fix: bump notebooks controller golang/x dependencies #797
Conversation
Signed-off-by: Liav Weiss <[email protected]>
google-oss-prow
bot
added
the
area/controller
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/ok-to-test |
andyatmiami
left a comment
andyatmiami
left a comment
There was a problem hiding this comment.
/lgtm
thanks @liavweiss for this contribution.
i independently confirmed the verification checks performed by the PR author are reproducible and valid.
furthermore, in analyzing the changes introduced across the significant version bumps of upgraded dependencies, I am comfortable with them being safe for our usage.
-
x/crypto: critical functional changes revolve around usage of an SSH server which doesn't apply to our usage.. -
x/net: critical functional changes revolve around usage of html parsing and/orHTTP/2 server which doesn't apply to our usage -
x/sys|x/term|x/text: less controversial changes that reasonably verified by the application continuing to build
ℹ️ similar testing of same versions was also performed on #786
2 participants
Related: #780 (part 1,2,6)
Updated dependencies
golang.org/x/net→ v0.47.0 (addresses CVE-2022-27664/CVE-2025-22870/CVE-2025-22872 and other high/critical CVEs in the Go networking stack)golang.org/x/crypto→ v0.45.0 (keeps crypto primitives up to date with the net bump)golang.org/x/sys→ v0.38.0,golang.org/x/term→ v0.37.0,golang.org/x/text→ v0.31.0 (transitive upgrades brought in by the x/net bump)Validation performed
Trivy checks:
Before change: number of open CVEs - 64
After change: number of open CVEs - 46