
@dduzgun-security
Collaborator

Description

  • Pick up the Go toolchain update for 1.24.7. Resolves CVE-2025-47910 vulnerability in net/http CrossOriginProtection.AddInsecureBypassPattern option.
  • Bump go-getter to v1.8.0 which now uses aws-sdk-go (v2).

Testing & Reproduction steps

Links

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.
  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

@dduzgun-security dduzgun-security requested review from a team as code owners September 5, 2025 21:55
Contributor

@pkazmierczak pkazmierczak left a comment


LGTM, thanks @dduzgun-security! Let's make sure this gets backported, too.

@dduzgun-security dduzgun-security self-assigned this Sep 8, 2025
@dduzgun-security dduzgun-security added labels Sep 8, 2025: theme/dependencies (Pull requests that update a dependency file), backport/ent/1.8.x+ent (Changes are backported to 1.8.x+ent), backport/ent/1.9.x+ent (Changes are backported to 1.9.x+ent), backport/1.10.x (backport to 1.10.x release line)
@dduzgun-security dduzgun-security merged commit 8a96929 into main Sep 8, 2025
50 checks passed
@dduzgun-security dduzgun-security deleted the bump/go-and-go-getter branch September 8, 2025 15:10
dduzgun-security added a commit that referenced this pull request Sep 8, 2025
* no-op commit due to failed cherry-picking

* bump: go and go-getter versions (#26713)

---------

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
tgross added a commit that referenced this pull request Sep 8, 2025
@tgross tgross mentioned this pull request Sep 8, 2025
tgross added a commit that referenced this pull request Sep 9, 2025
The `go-getter` update in #26713 is not passing tests upstream (apparently hashicorp/go-getter#548 is the origin of the problem but that PR did not ever run tests). The issue being fixed isn't a critical vulnerability, so in the interest of preparing us for the next release, revert the `go-getter` change but keep the Go toolchain update.

We'll skip go-getter 1.8.0 and pick up the next patch version once its issues are fixed.
Reverts commit 8a96929.