[jira] [Commented] (YUNIKORN-2389) Update golang dependencies

[Chia-Ping Tsai (Jira)]

    [ 
https://issues.apache.org/jira/browse/YUNIKORN-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814916#comment-17814916
 ] 

Chia-Ping Tsai commented on YUNIKORN-2389:
------------------------------------------

{quote}
I've checked for CVE in web/release repo using govulncheck and there is no CVE 
warning occurred.
{quote}

Could you please take a look at following dependencies tree?

github.com/apache/yunikorn-web (go1.21)
 ├── github.com/google/go-cmp@v0.5.5 (go1.8) => [v0.6.0]
 │    └── golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543 => 
[v0.0.0-20231012003039-104605ab7028]
 └── gotest.tools/v3@v3.4.0 (go1.13) => [v3.5.1]
      ├── github.com/google/go-cmp@v0.5.5 (go1.8) => [v0.6.0]
      └── golang.org/x/tools@v0.1.0 (go1.12) => [v0.17.0]
           ├── github.com/yuin/goldmark@v1.2.1 (go1.13) => [v1.7.0]
           ├── golang.org/x/mod@v0.3.0 (go1.12) => [v0.14.0]
           ├── golang.org/x/net@v0.0.0-20201021035429-f5854403a974 (go1.11) => 
[v0.20.0]
           ├── golang.org/x/sync@v0.0.0-20201020160332-67f06af15bc9 => [v0.6.0]
           ├── golang.org/x/sys@v0.0.0-20210119212857-b64e53b001e4 (go1.12) => 
[v0.16.0]
           └── golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1 (go1.11) 
=> [v0.0.0-20231012003039-104605ab7028]


> Update golang dependencies
> --------------------------
>
>                 Key: YUNIKORN-2389
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-2389
>             Project: Apache YuniKorn
>          Issue Type: Improvement
>          Components: release
>            Reporter: Wilfred Spiegelenburg
>            Assignee: Yu-Lin Chen
>            Priority: Critical
>              Labels: pull-request-available
>
> golang.org/x/crypto v0.16.0 is used but it has 
> [CVE-2023-48795|https://www.cve.org/CVERecord?id=CVE-2023-48795] (or 
> GO-2023-2402) and we should upgrade to the latest before the release.
> While we are upgrading that one we should also update the others:
>  * golang.org/x/net v0.20.0
>  * golang.org/x/sys v0.16.0
>  * golang.org/x/text v0.14.0
>  * golang.org/x/tools v0.17.0



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: issues-h...@yunikorn.apache.org