From 4f5312807b90fd7ff044acb7ac0ddbbc91473863 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 17 Aug 2021 08:53:22 -0500 Subject: [PATCH 1/3] Undo dep hacks to work around gRPC example module. This is essentially reverting 87c7e89b139a8024d8b00bfbd18e500cc25937e4. Signed-off-by: Matt Moyer --- go.mod | 4 ---- go.sum | 1 + hack/dependencyhacks/grpcexamples/go.mod | 3 --- hack/module.sh | 2 +- 4 files changed, 2 insertions(+), 8 deletions(-) delete mode 100644 hack/dependencyhacks/grpcexamples/go.mod diff --git a/go.mod b/go.mod index b5f20e9d..3fc7d215 100644 --- a/go.mod +++ b/go.mod @@ -54,7 +54,3 @@ replace github.com/oleiade/reflections v1.0.0 => github.com/oleiade/reflections // We use the SHA of github.com/form3tech-oss/jwt-go@v3.2.2 to get around "used for two different module paths" // https://golang.org/issues/26904 replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/form3tech-oss/jwt-go v0.0.0-20200915135329-9162a5abdbc0 - -// Pin a gRPC module that's only used in some tests. -// This is required because sometime after v1.29.1, they moved this package into a separate module. -replace google.golang.org/grpc/examples => ./hack/dependencyhacks/grpcexamples/ diff --git a/go.sum b/go.sum index fe9d15bc..be450e2d 100644 --- a/go.sum +++ b/go.sum @@ -1793,6 +1793,7 @@ google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc/examples v0.0.0-20210304020650-930c79186c99/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= diff --git a/hack/dependencyhacks/grpcexamples/go.mod b/hack/dependencyhacks/grpcexamples/go.mod deleted file mode 100644 index 47491cc5..00000000 --- a/hack/dependencyhacks/grpcexamples/go.mod +++ /dev/null @@ -1,3 +0,0 @@ -module google.golang.org/grpc/examples - -go 1.14 diff --git a/hack/module.sh b/hack/module.sh index f7c2d0d2..12f53d6b 100755 --- a/hack/module.sh +++ b/hack/module.sh @@ -46,7 +46,7 @@ function with_modules() { env_vars="KUBE_CACHE_MUTATION_DETECTOR=${kube_cache_mutation_detector} KUBE_PANIC_WATCH_DECODE_ERROR=${kube_panic_watch_decode_error}" pushd "${ROOT}" >/dev/null - for mod_file in $(find . -maxdepth 4 -not -path "./generated/*" -not -path "./hack/*" -name go.mod | sort); do + for mod_file in $(find . -maxdepth 4 -not -path "./generated/*" -name go.mod | sort); do mod_dir="$(dirname "${mod_file}")" ( echo "=> " From f379eee7a3ee67802f5159d49b4e5cfda6684ce3 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 17 Aug 2021 08:57:47 -0500 Subject: [PATCH 2/3] Drop replace directive for oleiade/reflections. This is reverting 8358c261070a2dc9d75053e5db9c4ec666472295. Signed-off-by: Matt Moyer --- go.mod | 5 ----- go.sum | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 3fc7d215..4f34f091 100644 --- a/go.mod +++ b/go.mod @@ -43,11 +43,6 @@ require ( sigs.k8s.io/yaml v1.2.0 ) -// Workaround a broken module version (see https://github.com/oleiade/reflections/issues/14). -// We need this until none of our deps tries to pull in v1.0.0, otherwise some tools like -// Dependabot will fail on our module. -replace github.com/oleiade/reflections v1.0.0 => github.com/oleiade/reflections v1.0.1 - // We were never vulnerable to CVE-2020-26160 but this avoids future issues // This fork is not particularly better though: // https://github.com/form3tech-oss/jwt-go/issues/7 diff --git a/go.sum b/go.sum index be450e2d..caac6eaa 100644 --- a/go.sum +++ b/go.sum @@ -930,6 +930,7 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLA github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w= github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM= github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= From 03a8160a9108499c5695f81a80f9e88cb8dbea9a Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Wed, 18 Aug 2021 17:03:47 -0500 Subject: [PATCH 3/3] Remove replace directive for dgrijalva/jwt-go. We no longer have a transitive dependency on this older repository, so we don't need the replace directive anymore. There is a new fork of this that we should move to (https://github.com/golang-jwt/jwt), but we can't easily do that until a couple of our direct dependencies upgrade. This is a revert of d162cb9adfa913481a2374145451938122009b8d. Signed-off-by: Matt Moyer --- go.mod | 7 ------- go.sum | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 4f34f091..1c248a77 100644 --- a/go.mod +++ b/go.mod @@ -42,10 +42,3 @@ require ( k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9 sigs.k8s.io/yaml v1.2.0 ) - -// We were never vulnerable to CVE-2020-26160 but this avoids future issues -// This fork is not particularly better though: -// https://github.com/form3tech-oss/jwt-go/issues/7 -// We use the SHA of github.com/form3tech-oss/jwt-go@v3.2.2 to get around "used for two different module paths" -// https://golang.org/issues/26904 -replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/form3tech-oss/jwt-go v0.0.0-20200915135329-9162a5abdbc0 diff --git a/go.sum b/go.sum index caac6eaa..4969d193 100644 --- a/go.sum +++ b/go.sum @@ -182,6 +182,7 @@ github.com/dgraph-io/ristretto v0.0.1/go.mod h1:T40EBc7CJke8TkpiYfGGKAeFjSaxuFXh github.com/dgraph-io/ristretto v0.0.2/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgraph-io/ristretto v0.0.3 h1:jh22xisGBjrEVnRZ1DVTpBVQm0Xndu8sMl0CWDzSIBI= github.com/dgraph-io/ristretto v0.0.3/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= @@ -224,7 +225,6 @@ github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8S github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= -github.com/form3tech-oss/jwt-go v0.0.0-20200915135329-9162a5abdbc0/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=