Install gosec from vendor and pin to 1.3.0 #1502
Conversation
Signed-off-by: Yuri Shkuro <ys@uber.com>
yurishkuro
requested review from
black-adder,
jpkrohling,
objectiser,
pavolloffay,
tiffon and
vprithvi
as code owners
| @@ -124,15 +129,12 @@ required = [ | |||
| unused-packages = true | |||
| [[prune.project]] | |||
| name = "github.com/gogo/protobuf" | |||
| non-go = false | |||
There was a problem hiding this comment.
these were causing dep warnings as redundant
| "github.com/golang/protobuf/protoc-gen-go", | ||
| "github.com/gogo/protobuf/protoc-gen-gogo", | ||
| "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway", | ||
| "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger" | ||
| ] | ||
|
|
||
| [[constraint]] | ||
| name = "github.com/securego/gosec" | ||
| version = "1.3.0" |
There was a problem hiding this comment.
dep will consider this as "^1.3.0" by default. To pin, use "=1.3.0"
There was a problem hiding this comment.
I think it's fine to upgrade when they do new releases, the issue is that today we were pulling master every time. Hopefully numbered releases will be more stable.
There was a problem hiding this comment.
I also expect that this will be removed by dep the next time someone runs update because its not required by the project directly. I suggest adding this as a required package.
See https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md#required
Codecov Report
@@ Coverage Diff @@
## master #1502 +/- ##
=======================================
Coverage 99.81% 99.81%
=======================================
Files 181 181
Lines 8652 8652
=======================================
Hits 8636 8636
Misses 8 8
Partials 8 8Continue to review full report at Codecov.
|
|
@yurishkuro We had the same problem in the operator, but seems like gosec master is back to working now. Not sure if you wanted to revert this change? |
|
I'd prefer they just release a new version. Dep will pick it up on the next --update. |
Resolves #1501