
Bump go-libp2p #585


jimmykarily

Trying to fix tests from this PR: #584

@mudler

mudler commented Dec 6, 2024

👋 @vyzo @marten-seemann maybe you guys can help here in the reviews? context: go1.22 is affected by CVEs (https://osv.dev/vulnerability/GO-2024-3302) quic-go/quic-go#4729

Thank you in advance! 🙇

Contributor

@marten-seemann marten-seemann left a comment

Misleading PR title. This is NOT fixing a test. It's simply bumping some deps.

@jimmykarily
Author

> Misleading PR title. This is NOT fixing a test. It's simply bumping some deps.

The title refers to the tests failing on this PR: #584

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily jimmykarily force-pushed the dependabot/go_modules/github.com/quic-go/quic-go-0.48.2 branch from a7832e1 to 2ed6398 on December 6, 2024 09:00
@jimmykarily
Author

Reworded the commit message to make more sense after merging

@jimmykarily jimmykarily changed the title from "Fix tests" to "Bump go-libp2p" Dec 6, 2024
@vyzo
Collaborator

vyzo commented Dec 6, 2024

What exactly is the issue?

We usually bump go-libp2p only when there are breaking changes; the idea is not to force any particular version and to make sure the latest works. We do that as a matter of policy because upgrading libp2p in upstream projects is kind of a big deal.

Having said that, if there is a good reason for the bump, sure, let's do it.

@vyzo
Collaborator

vyzo commented Dec 6, 2024

The right way to do this is with a PR directly to master; dependabot can rebase.

@marten-seemann
Contributor

The quic-go vulnerability only shows up because quic-go is imported by go-libp2p.
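
The transitive-import point above can be checked mechanically. The following Go program is an added example, not code from this PR or from go-libp2p: it parses a go.mod (a constructed sample is embedded), flags the `// indirect` requirement on `github.com/quic-go/quic-go`, and compares its version against a fixed version supplied by the caller. The fixed-version table is an assumption; v0.48.2 is taken from the name of the dependabot branch, and the authoritative fixed versions come from the advisory (GO-2024-3302).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one entry from a go.mod require directive; Indirect means the
// line carries "// indirect", i.e. the module is pulled in via another module.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// Finding records a requirement whose version is below the advisory's fixed version.
type Finding struct {
	Path, Have, Fixed string
	Indirect          bool
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
// quic-go appears only as an indirect requirement, the situation described in the PR.
const sampleGoMod = `module example.com/sample/project

go 1.22

require (
	github.com/libp2p/go-libp2p v0.37.0
	github.com/quic-go/quic-go v0.48.1 // indirect
)
`

// ParseRequires extracts require entries from go.mod text, handling both the
// block form and single-line "require path version" directives.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		indirect := strings.Contains(line, "// indirect")
		switch {
		case inBlock && len(fields) >= 2 && !strings.HasPrefix(fields[0], "//"):
			reqs = append(reqs, Requirement{fields[0], fields[1], indirect})
		case !inBlock && len(fields) >= 3 && fields[0] == "require":
			reqs = append(reqs, Requirement{fields[1], fields[2], indirect})
		}
	}
	return reqs
}

// coreVersion splits "v1.2.3-rc1" into [1 2 3] and reports whether a
// pre-release (or pseudo-version) suffix was present.
func coreVersion(v string) ([3]int, bool) {
	core, _, hasSuffix := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core, _, _ = strings.Cut(core, "+") // drop build metadata such as +incompatible
	var nums [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(part)
	}
	return nums, hasSuffix
}

// CompareVersions orders two module versions: -1 if a < b, 0 if equal, 1 if a > b.
// A pre-release sorts before the release with the same major.minor.patch.
func CompareVersions(a, b string) int {
	va, preA := coreVersion(a)
	vb, preB := coreVersion(b)
	for i := range va {
		if va[i] < vb[i] {
			return -1
		}
		if va[i] > vb[i] {
			return 1
		}
	}
	if preA != preB {
		if preA {
			return -1
		}
		return 1
	}
	return 0
}

// FindVulnerable returns the requirements whose version is older than the fixed
// version listed for that module path (fixed maps module path -> first patched version).
func FindVulnerable(reqs []Requirement, fixed map[string]string) []Finding {
	var out []Finding
	for _, r := range reqs {
		if fv, ok := fixed[r.Path]; ok && CompareVersions(r.Version, fv) < 0 {
			out = append(out, Finding{r.Path, r.Version, fv, r.Indirect})
		}
	}
	return out
}

func main() {
	// Assumed fixed version: v0.48.2 is what the dependabot branch targets.
	// Take real values from the advisory (GO-2024-3302) rather than from here.
	fixed := map[string]string{"github.com/quic-go/quic-go": "v0.48.2"}
	for _, f := range FindVulnerable(ParseRequires(sampleGoMod), fixed) {
		how := "direct requirement"
		if f.Indirect {
			how = "indirect: bump the module that imports it (here go-libp2p)"
		}
		fmt.Printf("%s %s < %s, %s\n", f.Path, f.Have, f.Fixed, how)
	}
}
```

This only reads what go.mod declares. `go list -m all` prints the actual build list, and `govulncheck ./...` additionally reports whether the vulnerable functions are reachable from your code; both consult the live module graph, which this offline check does not.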

@jimmykarily
Author

> The right way to do this is with a PR directly to master; dependabot can rebase.

I don't see any difference, but I can change it if you prefer that.

@jimmykarily jimmykarily mentioned this pull request Dec 9, 2024
@jimmykarily
Author

done: #586

@jimmykarily jimmykarily closed this Dec 9, 2024
@jimmykarily jimmykarily deleted the dependabot/go_modules/github.com/quic-go/quic-go-0.48.2 branch December 9, 2024 06:26
4 participants