deps: update dependencies for all modules #7624

Status: Merged (1 commit, Sep 13, 2024)
2 changes: 1 addition & 1 deletion cmd/protoc-gen-go-grpc/go.mod
@@ -1,6 +1,6 @@
module google.golang.org/grpc/cmd/protoc-gen-go-grpc

go 1.21
go 1.22.7
Member


Is it necessary to specify a patch version here? Or is this just what go get go@1.22 does?

Contributor Author


This is the default behaviour when running go get go@1.22 && go mod tidy. This change seems to be introduced in the Go toolchain since 1.21: https://tip.golang.org/doc/go1.21#tools

Contributor


The issue with specifying the patch version that is not 0 is that now all modules that import this module will have to use this or a newer version. There may be reasons people don't or cannot use the more recent patch version. FWIW I think a library shouldn't have an opinion on the patch version used.

An example of this - we use https://github.com/golang-fips/go/ to provide FIPS-compatible builds. Not all Go versions may be available there e.g. right now there is no 1.23.2. Go 1.22.7 was released 2024-09-05 but FIPS version was tagged 2024-09-27. If grpc-go released a CVE fix in the window of those 22 days, we wouldn't have been able to upgrade.

TL;DR this doesn't benefit grpc-go in any way but might hurt your users.

Contributor Author


All the dependencies for grpc-go are bumped to the latest versions soon after a release branch is cut. If any dependency specifies a patch version > 0, grpc-go will also need to specify at least that version.

There are some measures preventing the example scenario mentioned above:

  1. Once the Go version is bumped, the change will enter the first release branch after roughly 6 weeks.
  2. grpc-go does patch releases for recent minor versions. So the security patch would be applied to older releases as well. Older grpc-go releases would be using an older version of Go.

Contributor


If any dependency specifies a patch version > 0, grpc-go will also need to specify at least that version.

I understand. This is not under your control, of course. Is this actually happening?

There are some measures preventing the example scenario mentioned above:

Yes. But then I also cannot use the latest version sometimes.

I can only repeat what I've said already - this doesn't benefit grpc-go in any way but might hurt your users.


Agree completely with @ash2k. Upgrading the toolchain involves a lot of testing. This library (or any other) should not force patch versions. I think it was a mistake the Go authors even introduced that concept.

Contributor Author


Discussed with other maintainers and we decided to remove the go minor versions: #7831


@matthewhartstonge, Nov 13, 2024


lol good call. 👍
Our CI last night saw red across all our microservices via dependabot updates. 😅

Are we able to get a patch release?

Contributor Author


We don't plan to do a patch release for this change alone. If there are bugs discovered in 1.68.0, we may cherry-pick the change into the next patch release.



How often are minor versions created (i.e. is there a v1.69.0 in the works)? If there are no plans for a v1.69.0, and let's say there happen to be 0 bugs or vulnerabilities in 1.68.0, then people who cannot use go1.22.7 would not be able to use v1.68.0.

If there are plans to get a v1.69.0 out sometime in the near future, then not backporting this fix into v1.68 isn't a huge deal. If there are no plans, then I think this, alone, is worth backporting into v1.68.1 so people can use it.
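As an added example illustrating the constraint discussed in the thread above (this is not code from the grpc-go repository or from any participant): a small Go check that reads the `go` directive of a go.mod file, flags whether it pins a patch level, and decides whether a given toolchain version can satisfy that minimum. It models only release versions (an rc or beta tag is rejected), and any go.mod text or toolchain version passed in is the caller's own input.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// GoDirective extracts the version from a go.mod "go" line and reports
// whether it pins a patch level ("1.22.7" -> true, "1.22" -> false).
func GoDirective(gomod string) (string, bool, error) {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return f[1], strings.Count(f[1], ".") == 2, nil
		}
	}
	return "", false, fmt.Errorf("no go directive found")
}

// parse turns "1.22.7" into [1 22 7]; an omitted patch counts as 0, so a
// "go 1.22" minimum is met by any 1.22.x toolchain. Pre-release tags such
// as "1.22rc1" are deliberately not modelled and are rejected (ok=false).
func parse(v string) (out [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// Satisfies reports whether toolchain `have` meets the go.mod minimum `need`,
// comparing major, minor and patch in that order.
func Satisfies(have, need string) (bool, error) {
	h, ok1 := parse(have)
	n, ok2 := parse(need)
	if !ok1 || !ok2 {
		return false, fmt.Errorf("unsupported version in %q / %q", have, need)
	}
	for i := range h {
		if h[i] != n[i] {
			return h[i] > n[i], nil
		}
	}
	return true, nil
}
```

With a lagging toolchain such as 1.22.6, `Satisfies("1.22.6", "1.22.7")` is false while `Satisfies("1.22.6", "1.22")` is true, which is exactly the difference between the two forms of the directive debated here.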


require (
google.golang.org/grpc v1.65.0
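Review bot: the `go 1.22.7` line in this hunk makes a patch-level toolchain the minimum for this module and for everything that imports it; since Go 1.21 the go directive is a hard requirement that the toolchain will try to satisfy by downloading a newer release when GOTOOLCHAIN allows it. Unless something here needs a 1.22.7-only fix, `go 1.22` keeps the same language version without pinning importers to a patch release. Separately, the unchanged context line `google.golang.org/grpc v1.65.0` shows this module still requires v1.65.0 while examples/go.mod in the same PR moves to v1.66.2; with a title of "update dependencies for all modules" that looks like an oversight, or it should be explained in the commit message.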
80 changes: 40 additions & 40 deletions examples/go.mod
@@ -1,45 +1,45 @@
module google.golang.org/grpc/examples

go 1.21
go 1.22.7

require (
github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20
github.com/prometheus/client_golang v1.20.0
go.opentelemetry.io/otel/exporters/prometheus v0.50.0
go.opentelemetry.io/otel/sdk/metric v1.28.0
golang.org/x/oauth2 v0.22.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142
google.golang.org/grpc v1.66.0
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78
github.com/prometheus/client_golang v1.20.3
go.opentelemetry.io/otel/exporters/prometheus v0.52.0
go.opentelemetry.io/otel/sdk/metric v1.30.0
golang.org/x/oauth2 v0.23.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1
google.golang.org/grpc v1.66.2
google.golang.org/grpc/gcp/observability v1.0.1
google.golang.org/grpc/security/advancedtls v1.0.0
google.golang.org/grpc/stats/opentelemetry v0.0.0-20240816220358-f8d98a477c22
google.golang.org/grpc/stats/opentelemetry v0.0.0-20240912061038-b6fde8cdd1c0
google.golang.org/protobuf v1.34.2
)

require (
cel.dev/expr v0.16.0 // indirect
cel.dev/expr v0.16.1 // indirect
cloud.google.com/go v0.115.1 // indirect
cloud.google.com/go/auth v0.8.1 // indirect
cloud.google.com/go/auth v0.9.4 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
cloud.google.com/go/compute/metadata v0.5.0 // indirect
cloud.google.com/go/logging v1.11.0 // indirect
cloud.google.com/go/longrunning v0.5.12 // indirect
cloud.google.com/go/monitoring v1.20.4 // indirect
cloud.google.com/go/trace v1.10.12 // indirect
cloud.google.com/go/longrunning v0.6.0 // indirect
cloud.google.com/go/monitoring v1.21.0 // indirect
cloud.google.com/go/trace v1.11.0 // indirect
contrib.go.opencensus.io/exporter/stackdriver v0.13.15-0.20230702191903-2de6d2748484 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.28 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.28 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.33 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect
github.com/aws/smithy-go v1.20.4 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
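Review bot: the same `go 1.22.7` pin appears here for the examples module; whatever is decided for the cmd/protoc-gen-go-grpc/go.mod line should be applied to this one as well so the two modules do not diverge. The remaining lines are routine version bumps (`golang.org/x/oauth2`, `cloud.google.com/go/auth`, the aws-sdk-go-v2 family and the opentelemetry packages); a sentence in the commit message saying which of them, if any, carry security fixes would let reviewers and downstream consumers decide how urgently to pick the change up.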
@@ -53,31 +53,31 @@ require (
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/s2a-go v0.1.8 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/gax-go/v2 v2.13.0 // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/common v0.59.1 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.28.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
go.opentelemetry.io/otel v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.28.0 // indirect
go.opentelemetry.io/otel/sdk v1.28.0 // indirect
go.opentelemetry.io/otel/trace v1.28.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/net v0.28.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.30.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
go.opentelemetry.io/otel v1.30.0 // indirect
go.opentelemetry.io/otel/metric v1.30.0 // indirect
go.opentelemetry.io/otel/sdk v1.30.0 // indirect
go.opentelemetry.io/otel/trace v1.30.0 // indirect
golang.org/x/crypto v0.27.0 // indirect
golang.org/x/net v0.29.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.24.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/text v0.18.0 // indirect
golang.org/x/time v0.6.0 // indirect
google.golang.org/api v0.192.0 // indirect
google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
google.golang.org/api v0.197.0 // indirect
google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
google.golang.org/grpc/stats/opencensus v1.0.0 // indirect
)
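Review bot: `golang.org/x/crypto` and `golang.org/x/net` move to v0.27.0 and v0.29.0 in this hunk, but no examples/go.sum change is visible on this page (the file list never finished loading). Please confirm go.sum was regenerated with `go mod tidy` so checksums for every new version are recorded, and consider running `govulncheck ./...` in the examples module after the bump and noting the result in the PR.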
