Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: upgrade Go version to 1.23.6 to avoid vulnerability #21929

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: upgrade Go version to 1.23.6 to avoid vulnerability #21929

wants to merge 1 commit into from
+8 −6

Conversation

sivchari
Copy link
Contributor

close #21927

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@sivchari
upgrade Go version to 1.23.6 to avoid vulnerability
5dea2f4 
Signed-off-by: sivchari <shibuuuu5@gmail.com>
@sivchari sivchari requested review from a team as code owners February 21, 2025 02:21
@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Feb 21, 2025
edited
Loading

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔵 /bns:start to start the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@sivchari sivchari mentioned this pull request Feb 21, 2025
Open
14 tasks
@sivchari sivchari changed the title upgrade Go version to 1.23.6 to avoid vulnerability feat: upgrade Go version to 1.23.6 to avoid vulnerability Feb 21, 2025
@codecov Codecov
Copy link

codecov bot commented Feb 21, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.71%. Comparing base (7870200) to head (5dea2f4).
Report is 16 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #21929      +/-   ##
==========================================
+ Coverage   53.83%   55.71%   +1.87%     
==========================================
  Files         341      341              
  Lines       57004    57004              
==========================================
+ Hits        30689    31757    +1068     
+ Misses      23720    22600    -1120     
- Partials     2595     2647      +52

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

rumstead
rumstead reviewed Feb 21, 2025
View reviewed changes
go.mod
@@ -2,6 +2,8 @@ module github.com/argoproj/argo-cd/v3

go 1.22.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason to not change the version here as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To avoid CVE, we can only take care of the Go version used in this repository. The minimum Go version that ArgoCD repository requires is determined by Go toolchain directive. Go directive is a minimum version used by other modules when these try to build within the dependency of ArgoCD. Go1.22 is the version which Go team sill supports since Go1.22 is responsible for compiler #ref.
So I don't change the Go version.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a PR open to bump the go version. I haven't had time to investigate the failing tests. I think in general, we should just increase the go version & tools. I don't see the need to maintain different toolchain version.

Unless this provides a way for companies to rebuild the container in a easier way once it is released, I think in general we should aim to try to keep master up to date with the latest versions of everything.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rumstead rumstead rumstead left review comments

@agaudreault agaudreault agaudreault left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Please update to go1.23.6 or higher to cover vulnerabilities.
3 participants
@sivchari @rumstead @agaudreault