4 | ||
| github.com/google/uuid v1.6.0 | ||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 | ||
| github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 | ||
| golang.org/x/text v0.38.0 | ||
| gopkg.in/yaml.v3 v3.0.1 | ||
| k8s.io/api v0.36.0 | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[critical] api-contract
The PR replaces gopkg.in/go-jose/go-jose.v2 with v4 in acceptance/go.mod, but acceptance/image/image.go (line 60) still imports gopkg.in/go-jose/go-jose.v2/json. In Go, v2 and v4 are distinct module paths. The acceptance module will not compile.
Suggested fix: Update the import in acceptance/image/image.go to the v4 equivalent (github.com/go-jose/go-jose/v4), or keep v2 alongside v4.