Skip to content

sec-vuln: upgrade dependencies#9227

Merged
himadrisingh merged 2 commits intomainfrom
sec-vuln
Apr 14, 2026
Merged

sec-vuln: upgrade dependencies#9227
himadrisingh merged 2 commits intomainfrom
sec-vuln

Conversation

@himadrisingh
Copy link
Copy Markdown
Contributor

@himadrisingh himadrisingh commented Apr 13, 2026
edited
Loading

Fixes

Checklist:

  • Covered by tests
  • Ran it and it works as intended
  • Reviewed the diff before requesting a review
  • Checked for unhandled edge cases
  • Linked the issues it closes
  • Checked if the docs need to be updated. If so, create a separate Linear DOCS issue
  • Intend to cherry-pick into the release branch
  • I'm proud of this work!

@himadrisingh himadrisingh self-assigned this Apr 13, 2026
begelundmuller
begelundmuller approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@begelundmuller begelundmuller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@himadrisingh
Update resolvers_test.go
cc51826 
  Root cause: upgrading docker/compose/v5 to v5.1.2 pulled in gotest.tools/v3@v3.5.2 as a new transitive dependency. That library's init() registers flag.Bool("update", ...). Since dependency init() functions run before the importing package's
  variable initializers, gotest.tools registers the flag first, and resolvers_test.go:58's var update = flag.Bool("update", ...) then panics with "flag redefined".

  Fix (runtime/resolvers/resolvers_test.go):
  - Replaced the package-level var update = flag.Bool(...) with an init() that only registers the flag if flag.Lookup("update") == nil (same pattern gotest.tools itself uses)
  - Changed the usage in TestResolvers to look up the flag value via flag.Lookup("update") after flag.Parse() instead of dereferencing a package-level pointer
@himadrisingh
Copy link
Copy Markdown
Contributor Author

himadrisingh commented Apr 13, 2026

Root cause: upgrading docker/compose/v5 to v5.1.2 pulled in gotest.tools/v3@v3.5.2 as a new transitive dependency. That library's init() registers flag.Bool("update", ...). Since dependency init() functions run before the importing package's
variable initializers, gotest.tools registers the flag first, and resolvers_test.go:58's var update = flag.Bool("update", ...) then panics with "flag redefined".

Fix (runtime/resolvers/resolvers_test.go):

  • Replaced the package-level var update = flag.Bool(...) with an init() that only registers the flag if flag.Lookup("update") == nil (same pattern gotest.tools itself uses)
  • Changed the usage in TestResolvers to look up the flag value via flag.Lookup("update") after flag.Parse() instead of dereferencing a package-level pointer

@himadrisingh himadrisingh merged commit fddb1a6 into main Apr 14, 2026
13 of 15 checks passed
@himadrisingh himadrisingh deleted the sec-vuln branch April 14, 2026 03:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@begelundmuller begelundmuller begelundmuller approved these changes

Assignees

@himadrisingh himadrisingh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@himadrisingh @begelundmuller