Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade: Bump github.com/google/cel-go from 0.21.0 to 0.23.0 #257

Merged
merged 1 commit into from
Jan 27, 2025
Merged

Upgrade: Bump github.com/google/cel-go from 0.21.0 to 0.23.0 #257

merged 1 commit into from
Jan 27, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 27, 2025

Bumps github.com/google/cel-go from 0.21.0 to 0.23.0.

Release notes

Sourced from github.com/google/cel-go's releases.

Release v0.23.0

Features

  • First and last element in list support #1067
  • Add support for typed conformance tests. #1089
  • Add syntax for escaped field selectors. #1002
  • Add optional.unwrap() / .unwrapOpt() function #1103
  • Cost tracking for two-variable comprehensions and bindings #1104

Fixes

PR #1099 enables a change in the internal variable name used for comprehension result accumulation. This change may break some tests which inspect the AST contents in text form; however, will not break any existing uses of CEL during parse, check, or evaluation.

  • Improve policy compiler error message for incompatible outputs. #1082
  • Fix partial evaluation with the comprehension folder objects #1084
  • Introduce versioning options to all extensions #1075
  • Fix a crash in mismatched output check for nested rules #1086
  • improve debug output to properly quote byte strings #1088
  • Fix two-variable comprehension pruning #1083
  • Replace checks for valid UTF-8 in strings with go-maintained calls #1094
  • Policy nested rule fix #1092
  • Address non-const format string lint findings #1096
  • Fix typos in ext/README.md #1098
  • Add option to use inaccessible accumulator var #1097
  • Add test cases for string.format covering various edge cases #1101
  • Add base_config and partial_config files under restricted_destination testdata #1106
  • Default enable using hidden accumulator name #1099
  • Update PruneAst to support constants of optional type #1109

New Contributors

Full Changelog: google/cel-go@v0.22.1...v0.23.0

Release v0.22.1

Fixes

New Contributors

... (truncated)

Commits
  • 2f7606a Cost tracking for two-variable comprehensions and bindings (#1104)
  • 7621362 Add optional.unwrap() / .unwrapOpt() function (#1103)
  • 9f925d8 Bump the npm_and_yarn group across 1 directory with 2 updates (#1110)
  • 91fb306 Update PruneAst to support constants of optional type (#1109)
  • 33a7f97 Default enable using hidden accumulator name. (#1099)
  • ee426f4 Add base_config and partial_config files under restricted_destination testdat...
  • 43bc483 Add test cases for string.format covering various edge cases (#1101)
  • 628543b Fixes for google import. (#1102)
  • fa6eb32 Add option to use inaccessible accumulator var (#1097)
  • 7c5909e Update README.md (#1098)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Upgrade: Bump github.com/google/cel-go from 0.21.0 to 0.23.0
85ca733 
Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.21.0 to 0.23.0.
- [Release notes](https://github.com/google/cel-go/releases)
- [Commits](google/cel-go@v0.21.0...v0.23.0)

---
updated-dependencies:
- dependency-name: github.com/google/cel-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 27, 2025
@dryrunsecurity DryRunSecurity
Copy link

DryRun Security Summary

The code changes primarily involve updating project dependencies, including upgrading github.com/google/cel-go to version 0.23.0 and adding a new cel.dev/expr package, which can help address potential security vulnerabilities.

Expand for full summary

Summary:

The provided code changes primarily focus on updating the dependencies used in the project. The key changes include:

  1. Upgrading the github.com/google/cel-go dependency from version 0.21.0 to 0.23.0, which is generally a positive change as it can help address known security vulnerabilities.
  2. Adding a new dependency on the cel.dev/expr package, version v0.19.1.
  3. Updating the versions of several other dependencies, such as cloud.google.com/go, github.com/golang/protobuf, and github.com/google/cel-go.

From an application security perspective, these changes are generally positive, as upgrading dependencies to their latest versions can help address known security vulnerabilities. However, it's important to review the release notes and changelogs of the updated dependencies to understand any potential security-related changes or improvements.

Additionally, the introduction of a new dependency should be reviewed carefully to ensure that it is from a trusted source, has a good security track record, and does not introduce any known vulnerabilities. It's also a good practice to periodically review all dependencies in the go.mod and go.sum files and update them to the latest stable versions to help mitigate security risks.

Files Changed:

  • go.mod: This file has been updated to upgrade the github.com/google/cel-go dependency from version 0.21.0 to 0.23.0.
  • go.sum: This file has been updated to include the addition of a new dependency on the cel.dev/expr package, version v0.19.1, as well as updates to the versions of several other dependencies.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings

View PR in the DryRun Dashboard.

@santoshkal santoshkal merged commit c804cb2 into pre-main Jan 27, 2025
16 checks passed
@santoshkal santoshkal deleted the dependabot/go_modules/pre-main/github.com/google/cel-go-0.23.0 branch January 27, 2025 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@santoshkal