Update Go toolchain, deps, and vendored web assets #812
Open
itsouvalas wants to merge 12 commits into develop from
Conversation
Raise go.mod to go 1.25.5 and drop the toolchain directive. Matches blacksmith and the rest of the long-running studio services. Go 1.25's default go test vet tightens the printf check, flagging 15 call sites with non-constant format strings. Fixed in place to keep the suite green under the new toolchain.
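An added example (not code from this PR or from SHIELD) of what the tightened printf check is protecting against, and of the in-place fix. Type, field and function names are made up. The broken call is routed through a func value rather than a direct fmt.Errorf so the file still compiles under the same `go test` vet that flags the 15 sites; that detour also shows the check's limit: it only follows static calls to known printf-like functions, so a logger callback or a func-typed field hides the identical bug and has to be found by review.

```go
package main

import (
	"errors"
	"fmt"
)

// Errorf is the signature the stdlib and a pluggable logger callback share.
// (Type and field names are constructed for this example.)
type Errorf func(format string, args ...interface{}) error

// Reporter hands errors to whatever Errorf it was given, the way a plugin
// might carry a logger callback. go vet's printf check resolves only static
// callees, so calls through r.errorf are invisible to it.
type Reporter struct {
	errorf Errorf
}

// FailUnsafe is the shape of the flagged call sites: text from outside the
// program (plugin stderr, a user-supplied name) becomes the format string,
// so any '%' it carries is parsed as a verb and turns into "%!d(MISSING)".
func (r Reporter) FailUnsafe(detail string) error {
	return r.errorf("task failed: " + detail)
}

// FailSafe is the in-place fix: constant format, untrusted text passed as an
// argument. Its '%' characters are preserved verbatim.
func (r Reporter) FailSafe(detail string) error {
	return r.errorf("task failed: %s", detail)
}

// ErrBackendDown is a sentinel a caller might match with errors.Is
// (constructed for this example).
var ErrBackendDown = errors.New("backend down")

// WrapCause shows why the fix keeps fmt.Errorf instead of switching to
// errors.New(msg): only the %w verb keeps the cause reachable by errors.Is.
func WrapCause(detail string, cause error) error {
	return fmt.Errorf("task failed: %s: %w", detail, cause)
}

// NewReporter wires the stdlib formatter in; a test could inject its own.
func NewReporter() Reporter {
	return Reporter{errorf: fmt.Errorf}
}

func main() {
	r := NewReporter()
	detail := "exit status %d" // constructed input that happens to hold a verb
	fmt.Println(r.FailUnsafe(detail)) // task failed: exit status %!d(MISSING)
	fmt.Println(r.FailSafe(detail))   // task failed: exit status %d
	fmt.Println(errors.Is(WrapCause(detail, ErrBackendDown), ErrBackendDown)) // true
}
```

Running `go vet ./...` on a Go 1.24+ toolchain reports the direct form `fmt.Errorf(msg)` as "non-constant format string"; it stays silent on the func-value form above, which is the case to grep for by hand after the flagged sites are fixed.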
Build image was pinned to golang:1.21-bookworm, four minors behind go.mod. Move to 1.25-bookworm so image and go directive match.
Both images were on bullseye-derived bases. Debian bullseye goes EOL 2026-06; bookworm is current and supported through 2028. Pin the nginx minor (1.27) but let the patch tag float, so security fixes land without a re-bump. Noted: webdav Dockerfile still carries a deprecated MAINTAINER line. Left alone -- cleanup is not in scope for a version bump.
Previous pin (v1.5.0, 2020) predates MySQL 8's caching_sha2_password default auth and carries five years of missed security + compat fixes. Driver is registered via blank import in plugin/mysql/plugin.go; no API surface changes in our caller. filippo.io/edwards25519 appears as an indirect dep because v1.9 added optional support for MariaDB's ed25519 auth plugin -- not something SHIELD enables, but carried along.
Previous pin (v1.14.15, 2022) is pre Go 1.22 compat and carries an older bundled SQLite amalgamation. v1.14.42 is the current v1.14 patch, ships a newer SQLite, and keeps binary layout and the CGo build surface unchanged. SHIELD's internal store uses this driver via database/sql; no API surface changes in callers.
Clears drift on the consul client library -- previous pin (v1.18.0) is from early 2023. Used only by plugin/consul/plugin.go via thin surface: api.NewClient, api.KVPair, api.KV(). No caller changes required. Transitive churn: armon/go-metrics, mapstructure, and go-immutable-radix bump patch/minor; btree and go-msgpack drop out as indirect deps; x/exp appears as new indirect.
Previous pin was an 11-year-old pseudo-version (2015) carrying a documented latent bug: the Organizations.ListUserTeams call behaves incorrectly against modern GitHub per a comment in-code, because that endpoint moved to Teams in go-github v17. v76 is the current major.

API surface used is three calls:

  Users.Get(ctx, username)
  Organizations.List(ctx, username, opts)
  Teams.ListUserTeams(ctx, opts)

All three now take context as the first arg, and the teams call moved from the Organizations service to Teams. The Client wrapper's exported surface (NewClient, Lookup) is unchanged, so core/auth_provider_github does not need to move. Stale comment referring to the v3/v47 drift is removed -- the underlying bug it described is now fixed.
Bundle of routine refreshes; no API changes in any caller. Per plan matrix:

  golang.org/x/crypto       v0.36.0 -> v0.50.0
  golang.org/x/net          v0.38.0 -> v0.53.0
  golang.org/x/oauth2       v0.30.0 -> v0.36.0
  fsouza/go-dockerclient    v1.12.1 -> v1.12.4
  prometheus/client_golang  v1.19.1 -> v1.23.2

x/net is carried as indirect but bumped explicitly alongside x/crypto to keep the security baseline coherent. Transitive churn of note: docker/docker 27 -> 28, klauspost/compress 1.16 -> 1.18, x/sys / x/term / x/text advance to current, protobuf 1.33 -> 1.36, prometheus/common 0.48 -> 0.66, prometheus/procfs 0.12 -> 0.16. moby/go-archive added as a new indirect pulled in by go-dockerclient v1.12.4.
Previous vendored copy was 3.2.1 from 2017, which predates jQuery's 3.5 series -- the one that fixed the HTML-parsing XSS family (CVE-2020-11022 and CVE-2020-11023) triggered via .html() and similar calls on attacker-controlled input. 3.7.1 is the current 3.x release.

Minified file dropped in from https://code.jquery.com/ verified against the upstream SRI hash:

  sha256 fc9a93dd241f6b045cbff0481cf4e1901becd0e12fb45166a8f17f95823f0b1a

Loaded as <script src="/js/jquery.js"> from index.html; no caller changes needed -- 3.7 keeps the 3.x API surface.
Previous vendored copy was 1.9.0 from 2018. 2.x landed in 2022 and is the maintained line; 1.x has not received patches since.

Used in web/htdocs/js/lib.js as:

  new showdown.Converter({
    omitExtraWLInCodeBlocks, simplifiedAutoLink,
    literalMidWordUnderscores, strikethrough,
    tables, simpleLineBreaks, openLinksInNewWindow
  })

All seven options survive the 1.x -> 2.x jump unchanged, and makeHtml() is API-stable across the bump, so no caller changes needed.

Minified 2.1.0 pulled from cdn.jsdelivr.net; sha cross-checked against unpkg to catch mirror drift:

  sha256 88eb6fbbe0c270ddf3384aee0c9620d070e090a26e07c67421ae36c903b5d649
Previous vendored copy was 5.3.1 (2018). 6.x is the current major line; 6.7.2 is the latest free release.

Runtime usage is narrow: two brand icons only (fab fa-apple, fab fa-linux) for the CLI download buttons in index.html. Both icons exist unchanged in FA6 Free; old class names (fab, fas, far) still map to the new font-families via the css, so no markup changes needed.

Bundle pulled from use.fontawesome.com, sha cross-checked against github.com/FortAwesome:

  sha256 ecdaaa6d347cd7da82c66054770995e97f3d066a57e8d58ac9c517f0f77561fb

Layout mirrors the prior vendoring (css, js, metadata, sprites, svgs, webfonts) -- upstream's less and scss source dirs are omitted to match the existing tree.

Diff is large (~2500 paths touched: added, removed, byte-different webfonts) but content-neutral for the two icons actually rendered.
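The jQuery, showdown and Font Awesome commits each record a hex sha256 and say it was checked against the upstream SRI value or a second mirror. As an added example, not code from this PR or from SHIELD, the following does that check mechanically: it converts the hex form in the commit messages to the base64 "sha256-..." form a CDN publishes and an integrity= attribute consumes (tolerating the digest being wrapped across lines, as it is in the messages above), and it verifies the bytes actually vendored against the expected digest. The sample asset is constructed ("abc"), and the VerifyFile path is an assumed location, not one the PR states.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// SRIFromHex turns a hex sha256 digest (the form recorded in the commit
// messages, possibly wrapped across lines) into the "sha256-<base64>" form
// used by integrity= attributes and by the CDNs' published SRI values.
func SRIFromHex(hexDigest string) (string, error) {
	raw, err := hex.DecodeString(strings.Join(strings.Fields(hexDigest), ""))
	if err != nil {
		return "", fmt.Errorf("bad hex digest: %w", err)
	}
	if len(raw) != sha256.Size {
		return "", fmt.Errorf("expected %d-byte digest, got %d", sha256.Size, len(raw))
	}
	return "sha256-" + base64.StdEncoding.EncodeToString(raw), nil
}

// VerifyAsset hashes the bytes that will actually be served and compares
// them with the expected hex digest. It returns the SRI form of the computed
// hash so the caller can paste it into the script tag, plus an error on
// mismatch. Digests are public, so a constant-time compare is not needed.
func VerifyAsset(asset []byte, expectedHex string) (string, error) {
	want, err := SRIFromHex(expectedHex)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(asset)
	got := "sha256-" + base64.StdEncoding.EncodeToString(sum[:])
	if got != want {
		return got, fmt.Errorf("digest mismatch: got %s, want %s", got, want)
	}
	return got, nil
}

// VerifyFile is the convenience wrapper for a vendored tree, e.g.
// VerifyFile("web/htdocs/js/jquery.js", jqHex). The path is an assumption
// for this example, not one the PR states.
func VerifyFile(path, expectedHex string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return VerifyAsset(data, expectedHex)
}

func main() {
	// The hex digest the jQuery commit records, wrapped as it appears there.
	jqHex := "fc9a93dd241f6b045cbff0481cf4e1901becd0e1 2fb45166a8f17f95823f0b1a"
	sri, err := SRIFromHex(jqHex)
	fmt.Println(sri, err) // sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo= <nil>

	// Constructed stand-in for a vendored file; its sha256 is the well-known
	// digest of "abc". A one-byte change must be rejected.
	abcHex := "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	if got, err := VerifyAsset([]byte("abc"), abcHex); err == nil {
		fmt.Println("ok:", got) // ok: sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
	}
	if _, err := VerifyAsset([]byte("abd"), abcHex); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

The useful property is that the comparison runs over the bytes in the repository, not over what a CDN served at download time, so a later edit to the vendored file (or a mirror that drifts) shows up in CI without anyone re-reading the commit message.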
Closes a Snyk advisory (CVSS 6.3) for improper initialization in MultiScalarMult. Indirect dep, pulled in by go-sql-driver/mysql v1.9 for MariaDB ed25519 auth. Not exercised by SHIELD's own code path, but bumped to clear the alert.
Summary

A version-bump pass across SHIELD's Go toolchain, Go module dependencies, vendored front-end libraries, and Dockerfile bases. Eleven atomic commits, each scoped to a single concept (Go toolchain | Dockerfile | dep bump | vendored asset).

The only runtime-code change in the entire series is the lib/github/github.go rewrite for google/go-github v0 (2015 pseudo-version) → v76. Everything else is version pins, vendored assets, or go.mod/vendor/ updates. The wrapper's exported surface (NewClient, Lookup) is unchanged, so callers don't move.

Commits (11)
- toolchain directive (matches typical Go 1.22+ convention). Bundles 15 printf-vet fixes that Go 1.25's stricter default vet surfaces in db/import.go, core/api_v2.go, plugin/docker-postgres/errors.go.
- filippo.io/edwards25519 indirect for optional MariaDB ed25519 auth (not enabled by SHIELD).
- plugin/consul/plugin.go via thin surface (api.NewClient, api.KVPair, api.KV()); no caller change.
- ListUserTeams drift. The migrated Teams.ListUserTeams(ctx, opts) call (was Organizations.ListUserTeams(nil)) now actually works. ~10-line code change in lib/github/github.go.
- golang.org/x/crypto 0.36 → 0.50, x/net 0.38 → 0.53, x/oauth2 0.30 → 0.36, fsouza/go-dockerclient 1.12.1 → 1.12.4, prometheus/client_golang 1.19 → 1.23. Transitive churn: docker/docker 27 → 28, klauspost/compress 1.16 → 1.18, protobuf 1.33 → 1.36.
- web/htdocs/js/lib.js survive 1.x → 2.x; SHA cross-checked between cdn.jsdelivr.net and unpkg.
- fab fa-apple and fab fa-linux used at runtime; both unchanged in FA6. SHA cross-checked between use.fontawesome.com and the GitHub release.

Notable decisions
- go 1.25.5, toolchain directive dropped. With go 1.25.5 as the floor, any installed toolchain ≥ 1.25.5 is auto-selected, so the explicit toolchain line is redundant.
- github.com/onsi/ginkgo at v1.16.5 and github.com/onsi/gomega at v1.24.2. Ginkgo v1.16.5 is already the final v1 release; the v2 migration is its own breaking-change effort and out of scope for a version-bump PR.
- fsouza/go-dockerclient stays on the v1.12 line (v1.12.4) deliberately. v1.13 is available but adds API-surface changes worth a dedicated cycle.

Smoke testing
Full smoke pass executed against this branch at HEAD 93c1badc. All gating checks GREEN:

- make build
- make go-tests: agent, db, plugin, timespec all ok
- go vet -mod=vendor ./...: develop (db/tenant_test.go self-assignment, plugin/fs/plugin.go:352 unreachable) — no new ones
- make plugin-tests
- make api-tests
- docker build -t shield:smoke .: FromAsCasing warning, pre-existing
- Lookup() chain executed: Users.Get, Organizations.List, migrated Teams.ListUserTeams
- 200 OK (advisory)

The OAuth row is the only test exercising the rewritten lib/github/github.go. Shieldd log line confirming the full chain executed:

Dependabot status
This branch closes 3 of the 6 open alerts on develop (#89 docker firewalld LOW, #90/#91 x/crypto MED ssh memory + agent panic).

The remaining 3 alerts are not exploitable in SHIELD's posture and are intentionally left for routine future bumps rather than expanding this PR's scope:

- #92 grpc CRITICAL (google.golang.org/grpc < 1.79.3, server-side authorization-bypass via missing leading slash in :path). SHIELD uses grpc only as a client, transitively via go.etcd.io/etcd/client/v3 to talk to etcd. SHIELD does not run grpc servers.
- #93/#94 docker AuthZ HIGH/MED (docker/docker < 29.3.1, AuthZ plugin bypass / off-by-one). Trigger only when an AuthZ plugin sits in front of the Docker daemon. SHIELD's plugin/docker-postgres/ runs no AuthZ plugin layer.

Acknowledged gap — lib/github/ test coverage

lib/github/ has zero unit-test coverage; the only validation of the v76 rewrite is the live OAuth flow above. Worth a follow-up to add mock-HTTP-based unit tests for Users.Get, Organizations.List, and Teams.ListUserTeams so future bumps don't require operator-driven OAuth dances.

Test plan
Reviewers wanting to reproduce locally:

- make clean && make build && make test
- docker build -t shield:smoke .
- init/core, register a throwaway OAuth app on github.com with callback http://localhost:9009/auth/gh/redir, configure the github auth provider, walk the consent screen.
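An added example, not code from this PR, from lib/github/github.go or from google/go-github, of the mock-HTTP unit test the acknowledged-gap section asks for. It uses a hypothetical thin net/http client standing in for the go-github wrapper and an httptest server playing GitHub; the paths are the REST routes behind Users.Get, Organizations.List (with a username, hence /users/{login}/orgs) and Teams.ListUserTeams, the fake answers 401 to any request without the expected bearer token so the test also proves the credential is sent, and all names, tokens and response data are constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Identity is the subset of GitHub data an auth provider maps onto tenants.
// The struct, the thin client below and the fake server are constructed for
// this example; they stand in for the wrapper, not reproduce it.
type Identity struct {
	Login string
	Orgs  []string
	Teams []string // "org/team-slug"
}

// Lookup walks the three REST endpoints behind Users.Get, Organizations.List
// and Teams.ListUserTeams, in that order, each call carrying ctx so a stalled
// GitHub cannot hang the OAuth callback.
func Lookup(ctx context.Context, client *http.Client, baseURL, token, login string) (Identity, error) {
	var id Identity

	var user struct {
		Login string `json:"login"`
	}
	if err := getJSON(ctx, client, baseURL+"/users/"+login, token, &user); err != nil {
		return id, fmt.Errorf("users.get: %w", err)
	}
	id.Login = user.Login

	var orgs []struct {
		Login string `json:"login"`
	}
	if err := getJSON(ctx, client, baseURL+"/users/"+login+"/orgs", token, &orgs); err != nil {
		return id, fmt.Errorf("organizations.list: %w", err)
	}
	for _, o := range orgs {
		id.Orgs = append(id.Orgs, o.Login)
	}

	var teams []struct {
		Slug string `json:"slug"`
		Org  struct {
			Login string `json:"login"`
		} `json:"organization"`
	}
	if err := getJSON(ctx, client, baseURL+"/user/teams", token, &teams); err != nil {
		return id, fmt.Errorf("teams.listuserteams: %w", err)
	}
	for _, t := range teams {
		id.Teams = append(id.Teams, t.Org.Login+"/"+t.Slug)
	}
	return id, nil
}

// getJSON performs one authenticated GET and decodes the body, treating any
// non-200 status as an error rather than silently returning empty lists
// (an empty team list would otherwise look like "user is in no teams").
func getJSON(ctx context.Context, client *http.Client, url, token string, out interface{}) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: status %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// NewFakeGitHub serves constructed responses for the three endpoints and
// answers 401 to anything without the expected bearer token. All data is made up.
func NewFakeGitHub(token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/users/alice", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"login":"alice"}`)
	})
	mux.HandleFunc("/users/alice/orgs", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `[{"login":"example-org"}]`)
	})
	mux.HandleFunc("/user/teams", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `[{"slug":"backup-admins","organization":{"login":"example-org"}}]`)
	})
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
			return
		}
		mux.ServeHTTP(w, r)
	}))
}

func main() {
	srv := NewFakeGitHub("test-token")
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	id, err := Lookup(ctx, srv.Client(), srv.URL, "test-token", "alice")
	fmt.Printf("%+v %v\n", id, err) // {Login:alice Orgs:[example-org] Teams:[example-org/backup-admins]} <nil>
}
```

Because the fake only needs a base URL, the same test shape works against the real wrapper once it exposes the client's BaseURL (go-github's client has one), which is what turns the next go-github major bump into a `go test` run instead of an operator walking the consent screen.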