deps: update golang.org/x/net to latest in all modules #5847
Conversation
| @@ -17,5 +17,6 @@ require ( | |||
| github.com/envoyproxy/protoc-gen-validate v0.1.0 // indirect | |||
| github.com/golang/protobuf v1.5.2 // indirect | |||
| github.com/stoewer/go-strcase v1.2.0 // indirect | |||
| golang.org/x/text v0.3.7 // indirect | |||
| golang.org/x/net v0.4.0 // indirect | |||
There was a problem hiding this comment.
are we adding golang.org/x/net as a dependency for the new v0.5.0 for golang.org/x/text?
There was a problem hiding this comment.
Interesting. TBH I just blindly did go get ..x/net and assumed go mod tidy would remove it if it wasn't needed by anything in practice. These are indirect dependencies, meaning something we depend on apparently depends on it. It seems like a good idea to bump it, too, in case they didn't, and in case it matters.
There was a problem hiding this comment.
The golang.org/x/ projects started to tag "SemVer®" releases, erm.. by not really following SemVer, but just tagging new releases periodically (CalVer disguising as SemVer?); well, mostly because they have circular dependencies; see golang/go#48523
| @@ -8,6 +8,7 @@ require ( | |||
| github.com/golang/protobuf v1.5.2 | |||
| golang.org/x/exp/typeparams v0.0.0-20221114191408-850992195362 // indirect | |||
| golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 | |||
| golang.org/x/sys v0.3.0 // indirect | |||
There was a problem hiding this comment.
same question here. Are we adding this import because its required for the upgrade?
Bumping this to stay on top of any potential critical issues. There is a known CVE with the older version, which does not directly affect us, but it seems like a good idea to update anyway. @ejona86
RELEASE NOTES: none