Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace whilp/git-urls module by chainguard-dev/git-urls #664

Merged
merged 1 commit into from
Dec 6, 2023
Merged

Replace whilp/git-urls module by chainguard-dev/git-urls #664

merged 1 commit into from
Dec 6, 2023

Conversation

hectorj2f
Copy link
Contributor

We discovered a vulnerability on the module github.com/whilp/git-urls GHSA-3f2q-6294-fmq5. This repository doesn't look to be maintained at this moment. That is why we decided to fix the vulnerability and move the repository over our organization. We plan to maintain this repository in the future.

hiddeco
hiddeco reviewed Dec 5, 2023
View reviewed changes
Copy link
Member

@hiddeco hiddeco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The hard coded limit in this project is less than our own limit of 2048, which we already enforced in #654 (and in the further validation of the URL field within the API object itself).

Given this, we can not just merge this without it breaking backwards compatibility with existing validation rules (which arguably are too wide, but I have seen weird URLs in corporate environments).

@hectorj2f
Copy link
Contributor Author

@hiddeco I don't see why we couldn't bump that limit to 2048 on our side. Let me handle that change and publish a new release.

@hectorj2f hectorj2f requested a review from hiddeco December 5, 2023 23:59
hiddeco
hiddeco approved these changes Dec 6, 2023
View reviewed changes
Copy link
Member

@hiddeco hiddeco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merci beaucoup @hectorj2f! 🙇

@stefanprodan
Copy link
Member

@hectorj2f can you please run make tidy and force push the changes, this will trim go.sum and fix the CI.

@stefanprodan stefanprodan added the dependencies Pull requests that update a dependency label Dec 6, 2023
makkes
makkes approved these changes Dec 6, 2023
View reviewed changes
Copy link
Member

@makkes makkes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Hector!

@hiddeco hiddeco force-pushed the replace_go_module branch 2 times, most recently from e9ca446 to befca49 Compare December 6, 2023 08:20
@hiddeco hiddeco added the backport:release/v1.2.x To be backported to release/v1.2.x label Dec 6, 2023
@hiddeco hiddeco merged commit 9f90225 into fluxcd:main Dec 6, 2023
7 checks passed
@fluxcdbot
Copy link
Member

Successfully created backport PR for release/v1.2.x:

@fluxcdbot fluxcdbot mentioned this pull request Dec 6, 2023
Merged
@hectorj2f
Copy link
Contributor Author

Thanks for the reviews!

@hectorj2f hectorj2f deleted the replace_go_module branch December 6, 2023 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiddeco hiddeco hiddeco approved these changes

@cpanato cpanato cpanato approved these changes

@makkes makkes makkes approved these changes

Assignees
No one assigned
Labels
backport:release/v1.2.x To be backported to release/v1.2.x dependencies Pull requests that update a dependency
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@hectorj2f @stefanprodan @fluxcdbot @makkes @cpanato @hiddeco