Skip to content

Bump go-libp2p#586

Closed
jimmykarily wants to merge 1 commit into
libp2p:masterfrom
jimmykarily:bump-go-libp2p
Closed

Bump go-libp2p#586
jimmykarily wants to merge 1 commit into
libp2p:masterfrom
jimmykarily:bump-go-libp2p

Conversation

@jimmykarily

Copy link
Copy Markdown

because otherwise, security scanners complain about this:

https://osv.dev/vulnerability/GO-2024-3302

Replaces this PR as per the comment

because otherwise, security scanners complain about this:

https://osv.dev/vulnerability/GO-2024-3302

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily jimmykarily mentioned this pull request Dec 9, 2024
@marten-seemann

Copy link
Copy Markdown
Contributor

Security scanners can be silenced if they produce nonsensical results. And if they can't, they're worthless and should not be taken seriously in the first place.

@jimmykarily

Copy link
Copy Markdown
Author

Security scanners can be silenced if they produce nonsensical results. And if they can't, they're worthless and should not be taken seriously in the first place.

Correct. But what makes you say it's a nonsensical result in this case? Actually, you were the one to provide the fix:

is it not needed?

@marten-seemann

Copy link
Copy Markdown
Contributor

We're going in circles: #585 (comment).

@jimmykarily

Copy link
Copy Markdown
Author

We're going in circles: #585 (comment).

"the idea is not to force any particular version"

How exactly is go-libp2p-pubsub doing this? . The way go dependencies work, this line here makes sure a specific version is being used:

github.com/libp2p/go-libp2p v0.36.3

@marten-seemann

marten-seemann commented Dec 9, 2024

Copy link
Copy Markdown
Contributor

It is NOT necessary to bump dependencies in every single library that is only ever used transitively (like go-libp2p-pubsub, which is only used in conjunction with go-libp2p). Same reason we don't update to the quic-go release in masque-go or webtransport-go: Applications can just update their dependencies. This is the place where security scanners make sense.

I'm going to disengage from this discussion now, and I'll leave it to @vyzo to deal with PR.

@jimmykarily

Copy link
Copy Markdown
Author

You got me reading docs :D (which is a good thing). I guess it's misunderstanding on my side on what go.sum entries mean. Probably the security scan tool makes the same mistake. Feel free to ignore and close this PR.

@marten-seemann

Copy link
Copy Markdown
Contributor

Nope, the scan is technically correct. If you were running go-libp2p-pubsub as a standalone program (which you don't, it's a library!), then you'd include a vulnerable quic-go version. Since go-libp2p-pubsub is always used with go-libp2p, it doesn't really matter if go-libp2p-pubsub specifies an old version, since the version defined by go-libp2p is used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants