Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
build(deps): Bump golang.org/x/tools from 0.10.0 to 0.11.0 (#466)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/golang/tools/releases">golang.org/x/tools's releases</a>.</em></p> <blockquote> <h2>gopls/v0.11.0</h2> <p>This is a small release containing new integrations of vulnerability analysis.</p> <p>Vulnerability analysis for go.mod files can be enabled by configuring the <a href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#vulncheck-enum"><code>"vulncheck"</code></a> setting to <code>"Imports"</code>. For more information on vulnerability management, see the <a href="https://go.dev/blog/vuln">Vulnerability Management for Go</a> blog post.</p> <h2>Support changes</h2> <p>This release removes support for the <code>"experimentalUseInvalidMetadata"</code> setting, as described in the <a href="https://github.com/golang/tools/releases/tag/gopls%2Fv0.10.0">v0.10.0</a> release. Other settings slated for deprecation in that release remain temporarily supported, but will be removed in v0.12.0.</p> <h2>New Features</h2> <h3>Analyzing dependencies for vulnerabilities</h3> <p>This release offers two different options for detecting vulnerabilities in dependencies. Both are backed by the Go vulnerability database (<a href="https://vuln.go.dev">https://vuln.go.dev</a>) and complement each other.</p> <ul> <li>Imports-based scanning, enabled by the <a href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#vulncheck-enum"><code>"vulncheck": "Imports"</code></a> setting, reports vulnerabilities by scanning the set of packages imported in the workspace. This is fast, but may report more false positives.</li> <li>Integration of the <a href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck">golang.org/x/vuln/cmd/govulncheck</a> command-line tool performs a more precise analysis based on-call graph reachability, with fewer false positives. Because it is slower to compute, it must be manually triggered by using "Run govulncheck to verify" code actions or the <a href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#run-govulncheck"><code>"codelenses.run_govulncheck"</code></a> code lens on <code>go.mod</code> files.</li> </ul> <p><a href="https://user-images.githubusercontent.com/4999471/206977512-a821107d-9ffb-4456-9b27-6a6a4f900ba6.mp4">https://user-images.githubusercontent.com/4999471/206977512-a821107d-9ffb-4456-9b27-6a6a4f900ba6.mp4</a></p> <!-- raw HTML omitted --> <h3>Additional checks for the <code>loopclosure</code> analyzer</h3> <p>The <a href="https://github.com/golang/tools/blob/master/gopls/doc/analyzers.md#loopclosure"><code>loopclosure</code></a> analyzer, which reports problematic references from a nested function to a variable of an enclosing loop, has been improved to catch more cases. In particular, it now reports when subtests <a href="https://pkg.go.dev/testing#T.Parallel">run in parallel</a> with the loop, a mistake that often results in all but the final test case being skipped.</p> <p><img src="https://user-images.githubusercontent.com/57144380/206764370-7fc3c464-af04-4e4e-bb10-a6a0a89a99e3.png" alt="image" /></p> <h2>Configuration changes</h2> <ul> <li>The <a href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#vulncheck-enum"><code>"vulncheck"</code></a> setting controls vulnerability analysis based on the Go vulnerability database. If set to <code>"Imports"</code>, gopls will compute diagnostics related to vulnerabilities in dependencies, and will present them in go.mod files.</li> <li>The <a href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#run-govulncheck"><code>"codelenses.run_govulncheck"</code></a> setting controls the presence of code lenses that run the <a href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck">govulncheck</a> command, which takes longer but produces more accurate vulnerability reporting based on call-graph reachability.</li> </ul> <h2>Bug fixes</h2> <p>This version of gopls includes fixes to several bugs, notably:</p> <ul> <li><code>golang/go#57053</code></li> <li><code>golang/go#55837</code><a href="https://redirect.github.com/golang/go/issues/56450">golang/go#56450</a>).</li> <li><code>golang/go#54816</code></li> </ul> <p>A full list of all issues fixed can be found in the <a href="https://github.com/golang/go/milestone/293?closed=1">gopls/v0.11.0</a> milestone. To report a new problem, please file a new issue at <a href="https://go.dev/issues/new">https://go.dev/issues/new</a>.</p> <h2>Thank you to our contributors</h2> <p><a href="https://github.com/Arsen6331"><code>@Arsen6331</code></a>, <a href="https://github.com/SN9NV"><code>@SN9NV</code></a>, <a href="https://github.com/adonovan"><code>@adonovan</code></a>, <a href="https://github.com/bcmills"><code>@bcmills</code></a>, <a href="https://github.com/dle8"><code>@dle8</code></a>, <a href="https://github.com/findleyr"><code>@findleyr</code></a>, <a href="https://github.com/hyangah"><code>@hyangah</code></a>, <a href="https://github.com/pjweinbgo"><code>@pjweinbgo</code></a>, <a href="https://github.com/suzmue"><code>@suzmue</code></a></p> <h2>gopls/v0.10.1</h2> <p>This release contains a fix for <a href="https://redirect.github.com/golang/go/issues/56505">golang/go#56505</a>: a new crash during method completion on variables of type <code>*error</code>.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/tools/commit/675bf3c243d60cbba429fad9924e520e8a86074f"><code>675bf3c</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/tools/commit/ad52c1ca35fb661c53eedbdee5f3b0e3c33e54e1"><code>ad52c1c</code></a> go/ssa/interp: support conversions to slices of named bytes</li> <li><a href="https://github.com/golang/tools/commit/14ec3c023fa0003b489ce1abe0484924ea5276f8"><code>14ec3c0</code></a> gopls/doc/contributing.md: document error handling strategies</li> <li><a href="https://github.com/golang/tools/commit/c4953641676aa4639fcbd2ca825c43cedeaa9e8c"><code>c495364</code></a> go/packages/gopackages: document -mode flag</li> <li><a href="https://github.com/golang/tools/commit/87ad891fe35467be3d692a3f37fef9fb5cb08dcd"><code>87ad891</code></a> gopls/internal/lsp/source/typerefs: move test into _test.go</li> <li><a href="https://github.com/golang/tools/commit/27fd94e099b2bbd4c660f0b140af121af9a943c8"><code>27fd94e</code></a> internal/fastwalk: doc formatting fixes (including godoc links)</li> <li><a href="https://github.com/golang/tools/commit/d362be0cdb73ca5215ecaaf1514120c6b8b955e9"><code>d362be0</code></a> gopls/internal/lsp/filecache: reduce GC frequency</li> <li><a href="https://github.com/golang/tools/commit/969078be460fb5efe195a1d4c69e3701298e9a21"><code>969078b</code></a> Revert "go/analysis: add Sizes that matches gc size computations"</li> <li><a href="https://github.com/golang/tools/commit/5aa6acb96f843a0257c5c1c0e52753bcd18b77b3"><code>5aa6acb</code></a> go/analysis: add Sizes that matches gc size computations</li> <li><a href="https://github.com/golang/tools/commit/5a89a3bf267ef12790327b8692c88654845bc78d"><code>5a89a3b</code></a> go/vcs: delete</li> <li>Additional commits viewable in <a href="https://github.com/golang/tools/compare/v0.10.0...v0.11.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Loading branch information
1 parent
ad37f4f
commit a8b32f9