module updating (mainly for security bugfix) for gobuffalo families
Closed this issue · 20 comments
I am writing this issue to track/manage a set of PRs of module updating (mainly for security bugfix) for gobuffalo families.
Related PRs
Next
- buffalo and pop
- genny, fizz, buffalo-pop, cli will be checked if they need to be updated.
@sio4 all set with these PRs. LMK when you proceed with gobuffalo/buffalo and gobuffalo/pop. Thanks in advance!
Thanks for that!
Today, I tried to draw a dependency map of pop first (before buffalo) and I would like to update all possible dependencies, but I am not sure if doing this is valuable. During this process, which was started to fix a security bug in bluemonday, I found that many of the submodules are already outdated, even though some of them have bugfixes. What do you think? Is it valuable? If you think so, I will try to update (most of) them all.
Bold are the current versions and the other boxes are old. By the way, do we have any tools to find this automatically? :-)
It is definitely valuable. While you put together those update PRs I also saw that some of those repos are being tested with old versions of Go and are using the master branch, and I took your PRs as a starting point to update that tooling.
It would definitely be beneficial to update those all. We don't have a tool for it yet.
Thanks for your comment @paganotoni! Then I will work from the deepest modules and will also try to update external dependencies such as testify, which is used by many packages (version 1.7.0 or version 1.4.0). I made a PR for genny as a draft, and will update that with newer versions too!
PRs for current stage, which is for packages without buffalo internal dependencies:
- gobuffalo/flect#52
- gobuffalo/nulls#7
- gobuffalo/packd#15
- gobuffalo/envy#38
- gobuffalo/envy#39 (off topic but important)
- gobuffalo/logger#15
Please take a look at the above PRs and release them if there is no issue. Then the next steps will be:
- validate and attrs which depend on flect
- packr which depends on envy and packd
The next would be tags which depends on validate. (followed by helpers, plush, and so on)
Additionally, I found that the version control for packr is now not the best solution for go modules. I would like to fix this before proceeding with this module updating. Please take a look at my suggestion on gobuffalo/packr#294 and consider whether the proposal could be a solution for it. Currently, the tree structure has a circular reference and it makes maintaining module dependencies harder.
Started checking dependencies for buffalo, updated some modules, and updated the dependency map.
@sio4 covered the first part, while on it I did update all of those repos to use github actions.
Thank you! I submitted PRs for packages using flect just a minute ago. Will continue for the others. By the way, I would like to change the directory structure of packr as suggested here: gobuffalo/packr#294. What do you think?
Updated packages that use flect.
- gobuffalo/validate#28
- gobuffalo/attrs#3
- gobuffalo/meta#10 (quick fix for #2154)
- gobuffalo/packr#295
For those PRs which are not yet reviewed, I just fixed the workflow to run Go 1.16 and 1.17, and also added a badge for the action. I hope it could help your work!
@paganotoni Could you please take a look at the open PRs above? Because of the dependency chain, they need to be merged before the next steps.
Just PRed gobuffalo/meta#12.
Current blocking PRs are gobuffalo/validate#28 and gobuffalo/attrs#3 (gobuffalo/tags depends on them).
PRed gobuffalo/tags#139.
Current blocking PR is gobuffalo/packr#295 and gobuffalo/tags#139, next will be helpers followed by plush.
Currently, gobuffalo/genny#41 and gobuffalo/fizz#108 are open. Then next will be pop and buffalo!
Today's dependency map is here!
Phase 1 of the original plan is almost done. Currently buffalo and pop are not finished, but they will be done by @fasmat's work on packr to embed migrations.
By the way, originally cli, suite, middleware, cli plugins, and other tools were the target of the next phase. Some of them already have some progress.
Current ongoing PRs:
With the next release of gobuffalo/buffalo the dependency tree should become quite a bit smaller. We should also avoid overwriting transient dependencies with replace or go get -u (which adds // indirect directives). This also makes the dependency tree significantly smaller.
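One way to answer the earlier "do we have any tools to find it automatically?" question, as an added example that is not part of this thread or of any gobuffalo project: a small Go program that reads the stream of JSON objects `go list -m -u -json all` prints in a module root and lists every module with a newer version, marking the ones pulled in only as `// indirect`. The sample input is constructed; apart from the two testify versions named above, its version strings are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module mirrors the subset of `go list -m -u -json all` fields used here.
type Module struct {
	Path, Version  string
	Main, Indirect bool
	Update         *struct{ Version string } // present only when a newer version exists
}
// Outdated is one module whose recorded version has an available update.
type Outdated struct {
	Path, Current, Available string
	Indirect                 bool // reached only through a `// indirect` requirement
}

// FindOutdated decodes the concatenated JSON objects printed by `go list -m -u -json all` and returns every non-main module with a reported update.
func FindOutdated(r io.Reader) ([]Outdated, error) {
	dec := json.NewDecoder(r)
	var out []Outdated
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if !m.Main && m.Update != nil {
			out = append(out, Outdated{m.Path, m.Version, m.Update.Version, m.Indirect})
		}
	}
}
// sample is constructed input: testify's versions are the two named in the thread, every other version string is a placeholder.
const sample = `{"Path":"github.com/gobuffalo/pop","Main":true}
{"Path":"github.com/stretchr/testify","Version":"v1.4.0","Update":{"Version":"v1.7.0"}}
{"Path":"github.com/gobuffalo/flect","Version":"v0.0.1"}
{"Path":"github.com/microcosm-cc/bluemonday","Version":"v0.0.1","Indirect":true,"Update":{"Version":"v0.0.2"}}`
func main() {
	mods, err := FindOutdated(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", mods) // two entries: testify (direct) and bluemonday (indirect)
}
```

Against a real module, pipe `go list -m -u -json all` into FindOutdated instead of the constructed sample; modules without an Update entry (flect here) are skipped.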
The final dependency graph for buffalo v0.18 as of today, once three remaining PRs are merged.
All PRs were merged even though some of them are not yet released. Closing the issue now.