
chore(deps): bump the dependencies group with 14 updates #1095

Merged

dependabot[bot] (Contributor) commented on behalf of github on Feb 1, 2025

Bumps the dependencies group with 14 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/Scalingo/go-utils/logger | 1.3.1 | 1.4.0 |
| github.com/briandowns/spinner | 1.23.1 | 1.23.2 |
| github.com/cheggaaa/pb/v3 | 3.1.5 | 3.1.6 |
| github.com/go-git/go-git/v5 | 5.13.0 | 5.13.2 |
| golang.org/x/crypto | 0.31.0 | 0.32.0 |
| golang.org/x/term | 0.27.0 | 0.28.0 |
| github.com/ProtonMail/go-crypto | 1.1.3 | 1.1.5 |
| github.com/cyphar/filepath-securejoin | 0.3.6 | 0.4.1 |
| github.com/go-git/go-billy/v5 | 5.6.1 | 5.6.2 |
| github.com/mattn/go-colorable | 0.1.13 | 0.1.14 |
| github.com/pjbgf/sha1cd | 0.3.1 | 0.3.2 |
| github.com/skeema/knownhosts | 1.3.0 | 1.3.1 |
| golang.org/x/net | 0.33.0 | 0.34.0 |
| golang.org/x/sys | 0.28.0 | 0.29.0 |

Updates github.com/Scalingo/go-utils/logger from 1.3.1 to 1.4.0

Commits
  • 07ed960 Merge pull request #1000 from Scalingo/release/mongo/1.4.0
  • 2db025c [mongo] Bump v1.4.0
  • 2dad0ed Merge pull request #999 from Scalingo/fix/998/validation-internal-errors
  • ae3124d Lint
  • 6da687f Review: refacto and error message improvement
  • e800254 package(mongo) Do not break API to handle validation errors with internal errors
  • d750436 Merge pull request #997 from Scalingo/fix/1030/mongo-pagination-custom-query
  • 1c9f6dc Update mongo/pagination/pagination.go: typo
  • c764b19 Review: doc and additional test
  • cd20c6a Update changelog
  • Additional commits viewable in compare view

Updates github.com/briandowns/spinner from 1.23.1 to 1.23.2

Commits

Updates github.com/cheggaaa/pb/v3 from 3.1.5 to 3.1.6

Commits
  • 634b527 Merge pull request #226 from cheggaaa/dependabot/go_modules/v3/github.com/mat...
  • 72db192 Merge pull request #225 from secDre4mer/master
  • 1897845 Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 in /v3
  • 4d7e5a0 feat: AIX support
  • d0803d4 Merge pull request #224 from cheggaaa/dependabot/go_modules/v3/github.com/fat...
  • bce8d1a Bump github.com/fatih/color from 1.17.0 to 1.18.0 in /v3
  • 4ca3463 Merge pull request #221 from cheggaaa/dependabot/go_modules/v3/github.com/fat...
  • ced2481 Merge pull request #222 from cheggaaa/dependabot/go_modules/v3/github.com/mat...
  • e774f99 Bump github.com/mattn/go-runewidth from 0.0.15 to 0.0.16 in /v3
  • 809a0b4 Bump github.com/fatih/color from 1.16.0 to 1.17.0 in /v3
  • Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.13.0 to 5.13.2

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.13.2

What's Changed

Full Changelog: go-git/go-git@v5.13.1...v5.13.2

v5.13.1

What's Changed

Full Changelog: go-git/go-git@v5.13.0...v5.13.1

Commits
  • 2c68247 Merge pull request #1383 from go-git/dependabot/go_modules/github.com/ProtonM...
  • d462c2e Merge pull request #1359 from BeChris/issue1150-v5
  • 32ac23a Merge pull request #1392 from go-git/dependabot/go_modules/github.com/pjbgf/s...
  • 93e635a build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2
  • b2bb975 git: worktree_status, took into account code review remarks
  • 518ac88 git: worktree_status, fix adding dot slash files to working tree (backported ...
  • 21b3150 build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5
  • 189e7e4 Merge pull request #1361 from BeChris/issue1176-v5
  • 654815a Merge pull request #1377 from go-git/dependabot/go_modules/github.com/elazarl...
  • 91dbdb9 Merge pull request #1376 from go-git/dependabot/github_actions/github/codeql-...
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.31.0 to 0.32.0

Commits
  • 8929309 go.mod: update golang.org/x dependencies
  • 4a75ba5 all: make function and struct comments match the names
  • See full diff in compare view

Updates golang.org/x/term from 0.27.0 to 0.28.0

Commits

Updates github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.5

Release notes

Sourced from github.com/ProtonMail/go-crypto's releases.

Release v1.1.5

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.4...v1.1.5

Release v1.1.5-proton

What's Changed

This release is v1.1.5 with support for the following non-standardized features:

Release v1.1.4

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.3...v1.1.4

Release v1.1.4-proton

What's Changed

This release is v1.1.4 with support for the following non-standardized features:

Commits
  • d703f49 Check binding signature details against primary key (#264)
  • 72cacd5 ci: Update openpgp-interop-test-analyzer to v2.1.0 (#243)
  • 3de0301 Update artifact actions to v4 (#260)
  • be3aef0 Merge pull request #259 from ProtonMail/less-memory-large-msgs
  • 1fd5ec8 Add tests for reusing buffer in OCB en/decryption
  • df3ee02 Buffer decrypted bytes more efficiently
  • 04cfaf2 Reuse plaintext slice for ciphertext when encrypting
  • fee7824 Reuse ciphertext slice for plaintext when decrypting
  • 6fa7f91 Preallocate the chunk size rather than buffering
  • add07bd Don't allocate the nonce for each chunk
  • Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.4.1

This release fixes a regression introduced in one of the hardening features added to filepath-securejoin 0.4.0.

  • The restrictions added for root paths passed to SecureJoin in 0.4.0 were found to be too strict and caused some regressions when folks tried to update, so this restriction has been relaxed to only return an error if the path contains a .. component. We still recommend users use filepath.Clean (and even filepath.EvalSymlinks) on the root path they are using, but at least you will no longer be punished for "trivial" unclean paths. (#46)

Signed-off-by: Aleksa Sarai [email protected]

v0.4.0

This release primarily includes a few minor breaking changes to make the MkdirAll and SecureJoin interfaces more robust against accidental misuse.

  • SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

    While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

    All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

    Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

  • MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

    However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing said bits was also an error).

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.4.1] - 2025-01-28

Fixed

  • The restrictions added for root paths passed to SecureJoin in 0.4.0 were found to be too strict and caused some regressions when folks tried to update, so this restriction has been relaxed to only return an error if the path contains a .. component. We still recommend users use filepath.Clean (and even filepath.EvalSymlinks) on the root path they are using, but at least you will no longer be punished for "trivial" unclean paths.

[0.4.0] - 2025-01-13

Breaking

  • SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

    While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

    All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

    Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

  • MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

    However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing said bits was also an error).
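
The two filepath-securejoin changes quoted above (the root-cleanliness rule in 0.4.0, relaxed in 0.4.1, and the switch of MkdirAll to an os.FileMode argument) are easy to misjudge from the changelog alone. The following Go program is an added example written for this page; it is not code from filepath-securejoin, go-git or this PR, and it does not import the library. It reimplements both root rules lexically (CheckRootStrict for 0.4.0, CheckRoot for 0.4.1), builds the `/symlink/..` foot-gun from the release note in a temporary directory to show that filepath.Clean and filepath.EvalSymlinks disagree about where such a root points, and adds a UnixModeToFileMode helper for callers migrating from unix.S_* modes (sticky becomes os.ModeSticky, setuid/setgid are rejected as invalid bits). All function names and the POSIX bit values spelled out as constants are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// POSIX mode bits spelled out so the example needs no golang.org/x/sys/unix.
const (
	sISUID = 0o4000
	sISGID = 0o2000
	sISVTX = 0o1000 // sticky bit; os.ModeSticky in os.FileMode terms
)

// CheckRootStrict is the 0.4.0 rule, reimplemented here: the root must already be
// what filepath.Clean would return, so "/srv//data/" and "/srv/link/.." are rejected.
func CheckRootStrict(root string) error {
	if c := filepath.Clean(root); c != root {
		return fmt.Errorf("root %q is not a cleaned path (filepath.Clean gives %q)", root, c)
	}
	return nil
}

// CheckRoot is the relaxed 0.4.1 rule, reimplemented here: only a ".." component is
// rejected, so a "trivially" unclean root such as "/srv//data/" is accepted again.
func CheckRoot(root string) error {
	for _, comp := range strings.Split(filepath.ToSlash(root), "/") {
		if comp == ".." {
			return fmt.Errorf("root %q contains a .. component", root)
		}
	}
	return nil
}

// LexicalVsPhysical builds the foot-gun from the release note inside dir
// (dir/target/sub is a real directory, dir/link is a symlink to target/sub)
// and returns what filepath.Clean and filepath.EvalSymlinks each make of
// dir/link/.. : lexically it is dir, physically it is dir/target.
func LexicalVsPhysical(dir string) (cleaned, resolved string, err error) {
	if err = os.MkdirAll(filepath.Join(dir, "target", "sub"), 0o755); err != nil {
		return "", "", err
	}
	if err = os.Symlink(filepath.Join("target", "sub"), filepath.Join(dir, "link")); err != nil {
		return "", "", err
	}
	// filepath.Join would Clean the ".." away, so the unclean root is built by hand.
	sep := string(filepath.Separator)
	root := dir + sep + "link" + sep + ".."
	cleaned = filepath.Clean(root)
	resolved, err = filepath.EvalSymlinks(root)
	return cleaned, resolved, err
}

// UnixModeToFileMode adapts a unix.S_*-style mode to the os.FileMode that MkdirAll
// takes since 0.4.0: the 0o777 bits pass through, S_ISVTX becomes os.ModeSticky,
// and setuid/setgid are rejected because the new API treats them as invalid bits.
func UnixModeToFileMode(unixMode uint32) (os.FileMode, error) {
	if unixMode&(sISUID|sISGID) != 0 {
		return 0, errors.New("setuid/setgid bits are not valid for MkdirAll")
	}
	if extra := unixMode &^ (0o777 | sISVTX); extra != 0 {
		return 0, fmt.Errorf("unexpected mode bits 0o%o", extra)
	}
	mode := os.FileMode(unixMode & 0o777)
	if unixMode&sISVTX != 0 {
		mode |= os.ModeSticky
	}
	return mode, nil
}

func main() {
	for _, r := range []string{"/srv/data", "/srv//data/", "/srv/link/.."} {
		fmt.Printf("%-14q strict(0.4.0): %v | relaxed(0.4.1): %v\n", r, CheckRootStrict(r), CheckRoot(r))
	}
	dir, err := os.MkdirTemp("", "securejoin-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	cleaned, resolved, err := LexicalVsPhysical(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("link/.. cleans to %s but resolves to %s\n", cleaned, resolved)
	mode, err := UnixModeToFileMode(0o1777)
	fmt.Printf("0o1777 -> %v (err=%v)\n", mode, err)
	_, err = UnixModeToFileMode(0o4755)
	fmt.Printf("0o4755 -> err=%v\n", err)
}
```

The symlink demonstration needs a Unix-like filesystem (creating symlinks on Windows requires extra privileges). The practical takeaway matches the release note's advice: run filepath.Clean, and preferably filepath.EvalSymlinks, on the root before handing it to SecureJoin, rather than relying on the library's check, which in 0.4.1 only catches an explicit `..` component.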

Commits
  • 7abd870 VERSION: release v0.4.1
  • 509a359 merge #47 into cyphar/filepath-securejoin:main
  • fbaef26 join: loosen cleanliness requirements for SecureJoin root
  • 54460df merge #45 into cyphar/filepath-securejoin:main
  • 14e6cfe VERSION: back to development
  • 9a17e6b VERSION: release v0.4.0
  • e410d4a merge #44 into cyphar/filepath-securejoin:main
  • ea4e5b6 gha: add GOARCH=386 build check
  • 0c2fbe6 mkdirall: switch to os.FileMode argument
  • f3a512c merge #43 into cyphar/filepath-securejoin:main
  • Additional commits viewable in compare view

Updates github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.6.2

What's Changed

New Contributors

Full Changelog: go-git/go-billy@v5.6.1...v5.6.2

Commits
  • 9f8b16d Merge pull request #103 from pjbgf/bump-deps
  • 783f58c build: Bump dependencies
  • 0009381 Merge pull request #102 from JAORMX/iofs-extra-interfaces-v5
  • 21beb15 Enable the iofs adapter to also return other interfaces from io/fs
  • See full diff in compare view

Updates github.com/mattn/go-colorable from 0.1.13 to 0.1.14

Commits
  • 1f71342 update deps
  • 4503567 Merge pull request #73 from whereswaldon/patch-1
  • 40e70a5 [Windows] harden system DLL loading
  • 603fb50 Merge pull request #71 from hymkor/fork-20241118
  • 664d917 Fix: ESC[E and ESC[F with no arguments did not move the cursor on the legacy ...
  • 2b733b5 Merge pull request #69 from dolmen-go/merge-appengine-into-others
  • 9473000 Merge pull request #68 from dolmen-go/do-not-expose-Windows-Writer
  • 3cc8472 Merge pull request #67 from dolmen-go/ci-go1.20
  • d9a68d5 Merge colorable_appengine.go into colorable_others.go
  • 8e4a944 Windows: do not export Writer
  • Additional commits viewable in compare view

Updates github.com/pjbgf/sha1cd from 0.3.1 to 0.3.2

Release notes

Sourced from github.com/pjbgf/sha1cd's releases.

v0.3.2

What's Changed

New Contributors

Full Changelog: pjbgf/sha1cd@v0.3.1...v0.3.2

Commits
  • 6b2e36b Merge pull request #150 from pjbgf/dependabot/docker/golang-51a6466
  • 05a0266 Merge pull request #149 from mmcloughlin/asm-module
  • 5bf06ea build(deps): Bump golang from 7ea4c9d to 51a6466
  • 2a026ef update make generate
  • 6bf841e update sha1cd generate line
  • ff2b6bb move ubc generator to sub-module
  • 2dc0fd6 reduce go version in asm go.mod
  • 0f1180f migrate avo to asm module
  • 6f02425 Merge pull request #147 from pjbgf/dependabot/github_actions/github/codeql-ac...
  • b9d5e06 build(deps): Bump github/codeql-action from 3.28.0 to 3.28.1
  • Additional commits viewable in compare view

Updates github.com/skeema/knownhosts from 1.3.0 to 1.3.1

Commits
  • 93146c8 update dependency golang.org/x/crypto to v0.25.0
  • 0f2fe42 go.mod: update golang.org/x dependencies
  • See full diff in compare view

Updates golang.org/x/net from 0.33.0 to 0.34.0

Commits
  • 8da7ed1 go.mod: update golang.org/x dependencies
  • 2124140 all: make function and struct comments match the names
  • e9d95ba http2: do not surface errors from a conn's idle timer expiring
  • c2be992 quic: remember which remote connection IDs have been retired
  • See full diff in compare view

Updates golang.org/x/sys from 0.28.0 to 0.29.0

Commits
  • d4ac05d windows: update NewLazyDLL, LoadDLL docs to point to NewLazySystemDLL
  • 680bd24 windows: remove unused errString type
  • a7f19e9 unix: add Dup3 on dragonfly
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 14 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/Scalingo/go-utils/logger](https://github.com/Scalingo/go-utils) | `1.3.1` | `1.4.0` |
| [github.com/briandowns/spinner](https://github.com/briandowns/spinner) | `1.23.1` | `1.23.2` |
| [github.com/cheggaaa/pb/v3](https://github.com/cheggaaa/pb) | `3.1.5` | `3.1.6` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.13.0` | `5.13.2` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.31.0` | `0.32.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.27.0` | `0.28.0` |
| [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) | `1.1.3` | `1.1.5` |
| [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) | `0.3.6` | `0.4.1` |
| [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy) | `5.6.1` | `5.6.2` |
| [github.com/mattn/go-colorable](https://github.com/mattn/go-colorable) | `0.1.13` | `0.1.14` |
| [github.com/pjbgf/sha1cd](https://github.com/pjbgf/sha1cd) | `0.3.1` | `0.3.2` |
| [github.com/skeema/knownhosts](https://github.com/skeema/knownhosts) | `1.3.0` | `1.3.1` |
| [golang.org/x/net](https://github.com/golang/net) | `0.33.0` | `0.34.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.28.0` | `0.29.0` |


Updates `github.com/Scalingo/go-utils/logger` from 1.3.1 to 1.4.0
- [Release notes](https://github.com/Scalingo/go-utils/releases)
- [Changelog](https://github.com/Scalingo/go-utils/blob/master/CHANGELOG_LEGACY.md)
- [Commits](Scalingo/go-utils@mongo/v1.3.1...mongo/v1.4.0)

Updates `github.com/briandowns/spinner` from 1.23.1 to 1.23.2
- [Release notes](https://github.com/briandowns/spinner/releases)
- [Commits](briandowns/spinner@v1.23.1...v1.23.2)

Updates `github.com/cheggaaa/pb/v3` from 3.1.5 to 3.1.6
- [Commits](cheggaaa/pb@v3.1.5...v3.1.6)

Updates `github.com/go-git/go-git/v5` from 5.13.0 to 5.13.2
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.0...v5.13.2)

Updates `golang.org/x/crypto` from 0.31.0 to 0.32.0
- [Commits](golang/crypto@v0.31.0...v0.32.0)

Updates `golang.org/x/term` from 0.27.0 to 0.28.0
- [Commits](golang/term@v0.27.0...v0.28.0)

Updates `github.com/ProtonMail/go-crypto` from 1.1.3 to 1.1.5
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](ProtonMail/go-crypto@v1.1.3...v1.1.5)

Updates `github.com/cyphar/filepath-securejoin` from 0.3.6 to 0.4.1
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](cyphar/filepath-securejoin@v0.3.6...v0.4.1)

Updates `github.com/go-git/go-billy/v5` from 5.6.1 to 5.6.2
- [Release notes](https://github.com/go-git/go-billy/releases)
- [Commits](go-git/go-billy@v5.6.1...v5.6.2)

Updates `github.com/mattn/go-colorable` from 0.1.13 to 0.1.14
- [Commits](mattn/go-colorable@v0.1.13...v0.1.14)

Updates `github.com/pjbgf/sha1cd` from 0.3.1 to 0.3.2
- [Release notes](https://github.com/pjbgf/sha1cd/releases)
- [Commits](pjbgf/sha1cd@v0.3.1...v0.3.2)

Updates `github.com/skeema/knownhosts` from 1.3.0 to 1.3.1
- [Commits](skeema/knownhosts@v1.3.0...v1.3.1)

Updates `golang.org/x/net` from 0.33.0 to 0.34.0
- [Commits](golang/net@v0.33.0...v0.34.0)

Updates `golang.org/x/sys` from 0.28.0 to 0.29.0
- [Commits](golang/sys@v0.28.0...v0.29.0)

---
updated-dependencies:
- dependency-name: github.com/Scalingo/go-utils/logger
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/briandowns/spinner
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/cheggaaa/pb/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/go-git/go-billy/v5
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/mattn/go-colorable
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/pjbgf/sha1cd
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/skeema/knownhosts
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: golang.org/x/net
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Feb 1, 2025
@dependabot dependabot bot requested a review from EtienneM February 1, 2025 00:56
@github-actions github-actions bot enabled auto-merge February 1, 2025 00:56
@github-actions github-actions bot merged commit 208fae6 into master Feb 1, 2025
6 checks passed
@github-actions github-actions bot deleted the dependabot/go_modules/dependencies-5b4f924813 branch February 1, 2025 00:57