fix(deps): upgrade crypto from v0.20 to v0.22. Fixes CVE-2023-42818 #12900

Merged: 1 commit merged into argoproj:main from fix-CVE-2023-42818 on Apr 6, 2024

Conversation

terrytangyuan (Member) opened the pull request:

Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
terrytangyuan added the prioritized-review label (For members of the Sustainability Effort) on Apr 6, 2024
agilgur5 added the type/security (Security related), type/dependencies (PRs and issues specific to updating dependencies) and go (Pull requests that update Go dependencies) labels on Apr 6, 2024
agilgur5 (Member) left a comment

lint seems to be failing here due to the new deps?

agilgur5 (Member) commented Apr 6, 2024

Also we've always used chore(deps) and never fix(security), is there a reason you changed the title?

agilgur5 changed the title from "fix(security): Upgrade crypto to v0.22. Fixes CVE-2023-42818" to "chore(deps): Upgrade crypto to v0.22. Fixes CVE-2023-42818" on Apr 6, 2024
agilgur5 changed the title from "chore(deps): Upgrade crypto to v0.22. Fixes CVE-2023-42818" to "chore(deps): upgrade crypto from v0.20 to v0.22. Fixes CVE-2023-42818" on Apr 6, 2024
terrytangyuan (Member, Author) commented Apr 6, 2024

> Also we've always used chore(deps) and never fix(security), is there a reason you changed the title?

I’ve always used fix or fix(security) for security fixes so that we never miss them in patch releases.

agilgur5 (Member) commented Apr 6, 2024

Oh looks like we've had both from various contributors. I see fix there, but not fix(security) -- I did double check and searched that and found nothing, so my spidey-sense was on there.

We should've probably used fix(deps) for #12881 then

agilgur5 changed the title from "chore(deps): upgrade crypto from v0.20 to v0.22. Fixes CVE-2023-42818" to "fix(deps): upgrade crypto from v0.20 to v0.22. Fixes CVE-2023-42818" on Apr 6, 2024
agilgur5 (Member) commented Apr 6, 2024

> lint seems to be failing here due to the new deps?

I re-ran the lint job as it seemed odd to me and it passed. I haven't seen that flake much, if at all 🤔

LGTM with that passing

@agilgur5 agilgur5 merged commit 3b4551b into argoproj:main Apr 6, 2024
30 checks passed
@terrytangyuan terrytangyuan deleted the fix-CVE-2023-42818 branch April 6, 2024 11:48
agilgur5 added a commit that referenced this pull request Apr 9, 2024
…#12900)

(cherry picked from commit 3b4551b)

Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Co-authored-by: agilgur5 <agilgur5@gmail.com>
agilgur5 (Member) commented Apr 9, 2024

Backported to release-3.5 as c8082b6

  • Fixed a merge conflict in the go.sum with transitive dep upgrades (and ran go mod tidy after)
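After a go.sum conflict is resolved by hand and go mod tidy has run, the check a reviewer wants is that the intended version of the dependency actually ended up pinned in go.mod rather than a version carried over from the other side of the conflict. The script below is an added example, not code from this PR or from the argo-workflows repository: it parses a constructed go.mod (the SAMPLE_GO_MOD text, not the project's real file; hypothetical module example.com/demo) and fails if golang.org/x/crypto is below a required minimum. The functions pinned_version, version_ge and check_min_version are the example's own names.

```shell
#!/bin/sh
# Verify that go.mod pins a module at or above a minimum version.
# Constructed sample go.mod for the demo (not argo-workflows' real go.mod).
SAMPLE_GO_MOD='module example.com/demo

go 1.21

require (
	github.com/spf13/cobra v1.8.0
	golang.org/x/crypto v0.22.0
	golang.org/x/net v0.24.0
)

require golang.org/x/sys v0.19.0 // indirect
'

# Read go.mod text on stdin and print the version pinned for module $1.
# Handles both the "require ( ... )" block form and single-line requires.
pinned_version() {
    mod="$1"
    awk -v mod="$mod" '
        /^require \(/ { inblock = 1; next }
        inblock && /^\)/ { inblock = 0; next }
        inblock && $1 == mod { print $2; exit }
        $1 == "require" && $2 == mod { print $3; exit }
    '
}

# Return 0 if semver $1 >= $2 (vMAJOR.MINOR.PATCH; pre-release suffix ignored).
version_ge() {
    a=${1#v}; b=${2#v}
    a=${a%%[-+]*}; b=${b%%[-+]*}
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Read go.mod on stdin; exit 0 if module $1 is pinned at >= $2,
# 1 if it is older, 2 if it is not required at all.
check_min_version() {
    mod="$1"; min="$2"
    have=$(pinned_version "$mod")
    if [ -z "$have" ]; then
        echo "$mod: not required in go.mod" >&2
        return 2
    fi
    if version_ge "$have" "$min"; then
        echo "$mod $have >= $min: ok"
        return 0
    fi
    echo "$mod $have < $min: upgrade needed" >&2
    return 1
}

# Usage against the constructed sample: the v0.22.0 pin satisfies the minimum.
printf '%s' "$SAMPLE_GO_MOD" | check_min_version golang.org/x/crypto v0.22.0
```

In a real checkout the same question is answered by `go list -m golang.org/x/crypto`, which prints the version the module graph actually selects (a transitive requirement can pull in something newer than the go.mod line), and `go mod verify`, which confirms the cached module contents still match go.sum after the hand-merge.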

@agilgur5 agilgur5 added this to the v3.5.x patches milestone Apr 9, 2024
isubasinghe pushed a commit to isubasinghe/argo-workflows that referenced this pull request May 6, 2024
isubasinghe pushed a commit to isubasinghe/argo-workflows that referenced this pull request May 7, 2024