Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-32292

Pinned dependency versions are outdated

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required
    • In Progress

      Description of problem:

      To bump some dependencies for CVE fixes, we added `replace` directives in the go.mod file. These dependencies have since moved way past the pinned version.
      We should drop the replaces before we run into problems from having deps pinned to versions that are too old. For example, I've seen PRs with the following diff:
      
      # golang.org/x/net v0.23.0 => golang.org/x/net v0.5.0
      
      which is not really what we want.    

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          always

      Steps to Reproduce:

          1.
          2.
          3.
          

      Actual results:

          Some dependencies are not upgraded because they are pinned.

      Expected results:

          

      Additional info:

          

            rdossant Rafael Fonseca dos Santos
            rdossant Rafael Fonseca dos Santos
            Gaoyun Pei Gaoyun Pei
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: