
chore(deps): bump the dependencies group with 10 updates #1073

Merged


dependabot[bot]

@dependabot dependabot bot commented on behalf of github Aug 1, 2024

Bumps the dependencies group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/urfave/cli/v2 | 2.27.2 | 2.27.3 |
| golang.org/x/crypto | 0.24.0 | 0.25.0 |
| golang.org/x/term | 0.21.0 | 0.22.0 |
| github.com/ProtonMail/go-crypto | 1.1.0-alpha.3-proton | 1.1.0-alpha.5-proton |
| github.com/cyphar/filepath-securejoin | 0.2.5 | 0.3.1 |
| github.com/mattn/go-runewidth | 0.0.15 | 0.0.16 |
| github.com/skeema/knownhosts | 1.2.2 | 1.3.0 |
| github.com/xrash/smetrics | 0.0.0-20240312152122-5f08fbb34913 | 0.0.0-20240521201337-686a1a2994c1 |
| golang.org/x/net | 0.26.0 | 0.27.0 |
| golang.org/x/sys | 0.21.0 | 0.22.0 |

Updates github.com/urfave/cli/v2 from 2.27.2 to 2.27.3

Release notes

Sourced from github.com/urfave/cli/v2's releases.

v2.27.3

What's Changed

New Contributors

Full Changelog: urfave/cli@v2.27.2...v2.27.3

Commits
  • a4832fd Merge pull request #1947 from caeret/v2-maint
  • 2400a85 Run make generate
  • a5546ad Fix improper whitespace formatting in usageTemplate, AppHelpTemplate and Subc...
  • 84c536d Merge pull request #1938 from suzuki-shunsuke/v2-fix-shell-completion-with-do...
  • f72fa77 fix: disable bash completion if double dash is included in arguments
  • 8e2384c Merge pull request #1911 from elezar/bump-github.com/xrash/smetrics
  • e6c679a Bump github.com/xrash/smetrics dependency
  • da85d0c Merge pull request #1910 from sj14/sj/default-arg-value
  • 1ba9751 Docs: Mention value from env as default value
  • See full diff in compare view

Updates golang.org/x/crypto from 0.24.0 to 0.25.0

Commits
  • 9fadb0b go.mod: update golang.org/x dependencies
  • a6a393f all: bump go.mod version and drop compatibility shims
  • 1c74500 ssh/test: make struct comment match struct name
  • d4e7c9c ssh: fail client auth immediately on receiving disconnect message
  • See full diff in compare view

Updates golang.org/x/term from 0.21.0 to 0.22.0

Commits

Updates github.com/ProtonMail/go-crypto from 1.1.0-alpha.3-proton to 1.1.0-alpha.5-proton

Release notes

Sourced from github.com/ProtonMail/go-crypto's releases.

v1.1.0-alpha.5-proton

This pre-release is v1.1.0-alpha.5 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-alpha.4-proton

This pre-release is v1.1.0-alpha.4 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

Commits
  • 5cc763e Fix HMAC generation (#204)
  • 5c6f2b4 Replace ioutil.ReadAll with io.ReadAll
  • 08bd3f7 fix(v2): Adapt NewForwardingEntity to refactored NewEntity
  • 635733f fix(v2): Do not allow encryption with a forwarding key
  • 6c1edd7 feat: Add symmetric keys to v2
  • 736343d fix: Address warnings
  • 0c84782 feat: Add forwarding to v2 api
  • aaf4fba fix: Address rebase on version 2 issues
  • 7c4521c Use fingerprints instead of KeyIDs
  • c38aca0 Create a copy of the encrypted key when forwarding
  • Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.2.5 to 0.3.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.1

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

  • Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (i.e. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and are purely a consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai [email protected]

v0.3.0

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer to use for most use cases. These are adapted from [libpathrs][1] and are the bare minimum to be able to operate more safely on an untrusted rootfs where an attacker has write access (something that SecureJoin cannot protect against). The new APIs are:

  • OpenInRoot, which resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the file handle returned by OpenInRoot is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- see open(2) for more details).

  • Reopen, which takes an O_PATH file handle and safely re-opens it to "upgrade" it to a regular handle.

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.1] - 2024-07-23

Changed

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

Fixed

  • Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (i.e. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and are purely a consistency fix (most users are going to be using openat2 anyway).

[0.3.0] - 2024-07-11

Added

  • A new set of *os.File-based APIs have been added. These are adapted from [libpathrs][] and we strongly suggest using them if possible (as they provide far more protection against attacks than SecureJoin):

    • Open(at)InRoot resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the handle returned is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- [see open(2) for more details][open.2])

    • Reopen takes an O_PATH file handle and safely re-opens it to upgrade it to a regular handle. This can also be used with non-O_PATH handles, but O_PATH is the most obvious application.

    • MkdirAll is an implementation of os.MkdirAll that is safe to use to

... (truncated)

Commits
  • ce7b28a VERSION: release v0.3.1
  • a2c14f8 CHANGELOG: add readlinkat(fd, "") shout-out
  • 4ea279f merge #22 into cyphar/filepath-securejoin:main
  • 16e1bec CHANGELOG: add initial changelog with current history
  • 2404ffb merge #21 into cyphar/filepath-securejoin:main
  • f29b7a4 lookup: handle // and trailing slash components correctly
  • ecd61ca merge #19 into cyphar/filepath-securejoin:main
  • 38b1220 procfs: refactor statx mnt_id logic
  • 45c4415 procfs: use readlink(fd, "") for magic-links
  • edab538 merge #17 into cyphar/filepath-securejoin:main
  • Additional commits viewable in compare view

Updates github.com/mattn/go-runewidth from 0.0.15 to 0.0.16

Commits

Updates github.com/skeema/knownhosts from 1.2.2 to 1.3.0

Commits
  • 9485bde docs: add PR template and CONTRIBUTING.md guide; minor README tweaks
  • 8b8ca37 host matching: handle wildcards with non-standard port (#10)
  • 7c797a4 Merge pull request #9 from skeema/certs-backwards-compat
  • 53a26cc Minor adjustments based on initial PR feedback
  • 69b4a62 certs: reimplement previous commit to maintain backwards compat
  • d314bf3 Support cert authorities
  • 5832aa8 ci: send coverage to Coveralls; upgrade action versions
  • 7acc57b go.mod: update golang.org/x dependencies
  • See full diff in compare view

Updates github.com/xrash/smetrics from 0.0.0-20240312152122-5f08fbb34913 to 0.0.0-20240521201337-686a1a2994c1

Commits

Updates golang.org/x/net from 0.26.0 to 0.27.0

Commits
  • e2310ae go.mod: update golang.org/x dependencies
  • 77708f7 quic: skip tests which depend on unimplemented UDP functions on Plan 9
  • 9617c63 http2: avoid Transport hang with Connection: close and AllowHTTP
  • See full diff in compare view

Updates golang.org/x/sys from 0.21.0 to 0.22.0

Commits
  • faed7ec unix: add PthreadChdir and PthreadFchdir on darwin
  • c892bb7 unix: fix MmapPtr test failing on OpenBSD
  • a0ef40a unix: fix MremapPtr test failing on NetBSD
  • daa2394 unix: add unsafe mmap, munmap, mremap
  • 7670087 windows: add GetAce Windows API
  • 348425a windows/svc: do not pass theService to windows.RegisterServiceCtrlHandlerEx
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
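The filepath-securejoin 0.3.x notes quoted above explain why a handle-based walk is safer than a lexical SecureJoin once an attacker can write to the rootfs: a path that was validated as a string can be swapped for a symlink before it is opened. The Go program below is an added illustration of that idea and is not code from filepath-securejoin, libpathrs or this repository. The function name `openInRootNoFollow`, the helper `setupDemoTree` and the directory layout it builds are assumptions made for the example. It walks an untrusted path one component at a time with openat(2) relative to a directory handle on the root, passing O_NOFOLLOW so that any symlink is refused and rejecting ".." outright. That is a deliberate simplification of the library's approach, which opens symlinks as O_PATH handles, re-resolves their targets inside the root and then upgrades the final O_PATH handle with Reopen.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// errSymlink is returned when the final component of the untrusted path is a symlink.
var errSymlink = errors.New("refusing to follow symlink")

// openInRootNoFollow opens unsafePath inside root without trusting a string
// path after it has been checked: each component is opened with openat(2)
// relative to the handle obtained for the previous component, with O_NOFOLLOW
// so a symlink fails (ELOOP for the final component, ENOTDIR for a directory
// step) instead of being followed. ".." is rejected and a leading "/" is
// treated as relative to root. Assumed name; not filepath-securejoin's OpenInRoot.
func openInRootNoFollow(root, unsafePath string, flags int) (*os.File, error) {
	var parts []string
	for _, p := range strings.Split(unsafePath, "/") {
		switch p {
		case "", ".":
			continue
		case "..":
			return nil, fmt.Errorf("%q: parent-directory components are not allowed", unsafePath)
		}
		parts = append(parts, p)
	}
	if len(parts) == 0 {
		return nil, errors.New("refusing to open the root directory itself")
	}
	// root is trusted, so it is the only path opened by name; everything after
	// this is opened relative to a handle we already hold.
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, fmt.Errorf("open root %s: %w", root, err)
	}
	for i, p := range parts {
		mode := syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i == len(parts)-1 {
			mode |= flags // final component: the caller's own open flags
		} else {
			mode |= syscall.O_RDONLY | syscall.O_DIRECTORY // intermediate: must be a real directory
		}
		fd, err := syscall.Openat(dirfd, p, mode, 0)
		syscall.Close(dirfd) // the parent handle is no longer needed
		if err != nil {
			if errors.Is(err, syscall.ELOOP) {
				return nil, fmt.Errorf("%q in %q: %w", p, unsafePath, errSymlink)
			}
			return nil, fmt.Errorf("open %q in %q: %w", p, unsafePath, err)
		}
		dirfd = fd
	}
	return os.NewFile(uintptr(dirfd), filepath.Join(root, filepath.Join(parts...))), nil
}

// readInRoot opens unsafePath read-only inside root and returns its content.
func readInRoot(root, unsafePath string) (string, error) {
	f, err := openInRootNoFollow(root, unsafePath, syscall.O_RDONLY)
	if err != nil {
		return "", err
	}
	defer f.Close()
	b, err := io.ReadAll(f)
	return string(b), err
}

// setupDemoTree builds a constructed layout under base: base/root is the
// untrusted tree, base/outside holds data the tree must never reach.
//   root/sub/file.txt  regular file "inside"
//   root/evil       -> base/outside         (symlink to a directory)
//   root/sub/link   -> base/outside/secret  (symlink to a file)
func setupDemoTree(base string) (string, error) {
	root, outside := filepath.Join(base, "root"), filepath.Join(base, "outside")
	steps := []func() error{
		func() error { return os.MkdirAll(filepath.Join(root, "sub"), 0o755) },
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "sub", "file.txt"), []byte("inside"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(outside, "secret"), []byte("secret"), 0o644) },
		func() error { return os.Symlink(outside, filepath.Join(root, "evil")) },
		func() error { return os.Symlink(filepath.Join(outside, "secret"), filepath.Join(root, "sub", "link")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	base, err := os.MkdirTemp("", "securejoin-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root, err := setupDemoTree(base)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"sub/file.txt", "/sub/file.txt", "evil/secret", "sub/link", "../outside/secret"} {
		if data, err := readInRoot(root, p); err != nil {
			fmt.Printf("%-18s rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-18s ok: %q\n", p, data)
		}
	}
}
```

Because every step after the root is an openat relative to a handle the walker already holds, an attacker who replaces `sub` with a symlink after the walk has descended into it cannot redirect the open, which is the class of race the release notes say SecureJoin cannot defend against. The example is Unix-only and, unlike the library, refuses symlinks rather than resolving their targets inside the root, so it is stricter than OpenInRoot.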

Bumps the dependencies group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/urfave/cli/v2](https://github.com/urfave/cli) | `2.27.2` | `2.27.3` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.24.0` | `0.25.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.21.0` | `0.22.0` |
| [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) | `1.1.0-alpha.3-proton` | `1.1.0-alpha.5-proton` |
| [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) | `0.2.5` | `0.3.1` |
| [github.com/mattn/go-runewidth](https://github.com/mattn/go-runewidth) | `0.0.15` | `0.0.16` |
| [github.com/skeema/knownhosts](https://github.com/skeema/knownhosts) | `1.2.2` | `1.3.0` |
| [github.com/xrash/smetrics](https://github.com/xrash/smetrics) | `0.0.0-20240312152122-5f08fbb34913` | `0.0.0-20240521201337-686a1a2994c1` |
| [golang.org/x/net](https://github.com/golang/net) | `0.26.0` | `0.27.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.21.0` | `0.22.0` |


Updates `github.com/urfave/cli/v2` from 2.27.2 to 2.27.3
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](urfave/cli@v2.27.2...v2.27.3)

Updates `golang.org/x/crypto` from 0.24.0 to 0.25.0
- [Commits](golang/crypto@v0.24.0...v0.25.0)

Updates `golang.org/x/term` from 0.21.0 to 0.22.0
- [Commits](golang/term@v0.21.0...v0.22.0)

Updates `github.com/ProtonMail/go-crypto` from 1.1.0-alpha.3-proton to 1.1.0-alpha.5-proton
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](ProtonMail/go-crypto@v1.1.0-alpha.3-proton...v1.1.0-alpha.5-proton)

Updates `github.com/cyphar/filepath-securejoin` from 0.2.5 to 0.3.1
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](cyphar/filepath-securejoin@v0.2.5...v0.3.1)

Updates `github.com/mattn/go-runewidth` from 0.0.15 to 0.0.16
- [Commits](mattn/go-runewidth@v0.0.15...v0.0.16)

Updates `github.com/skeema/knownhosts` from 1.2.2 to 1.3.0
- [Commits](skeema/knownhosts@v1.2.2...v1.3.0)

Updates `github.com/xrash/smetrics` from 0.0.0-20240312152122-5f08fbb34913 to 0.0.0-20240521201337-686a1a2994c1
- [Commits](https://github.com/xrash/smetrics/commits)

Updates `golang.org/x/net` from 0.26.0 to 0.27.0
- [Commits](golang/net@v0.26.0...v0.27.0)

Updates `golang.org/x/sys` from 0.21.0 to 0.22.0
- [Commits](golang/sys@v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/mattn/go-runewidth
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github.com/skeema/knownhosts
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/xrash/smetrics
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: golang.org/x/net
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Aug 1, 2024
@dependabot dependabot bot requested a review from EtienneM August 1, 2024 00:16
@github-actions github-actions bot enabled auto-merge August 1, 2024 00:17
@github-actions github-actions bot merged commit 3d7de67 into master Aug 1, 2024
4 checks passed
@github-actions github-actions bot deleted the dependabot/go_modules/dependencies-11c6624656 branch August 1, 2024 00:17