Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependencies to include security patches reported by dependabot for ecs-init #3277

Merged
merged 1 commit into from
Aug 26, 2022
Merged

Update dependencies to include security patches reported by dependabot for ecs-init #3277

merged 1 commit into from
Aug 26, 2022

Conversation

yinyic
Copy link
Contributor

@yinyic yinyic commented Jun 29, 2022
edited
Loading

Summary

Implementation details

Updated packages called out by dependabot

For amazon-ecs-agent/ecs-init, affected packages are

  1. github.com/opencontainers/runc - upgrade to use 1.1.2
    a. https://github.com/aws/amazon-ecs-agent/security/dependabot/20 requires 1.1.2
    b. https://github.com/aws/amazon-ecs-agent/security/dependabot/19 requires 1.0.0-rc9
    c. https://github.com/aws/amazon-ecs-agent/security/dependabot/18 requires 1.0.3
    d. https://github.com/aws/amazon-ecs-agent/security/dependabot/16 requires 1.0.0-rc91
    e. https://github.com/aws/amazon-ecs-agent/security/dependabot/15 requires 1.0.0-rc95
  2. github.com/opencontainers/image-spec upgrade to use 1.0.2
    a. https://github.com/aws/amazon-ecs-agent/security/dependabot/17 requires 1.0.2
  3. github.com/docker/docker upgrade to use 1.6.1
    a. https://github.com/aws/amazon-ecs-agent/security/dependabot/14 requires 1.6.1
  • Ran go get for all the required package versions
go get github.com/opencontainers/[email protected]
go get github.com/opencontainers/[email protected]
go get github.com/docker/[email protected]

Other deps

Aditionally, update golang.org/x/sys to use v0.0.0-20210615035016-665e8c7367d1 (oldest revision available on the repo page) due to

github.com/aws/amazon-ecs-agent/ecs-init/config imports
	github.com/fsouza/go-dockerclient imports
	github.com/docker/docker/pkg/archive imports
	golang.org/x/sys/execabs: module golang.org/x/sys@latest found (v0.0.0-20220627191245-f75cf1eec38b, replaced by golang.org/x/[email protected]), but does not contain package golang.org/x/sys/execabs

Morever, update github.com/fsouza/go-dockerclient to latest because

go: github.com/aws/amazon-ecs-agent/ecs-init/config imports
	github.com/fsouza/go-dockerclient imports
	github.com/docker/docker/opts imports
	github.com/docker/libnetwork/ipamutils imports
	github.com/docker/libnetwork/osl imports
	github.com/Sirupsen/logrus: github.com/Sirupsen/[email protected]: parsing go.mod:
	module declares its path as: github.com/sirupsen/logrus
	        but was required as: github.com/Sirupsen/logrus

Clean-up

  • Ran go mod tidy to resolve new transitive dependencies
  • Ran go mod vendor to update vendor directory

Testing

New tests cover the changes: no

Verified with make generic-rpm-integrated

...
+ cd /home/yinyic/go/src/github.com/aws/amazon-ecs-agent/BUILD
+ cd amazon-ecs-init-1.62.2
+ /usr/bin/rm -rf /home/yinyic/go/src/github.com/aws/amazon-ecs-agent/BUILDROOT/amazon-ecs-init-1.62.2-1.x86_64
+ exit 0
find RPMS/ -type f -exec cp {} . \;
touch .generic-rpm-integrated-done

Description for the changelog

Update dependencies to include security patches reported by dependabot for ecs-init

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

fierlion
fierlion previously approved these changes Jun 30, 2022
View reviewed changes
Copy link
Member

@fierlion fierlion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

glad to see the testing done. Thanks for this thorough work!

chienhanlin
chienhanlin previously approved these changes Jun 30, 2022
View reviewed changes
@yinyic yinyic dismissed stale reviews from chienhanlin and fierlion via 8218f58 August 24, 2022 20:50
@yinyic yinyic force-pushed the dependabot-ecs-init branch from 0676a39 to 8218f58 Compare August 24, 2022 20:50
@yinyic yinyic merged commit f4ca59d into aws:dev Aug 26, 2022
@yinyic yinyic changed the title Update dependencies to include security patches reported by dependabot Update dependencies to include security patches reported by dependabot for ecs-init Aug 27, 2022
@chienhanlin chienhanlin mentioned this pull request Sep 6, 2022
Merged
chienhanlin pushed a commit that referenced this pull request Sep 6, 2022
@yinyic @chienhanlin
Update dependencies to include security patches reported by dependabot (
dec1c2d 
#3277)
yinyic added a commit to yinyic/amazon-ecs-agent that referenced this pull request Sep 8, 2022
@yinyic
Revert "Update dependencies to include security patches reported by d…
0c0f9b7 
…ependabot (aws#3277)"

This reverts commit dec1c2d.
yinyic pushed a commit to yinyic/amazon-ecs-agent that referenced this pull request Sep 9, 2022
Revert "Update dependencies to include security patches reported by d…
6e3ede7 
…ependabot (aws#3277)"

This reverts commit f4ca59d.
yinyic pushed a commit to yinyic/amazon-ecs-agent that referenced this pull request Sep 12, 2022
Revert "Update dependencies to include security patches reported by d…
0be4d2e 
…ependabot (aws#3277)"

This reverts commit f4ca59d.
@yinyic yinyic mentioned this pull request Sep 12, 2022
Merged
yinyic added a commit that referenced this pull request Sep 12, 2022
@yinyic
Dependabot ecs-init fix (#3388)
6d031da 
* Revert "Update dependencies to include security patches reported by dependabot (#3277)"

This reverts commit f4ca59d.

* Revert some unnecessary dependabot upgrades

Co-authored-by: Yinyi Chen <[email protected]>
chienhanlin pushed a commit that referenced this pull request Sep 12, 2022
@yinyic @chienhanlin
Dependabot ecs-init fix (#3388)
7347b50 
* Revert "Update dependencies to include security patches reported by dependabot (#3277)"

This reverts commit f4ca59d.

* Revert some unnecessary dependabot upgrades

Co-authored-by: Yinyi Chen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chienhanlin chienhanlin chienhanlin approved these changes

@singholt singholt singholt approved these changes

@fierlion fierlion fierlion left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@yinyic @fierlion @singholt @chienhanlin @amazon-ecs-bot