diff --git a/.snyk b/.snyk
index 560b862..16fc4d7 100644
--- a/.snyk
+++ b/.snyk
@@ -1,19 +1,19 @@
 version: v1.5.0
 ignore:
 # --- License issues (MPL-2.0 from HashiCorp transitive deps) ---
- snyk:lic:golang:github.com/hashicorp/go-multierror:MPL-2.0:
+ snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0:
 - '*':
 reason: Generated code dependency from entgo.io/contrib entgql templates; cannot remove without forking
 created: 2026-03-20T00:00:00.000Z
- snyk:lic:golang:github.com/hashicorp/errwrap:MPL-2.0:
+ snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0:
 - '*':
 reason: Transitive dependency of go-multierror; cannot remove without forking
 created: 2026-03-20T00:00:00.000Z
- snyk:lic:golang:github.com/hashicorp/hcl/v2:MPL-2.0:
+ snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0:
 - '*':
 reason: Transitive dependency of ariga.io/atlas used by ent; cannot remove
 created: 2026-03-20T00:00:00.000Z
- snyk:lic:golang:github.com/hashicorp/golang-lru/v2:MPL-2.0:
+ snyk:lic:golang:github.com:hashicorp:golang-lru:v2:MPL-2.0:
 - '*':
 reason: Transitive dependency of entgo.io/contrib and github.com/99designs/gqlgen; cannot remove without forking
 created: 2026-03-25T00:00:00.000Z
@@ -88,7 +88,7 @@ ignore:
 created: 2026-04-09T00:00:00.000Z
 # --- OpenTelemetry CVE-2026-39882: Memory Allocation with Excessive Size (CWE-789) ---
 # Affects otel/exporters/otlp/otlpmetric/otlpmetrichttp and otlptrace/otlptracehttp.
- SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPMETRICOTLPMETRICHTTP-15954197:
+ SNYK-GOLANG-GOOPENTELEMETRYIOOTELEXPORTERSOTLPOTLPMETRICOTLPMETRICHTTP-15954197:
 - '*':
 reason: >-
 CVE-2026-39882 Memory Allocation with Excessive Size Value (CWE-789, CVSS High).
@@ -97,7 +97,7 @@ ignore:
 imported by this project. Not compiled into any binary.
 expires: 2026-10-09T00:00:00.000Z
 created: 2026-04-09T00:00:00.000Z
- SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPTRACEOTLPTRACEHTTP-15954195:
+ SNYK-GOLANG-GOOPENTELEMETRYIOOTELEXPORTERSOTLPOTLPTRACEOTLPTRACEHTTP-15954196:
 - '*':
 reason: >-
 CVE-2026-39882 Memory Allocation with Excessive Size Value (CWE-789, CVSS High).
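Review bot: The replacement key for the otlptracehttp ignore changes the numeric suffix as well as the spelling, from `-15954195` to `-15954196`, while the otlpmetrichttp key in the `@@ -88,7 +88,7 @@` hunk keeps its `-15954197`. Snyk ignores are keyed on the exact issue ID, so a key that is off by one character suppresses nothing, and the misspelled `IOTEL` keys this commit replaces suggest these entries were typed by hand. Confirm the new ID against the scanner's own report, or regenerate the entry with `snyk ignore --id=<ISSUE_ID>` rather than retyping it. A short comment above the entry, such as `# ID copied from scanner output on <date>`, would make the next correction easier to audit.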
@@ -116,57 +116,53 @@ ignore:
 Not compiled into any binary. (Separate CVE from existing ignore -15182758.)
 expires: 2026-10-09T00:00:00.000Z
 created: 2026-04-09T00:00:00.000Z
- # --- go-jose vulnerabilities (fixed via go.mod pin; ignores retained as safety net) ---
- # go mod tidy drops the pin because grpc only requires v4.1.3.
+ # --- go-jose vulnerabilities (transitive ghost dep via grpc; not in go.mod) ---
 SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSE-15875219:
 - '*':
 reason: >-
 Improper Verification of Cryptographic Signature (CVSS 8.0).
- Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
- go mod tidy reverts this pin because upstream deps (grpc) only require
- v4.1.3, and lazy module loading does not track the override in go.mod.
+ Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+ not listed in go.mod and not compiled into any binary.
 expires: 2026-10-07T00:00:00.000Z
 created: 2026-04-07T00:00:00.000Z
 SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-15875221:
 - '*':
 reason: >-
 CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7).
- Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
- go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3.
+ Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+ not listed in go.mod and not compiled into any binary.
 expires: 2026-10-09T00:00:00.000Z
 created: 2026-04-09T00:00:00.000Z
 SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSECIPHER-15875222:
 - '*':
 reason: >-
 CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7).
- Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
- go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3.
+ Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+ not listed in go.mod and not compiled into any binary.
 expires: 2026-10-09T00:00:00.000Z
 created: 2026-04-09T00:00:00.000Z
 SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4CIPHER-15875234:
 - '*':
 reason: >-
 CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7).
- Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
- go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3.
+ Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+ not listed in go.mod and not compiled into any binary.
 expires: 2026-10-09T00:00:00.000Z
 created: 2026-04-09T00:00:00.000Z
- # --- golang.org/x/crypto vulnerabilities (fixed via go.mod pin; ignore retained as safety net) ---
+ # --- golang.org/x/crypto vulnerabilities (transitive ghost dep; not in go.mod) ---
 SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056:
 - '*':
 reason: >-
 CVE-2025-22869 Allocation of Resources Without Limits (CWE-770, CVSS 6.9).
- Fixed via go.mod pin to golang.org/x/crypto v0.49.0. Ignore retained as safety
- net — go mod tidy reverts this pin because upstream deps (hashicorp/hcl v2.24.0)
- only require v0.38.0, and lazy module loading does not track the override in go.mod.
+ Transitive dependency of hashicorp/hcl v2.24.0 (requires x/crypto v0.38.0);
+ not listed in go.mod and not compiled into any binary.
 expires: 2026-10-07T00:00:00.000Z
 created: 2026-04-07T00:00:00.000Z
 SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891:
 - '*':
 reason: >-
 CVE-2025-47913 Improper Handling of Unexpected Data Type (CWE-241, CVSS 7.1).
- Fixed via go.mod pin to golang.org/x/crypto v0.49.0. Ignore retained as safety
- net — go mod tidy reverts this pin because upstream deps constrain resolution to
- v0.38.0, and lazy module loading does not track the override in go.mod.
+ Transitive dependency of hashicorp/hcl v2.24.0 (requires x/crypto v0.38.0);
+ not listed in go.mod and not compiled into any binary.
 expires: 2026-10-07T00:00:00.000Z
 created: 2026-04-07T00:00:00.000Z
diff --git a/_examples/go.mod b/_examples/go.mod
index 86bcd11..9219972 100644
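Review bot: The new `reason` text on the go-jose and x/crypto entries asserts "not listed in go.mod and not compiled into any binary", but nothing in the file records how that was checked. Because each entry uses the `'*'` path, the ignore keeps suppressing these findings until `expires` even if a later dependency change does link the package. The same commit removes the patched-version lines (`go-jose/v4 v4.1.4`, `golang.org/x/crypto v0.49.0`) from go.mod, and the reason text itself says upstream only requires v4.1.3 and v0.38.0, so a future importer would presumably resolve to those older versions. I would record the evidence in the section comment, for example `# verified YYYY-MM-DD: go list -deps ./... lists no github.com/go-jose/go-jose or golang.org/x/crypto package`, and run that check in CI so the build fails if it stops being true. Running govulncheck in CI would cover the same claim by reachability rather than by assertion.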
--- a/_examples/go.mod +++ b/_examples/go.mod @@ -1,6 +1,6 @@ module _examples -go 1.26.1 +go 1.26.2 require ( entgo.io/contrib v0.7.0 @@ -43,7 +43,7 @@ require ( golang.org/x/sync v0.20.0 // indirect golang.org/x/text v0.36.0 // indirect golang.org/x/tools v0.44.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/_examples/go.sum b/_examples/go.sum index 586f4eb..12f1828 100644 --- a/_examples/go.sum +++ b/_examples/go.sum @@ -105,8 +105,8 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 h1:C5I8ORrv1qJ5kwJifN/cE/QIi0gTr1x6y/7l42/epIg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/go.mod b/go.mod index 653f023..f46bb99 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/flume/enthistory -go 1.26.1 +go 1.26.2 require ( entgo.io/contrib v0.7.0 
@@ -24,7 +24,6 @@ require ( github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/bmatcuk/doublestar v1.3.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/go-jose/go-jose/v4 v4.1.4 // indirect github.com/goccy/go-yaml v1.19.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/go-cmp v0.7.0 // indirect @@ -41,10 +40,9 @@ require ( github.com/zclconf/go-cty v1.18.0 // indirect github.com/zclconf/go-cty-yaml v1.2.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.49.0 // indirect golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect golang.org/x/mod v0.35.0 // indirect golang.org/x/text v0.36.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index db3423d..354aafc 100644 --- a/go.sum +++ b/go.sum @@ -26,8 +26,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= -github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= -github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-openapi/inflect v0.21.5 h1:M2RCq6PPS3YbIaL7CXosGL3BbzAcmfBAT0nC3YfesZA= github.com/go-openapi/inflect v0.21.5/go.mod h1:GypUyi6bU880NYurWaEH2CmH84zFDNd+EhhmzroHmB4= github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= 
@@ -88,8 +86,6 @@ github.com/zclconf/go-cty-yaml v1.2.0 h1:GDyL4+e/Qe/S0B7YaecMLbVvAR/Mp21CXMOSiCT github.com/zclconf/go-cty-yaml v1.2.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= -golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM= golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80= golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= @@ -104,8 +100,8 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 h1:C5I8ORrv1qJ5kwJifN/cE/QIi0gTr1x6y/7l42/epIg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/go.work b/go.work index 8906da3..d906165 100644 --- a/go.work +++ b/go.work 
@@ -1,4 +1,4 @@
-go 1.26.1
+go 1.26.2
 use (
 .