heketi that is dependency for glusterfs was updated to import a fork of jwt-go that fixes
a high severity CVE-2020-26160 by importing a forked repo (form3tech-oss/jwt-go) that fixes
the CVE as the original repo (dgrijalva/jwt-go) has a fix with breaking changes and
the repo is generally loosely maintained.
This fork is already being used in other places in kubernetes. Heketi 10.3.0 includes this fix.
NOTE: The vulnerable function is not used by heketi or kubernetes. So the vulnerable package is a
transitive dependency and this fix will reduce false postive CVE alerts on kubernetes
Bumped github.com/auth0/go-jwt-middleware to v1.0.0 which removes dgrijalva/jwt-go cleanly
Fixing test failures: pull-kubernetes-dependencies
Removing unused dependencies in replace block to fix test failures: pull-kubernetes-dependencies
Bump go-jwt-middleware to v1.0.1 to *not* pull in examples only deps
This commit is for all the vendor specific code changes introduced
by pinning the dependency at 1.38.49 and running update-vendor.sh
lint-dependencies.sh shows no issues
The coredns/corefile-migration project switched to a fork of
coredns/caddy to remove dependencies it doesn't actually need. Picking
up this update here in k/k results in a significantly smaller go.mod.
Signed-off-by: Dan Lorenc <dlorenc@google.com>
runc rc95 contains a fix for CVE-2021-30465.
runc rc94 provides fixes and improvements.
One notable change is cgroup manager's Set now accept Resources rather
than Cgroup (see https://github.com/opencontainers/runc/pull/2906).
Modify the code accordingly.
Also update runc dependencies (as hinted by hack/lint-depdendencies.sh):
github.com/cilium/ebpf v0.5.0
github.com/containerd/console v1.0.2
github.com/coreos/go-systemd/v22 v22.3.1
github.com/godbus/dbus/v5 v5.0.4
github.com/moby/sys/mountinfo v0.4.1
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
github.com/google/go-cmp v0.5.4
github.com/kr/pretty v0.2.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
One notable change is cgroup manager's Set now accept Resources rather
than Cgroup (see https://github.com/opencontainers/runc/pull/2906).
Modify the code accordingly.
Also update runc dependencies (as hinted by hack/lint-depdendencies.sh):
github.com/cilium/ebpf v0.5.0
github.com/containerd/console v1.0.2
github.com/coreos/go-systemd/v22 v22.3.1
github.com/godbus/dbus/v5 v5.0.4
github.com/moby/sys/mountinfo v0.4.1
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
github.com/google/go-cmp v0.5.4
github.com/kr/pretty v0.2.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The new releases of klog (via klogr) and logr expose support for call
traces via a new WithCallDepth API in logr.
The new klogr can be configured to pass structured log entries into
klog instead of turning them into a single text message.
The newer spec will be needed for some test code that uses the new
GetVolume API.
The commit was produced with:
hack/pin-dependency.sh github.com/container-storage-interface/spec v1.3.0
hack/update-vendor.sh
