Bump some deps #732
707a37c to 1b2280f
OK, non-trivial part of this separated to #733

LGTM
| "github.com/opencontainers/runtime-tools/generate" | ||
| "github.com/opencontainers/runtime-tools/specerror" | ||
| "github.com/opencontainers/runtime-tools/validation/util" | ||
| uuid "github.com/satori/go.uuid" |
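Review bot: on the `uuid "github.com/satori/go.uuid"` import, every call in this file resolves through the `uuid` alias, so replacing the module behind it changes the meaning of each `uuid.` call here. Worth confirming each caller against the google/uuid API: its `New()` returns a single value and panics if the random source fails, while `NewRandom()` returns the error for the caller to handle.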
but why tho?
The appropriate commit message explains it (alas github downplays individual commits in its UI).
Here's a copy-paste to save you some clicks:
deps: switch to google/uuid
It looks like satori/go.uuid has changed its API in the past (returning
two values rather than one from New), and it is not maintained since
around 2018.
Switch to google/uuid which seems to be well maintained.
To reiterate, the New method used to return uuid, and if you try to bump
the module (github.com/satori/go.uuid) you'll see that it now returns uuid and error;
this means we have to add an error check to all the callers. Switching to google/uuid
is simpler than making this change, with the added benefit of the google one being well
maintained.
I think it was originally suggested by @thaJeztah in some issue or PR.
Thanks for this clarification.
Yes, I recall Justin made a round of some PRs to replace some UUID libraries with this one (for another UUID library which had a vulnerability); https://github.com/pulls?q=is%3Apr+author%3Ajustincormack+uuid+is%3Aclosed
And notary switched to the UUID library from distribution/distribution (don't think we want to add that as dependency though); moby/moby#38868
So, given that google/uuid looks to be used in various codebases in the ecosystem, it's probably an OK choice
(Explanation sounds good to me, but I'll let @vbatts confirm whether he's satisfied 😄)
There are many .t files in subdirectories. Fix gitignore accordingly. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
It looks like satori/go.uuid has changed its API in the past (returning two values rather than one from New), and it is not maintained since around 2018. Switch to google/uuid which seems to be well maintained. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Also, fix a deprecation warning from NewPid. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
vbatts left a comment
LGTM
the only failed check is not related to changes here, but I've opened an issue to track it #737
| github.com/urfave/cli v1.19.1 | ||
| github.com/xeipuuv/gojsonschema v1.2.0 | ||
| golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 | ||
| golang.org/x/sys v0.0.0-20191115151921-52ab43148777 |
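Review bot: the two golang.org/x/sys lines differ only in pseudo-version (20191026070338-33540a1f6037 to 20191115151921-52ab43148777), and both point at untagged commits, so nothing in the line itself says why the pin moved. Suggest naming the module that required the newer version in the commit message, or bumping it in a commit of its own, so the change can be audited later.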
Perhaps we should update this one to a current version as well for Go 1.17 compatibility (see docker/cli#3269)
This was an implicit upgrade (caused by github.com/opencontainers/selinux bump). We can surely do an explicit update, too.
validation/.gitignore: fix
There are many .t files in subdirectories. Fix gitignore accordingly.
Closes: Ignore the *.t files because of compiled files. #714
deps: switch to google/uuid
It looks like satori/go.uuid has changed its API in the past (returning
two values rather than one from New), and it is not maintained since
around 2018.
Switch to google/uuid which seems to be well maintained.
deps: bump sirupsen/logrus to v1.8.1
deps bump github.com/mrunalp/fileutils to v0.5.0
deps: bump github.com/opencontainers/selinux to v1.9.1
deps: github.com/hashicorp/go-multierror to v1.1.1
deps: bump github.com/syndtr/gocapability to latest
Also, fix a deprecation warning from NewPid.