Commit Graph

26 Commits

Author SHA1 Message Date
Will Jones 486a10e677
Regenerate test `package-lock.json` files ()
Many of our tests test JavaScript/TypeScript behaviour and thus rely on
`package.json` files specifying dependencies and `package-lock.json`
files pinning those dependencies. While the dependencies we use in our
tests are minimal and their bounds haven't changed (nor maybe have much
reason to change), the transitive dependency set is potentially large
and worth keeping up-to-date (e.g. for security reasons, or just keeping
Dependabot happy). This commit thus regenerates all the
`package-lock.json` files associated with tests that Dependabot has
previously recommended we bump.

* Closes 
* Closes 
* Closes  
* Closes  
* Closes  
* Closes  
* Closes  
* Closes 
* Closes  
* Closes 
* Closes  
* Closes 
* Closes  
* Closes  
* Closes 
2024-06-13 10:52:59 +00:00
Fraser Waters 72bddd809f
Update github.com/cloudflare/circl to v1.3.7 ()
<!--- 
Thanks so much for your contribution! If this is your first time
contributing, please ensure that you have read the
[CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md)
documentation.
-->

# Description

<!--- Please include a summary of the change and which issue is fixed.
Please also include relevant motivation and context. -->

Dependabot updated some references to this in
https://github.com/pulumi/pulumi/pull/15131. But missed a lot,
importantly it didn't update pkg or sdk which are the most important
modules in this repo.


## Checklist

- [x] I have run `make tidy` to update any new dependencies
- [ ] I have run `make lint` to verify my code passes the lint check
  - [ ] I have formatted my code using `gofumpt`

<!--- Please provide details if the checkbox below is to be left
unchecked. -->
- [ ] I have added tests that prove my fix is effective or that my
feature works
<!--- 
User-facing changes require a CHANGELOG entry.
-->
- [x] I have run `make changelog` and committed the
`changelog/pending/<file>` documenting my change
<!--
If the change(s) in this PR is a modification of an existing call to the
Pulumi Cloud,
then the service should honor older versions of the CLI where this
change would not exist.
You must then bump the API version in
/pkg/backend/httpstate/client/api.go, as well as add
it to the service.
-->
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi
Cloud API version
<!-- @Pulumi employees: If yes, you must submit corresponding changes in
the service repo. -->
2024-01-16 08:59:57 +00:00
Justin Van Patten 37e6ad44d0
Upgrade go-git to v5.11.0 ()
Bumps github.com/go-git/go-git/v5 to 5.11.0 to address
https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r

Co-authored-by: Roy Reznik <roy@wiz.io>
2024-01-02 18:41:06 +00:00
Justin Van Patten 53244f09ae
Bump golang.org/x/crypto to 0.17.0 ()
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) to 0.17.0.

Replaces all the dependabot PRs in the repo with this single PR.

Also bumped `github.com/pulumi/pulumi/sdk/v3` in
`tests/integration/transformations/go/simple/go.mod` from v3.97.0 to
v3.98.0 to use esc v0.6.1, and avoid the appdash issue.
2023-12-20 09:14:29 +00:00
Justin Van Patten 7f2555444d
bump google.golang.org/grpc from 1.57.0 to 1.57.1 ()
This PR replaces all the dependabot PRs with a single commit that
updates all relevant go.mod files.

This resolves a high severity dependabot alert.
2023-10-28 15:56:28 +00:00
Justin Van Patten 86eee44bf8
bump golang.org/x/net from 0.10.0 to 0.17.0 ()
This PR replaces all the dependabot PRs with a single commit that
updates all relevant go.mod files.

This resolves 3 Dependabot alerts on golang.org/x/net including a
moderate severity alert.
2023-10-20 18:36:16 +00:00
Abhinav Gupta 91a079851b
deps: Upgrade google.golang.org/{genproto, grpc}
Updates to the latest versions of
google.golang.org/genproto and google.golang.org/grpc
in all submodules in the repository.

This is necessary because in a recent change,
genproto split out some of its subpackages into independent submodules.
(https://github.com/googleapis/go-genproto/issues/1015)

As a result of this, some users may see the error:

```
google.golang.org/genproto/googleapis/rpc/status: ambiguous import: found package google.golang.org/genproto/googleapis/rpc/status in multiple modules:
    google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 (/home/runner/go/pkg/mod/google.golang.org/genproto@v0.0.0-20230410155749-daa745c078e1/googleapis/rpc/status)
    google.golang.org/genproto/googleapis/rpc v0.0.0-20230725213213-b022f6e96895
```

Because pu/pu is using 20230410155749,
which has googleapis/rpc as a subpackage,
but another dependency references the independent submodule (20230725213213),
so the system doesn't know which module to use for the import path,
google.golang.org/genproto/googleapis/rpc/status.

This is a problem for codegen tests and ProgramTest-based tests
for Pulumi Go programs that do not have a go.mod in the test directory.
This issue was encountered by @thomas11 while attempting to upgrade
dependencies in pulumi-docker ().

The grpc upgrade is necessary because the current version of grpc
also pulls the outdated version of genproto.
2023-07-27 16:24:33 -07:00
Abhinav Gupta f59ab49fc5
deps(go): Upgrade to grpc 1.56.1
Upgrades to gRPC Go 1.56.1 to resolve the influx of dependabot PRs.
Supersedes all dependabot PRs created for this.

Fixes CVE-2023-32731
2023-07-06 09:04:16 -07:00
Justin Van Patten 16db89deda Bump semver and @pulumi/pulumi 2023-06-24 13:53:19 -07:00
Abhinav Gupta 52a47d6295
all: cloudflare/circl 1.1.0 => 1.3.3
Upgrade version of cloudflare/circl to pick up important fixes
and supersede a bunch of dependabot PRs.

Addresses CVE-2023-1732
2023-05-11 13:51:01 -07:00
Kyle Dixler 3af78f9ca7
Bump go-git to v5.6.0 to remove cgo dependency fixing
pulumi-docker-containers builds.
2023-02-28 16:01:31 -08:00
Abhinav Gupta 8614885326
all(go.mod): Upgrade golang.org/x/net to v0.7.0
Upgrades all go.mod files to v0.7.0 of golang.org/x/net.
This will take care of the disparate dependabot updates we're receiving
for these files.

See also https://github.com/pulumi/pulumi/security/dependabot/151

Refs CVE-2022-41723
2023-02-17 11:06:15 -08:00
Guillaume Truchot de868c8be3
chore: update `net` package to fix CVE-2022-27664
Upgrades golang.org/x/net to v0.5.0.
This addresses CVE-2022-27664
and switches to semver-ed releases of the package.
2023-02-08 12:32:32 -08:00
Anton Tayanovskyy af937ec2b9
Revert "Update Pulumi codegen to net6.0" 2023-01-10 09:12:56 -08:00
Fraser Waters 0c38cb69dd Update Pulumi codegen to net6.0
.NET Core 3.1 is out of support on December 13th:
https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core

We've already stopped testing on .NET Core 3.1, and program gen has been
targetting only 6.0 for a while now as well.

This updates sdkgen to only 6.0 as well.
2022-12-15 09:28:03 +00:00
Aaron Friel 7e555cb6ab ci: Simplify test listing, update go dependencies to 1.18 compat 2022-09-21 09:51:59 -07:00
Mikhail Shilkov 233ececb0f
Update all references to pulumi so that source-map-support isn't deprecated anymore () 2022-07-01 20:31:57 +02:00
Mikhail Shilkov b3fc3d6acb Revert "Update all references to pulumi so that source-map-support isn't deprecated anymore"
This reverts commit 4c6810f236.
2022-07-01 15:42:00 +02:00
Mikhail Shilkov 4c6810f236 Update all references to pulumi so that source-map-support isn't deprecated anymore 2022-07-01 15:35:47 +02:00
Anton Tayanovskyy 5ec0b2ffe6
Add `make tidy` command to apply `go mod tidy` on every go.mod ()
* Script to blanket-apply go mod tidy

* Run make tidy
2021-12-23 17:37:39 -05:00
Anton Tayanovskyy b667ce5d4f
Tighten up auto test ()
* Tighten up a test to not fail for wrong reasons, use python helpers

* Use local in-source Python SDK for the test
2021-08-24 14:48:09 -04:00
Evan Boyle a659b3565c
reenable concurrent update test () 2021-07-22 10:06:44 -07:00
Ismayil 4bafeee700
Fixes : Duplicated Go modules () 2021-04-19 08:24:51 -07:00
Paul Stack e955a6b06a Refactor Mock newResource and call to accept property bag rather than individual args () 2021-04-14 19:32:18 +01:00
pulumi-bot 73a66f48ea [breaking] Changing the version of go.mod in sdk / pkg to be v3 2021-04-14 19:32:18 +01:00
Paul Stack 3fad2e5329 Removing x namespace from go/python/nodejs automation packages () 2021-04-14 19:32:18 +01:00