spegel/0.0.27-r0: cve remediation #35698
Conversation
![octo-sts[bot]](https://avatars.githubusercontent.com/in/801323?s=60&v=4){kind=small}
|
Gen AI suggestions to solve the build error: • Detected Error: Multiple compilation errors related to quic-go package compatibility, primarily: • Error Category: Dependency Version Incompatibility • Failure Point: go/build step in the pipeline, specifically when compiling dependencies after the version bump • Root Cause Analysis: The requested bump to quic-go v0.48.2 is incompatible with other dependencies, particularly webtransport-go and libp2p, due to breaking API changes in quic-go • Suggested Fix:
pipeline:
- uses: git-checkout
with:
repository: https://github.com/spegel-org/spegel
tag: v${{package.version}}
expected-commit: 9237bce5f337fb5362984b5206f7dfb7fbf3aa5d
# Remove the go/bump step entirely
- uses: go/build
with:
packages: ./
ldflags: "-s -w -extldflags '-static'"
output: spegel• Explanation: The forced bump to quic-go v0.48.2 is breaking compatibility with dependent packages. Removing the explicit version bump will allow Go's module system to resolve to compatible versions automatically based on the go.mod requirements of all dependencies. • Additional Notes:
• References:
|
…st quic-go dependency, which remediates GHSA-px8v-pp82-rcvr. Upstream already made a similar change in main, but its not yet made it into a release. Signed-off-by: Mark McCormick <[email protected]>
octo-sts
bot
added
the
bincapz/pass
Automated commit attempted to bump quic-go dependnecy to remediate GHSA-px8v-pp82-rcvr. However the latest version of quic-go, also required another dependency (go-libp2p) to be upgraded.
The good news, upstream already made similar changes in main as part of: spegel-org/spegel#659, they just haven't made it into a release yet.
spegel/0.0.27-r0: fix GHSA-px8v-pp82-rcvr
Advisory data: https://github.com/wolfi-dev/advisories/blob/main/spegel.advisories.yaml