update go dependency #304

Merged
merged 10 commits into from
Nov 7, 2023

rabbitprincess
Member

@rabbitprincess rabbitprincess commented Oct 30, 2023

What is changed?

Update dependencies to solve vulnerability issues (CVE-2023-44487)

Done

  • google.golang.org/grpc
  • github.com/improbable-eng/grpc-web
  • golang.org/x/crypto, /x/net

#286, #301

TODO

  • github.com/btcsuite/btcd
  • github.com/libp2p/go-libp2p

#242, #273

@rabbitprincess added the "dependencies" and "check hardfork" labels Oct 30, 2023
@kroggen changed the title from "Topic/update go dependency" to "update go dependency" Oct 30, 2023
@kroggen
Member

kroggen commented Oct 30, 2023

I implemented the replacement of btcd/btcec with dcrec/secp256k1

You can review the changes here

If you think they are OK, you can move the commit to this branch using this:

git fetch
git checkout topic/update-go-dependency
git merge topic/update-secp256k1

The go.mod is now referencing the btcd as an indirect dependency, probably because libp2p is not updated yet. Once you update it, the indirect dependency may be removed

@kroggen
Member

kroggen commented Oct 31, 2023

@gokch
When you edit the title or the first comment, it will trigger a new run of the CI workflow.
(It ran 4 times yesterday, ~18 minutes each.)
You can click on the "Actions" tab above, then select the run and "Cancel Job" to avoid running unnecessary duplicate CI jobs.

@rabbitprincess
Member Author

rabbitprincess commented Nov 1, 2023

I implemented the replacement of btcd/btcec with dcrec/secp256k1

You can review the changes here

If you think they are OK, you can move the commit to this branch using this:

git fetch
git checkout topic/update-go-dependency
git merge topic/update-secp256k1

The go.mod is now referencing the btcd as an indirect dependency, probably because libp2p is not updated yet. Once you update it, the indirect dependency may be removed

Good, but if the libp2p dependency is not updated, a different secp256k1 library will be used between account / libp2p.
I expect it is not a problem, but it is safer not to update now.

It seems better to update at the same time as libp2p is updated. (@sg31park is working on it.)

@kroggen
Member

kroggen commented Nov 1, 2023

Oh, I thought that libp2p would be updated within this PR, because of the checkboxes above

@kslee8282
Member

sync success

@kslee8282 added the "pass sync test" label Nov 7, 2023
Member

@hayarobi hayarobi left a comment

lgtm

@rabbitprincess rabbitprincess merged commit 3662150 into develop Nov 7, 2023
3 checks passed
@hayarobi hayarobi deleted the topic/update-go-dependency branch January 18, 2025 06:42
Labels
check hardfork, dependencies, pass sync test