Batched Dependabot updates #28863

Merged
merged 34 commits into from
Jul 10, 2023

Conversation

@dependabot-batcher dependabot-batcher bot commented Jul 9, 2023

dependabot bot and others added 30 commits July 5, 2023 21:40
Bumps [@grpc/grpc-js](https://github.com/grpc/grpc-node) from 1.6.7 to 1.8.8.
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/@grpc/grpc-js@1.6.7...@grpc/grpc-js@1.8.8)

---
updated-dependencies:
- dependency-name: "@grpc/grpc-js"
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.43.0 to 1.53.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.43.0...v1.53.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.52.3 to 1.53.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.52.3...v1.53.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tough-cookie](https://github.com/salesforce/tough-cookie) from 4.1.2 to 4.1.3.
- [Release notes](https://github.com/salesforce/tough-cookie/releases)
- [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md)
- [Commits](salesforce/tough-cookie@v4.1.2...v4.1.3)

---
updated-dependencies:
- dependency-name: tough-cookie
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](golang/oauth2@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/sashabaranov/go-openai](https://github.com/sashabaranov/go-openai) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/sashabaranov/go-openai/releases)
- [Commits](sashabaranov/go-openai@v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: github.com/sashabaranov/go-openai
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.27.2 to 0.27.3.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.27.2...v0.27.3)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/bufbuild/connect-go](https://github.com/bufbuild/connect-go) from 1.7.0 to 1.9.0.
- [Release notes](https://github.com/bufbuild/connect-go/releases)
- [Commits](bufbuild/connect-go@v1.7.0...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/bufbuild/connect-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/service/sqs](https://github.com/aws/aws-sdk-go-v2) from 1.22.0 to 1.23.2.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.22.0...service/ecs/v1.23.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sqs
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/service/glue](https://github.com/aws/aws-sdk-go-v2) from 1.53.0 to 1.54.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go-v2@service/ec2/v1.53.0...service/ec2/v1.54.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/glue
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.35.0 to 1.36.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.35.0...service/s3/v1.36.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](golang/oauth2@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cloud.google.com/go/iam](https://github.com/googleapis/google-cloud-go) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](googleapis/google-cloud-go@dlp/v1.1.0...iam/v1.1.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/iam
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.1 to 1.56.2.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.56.1...v1.56.2)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](golang/oauth2@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.102.0 to 1.103.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go-v2@service/ec2/v1.102.0...service/ec2/v1.103.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ervice/ec2-1.103.0 into batched-dependabot-updates
…ng.org/grpc-1.53.0 into batched-dependabot-updates
@@ -35,7 +35,7 @@
"@gravitational/build": "^1.0.0",
"@gravitational/design": "1.0.0",
"@gravitational/shared": "1.0.0",
"@grpc/grpc-js": "1.6.7",
"@grpc/grpc-js": "1.8.8",
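Review bot: this hunk moves a pinned `@grpc/grpc-js` entry two minor versions in one step (1.6.7 to 1.8.8) while the neighbouring `@gravitational/build` entry uses a caret range, so the exact pin is what drives the yarn.lock change asked about in the thread; confirm the lockfile in this PR was regenerated from this line rather than hand-edited, so package.json and yarn.lock agree and the lock does not carry both a 1.6.x and a 1.8.x copy of the package.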

@ravicious @gzdunek will this and the corresponding yarn.lock changes cause any issues?


It should be fine, I didn't see any breaking changes in the changelog. I also didn't notice any problems when testing locally.

@ravicious

Do we typically backport those to all active release branches?

@rosstimothy

> Do we typically backport those to all active release branches?

No. Dependency updates are generally only backported to address a CVE or if they are critical to a feature or fixing a bug.

@codingllama codingllama added this pull request to the merge queue Jul 10, 2023
Merged via the queue into master with commit c6529af Jul 10, 2023
@codingllama codingllama deleted the batched-dependabot-updates branch July 10, 2023 15:25
jentfoo commented Jul 10, 2023

@rosstimothy and @codingllama, in this case this update did address a couple of CVEs:

Can we get the protobufjs and tough-cookie npm updates backported?

@rosstimothy

> @rosstimothy and @codingllama, in this case this update did address a couple of CVEs:
>
> Can we get the protobufjs and tough-cookie npm updates backported?

@jentfoo like with previous CVE updates I would update the dependencies directly on the release branches instead of trying to backport dependabot PRs. You're likely to have a much easier time that way than trying to resolve any conflicts which may arise from a backport.

jentfoo commented Jul 10, 2023

Thank you @rosstimothy! We need to figure out how to automate these still too, but till then I will keep trying to watch for anything slipping through the cracks.
