chore(deps): update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.102.0 #1042
Merged
Supply Chain Verification Results: ✅ PASSED
Codecov Report: ✅ All modified and coverable lines are covered by tests.
The cloudflare provider's Start() method used cmd.StdoutPipe() and cmd.StderrPipe() to capture tunnel output. Go's exec package registers the read-end file descriptors from these calls in an internal closeAfterWait list — when cmd.Wait() returns after the child exits, those fds are closed immediately, regardless of whether the scanner goroutines have finished reading buffered data. On a loaded CI runner this produces an EBADF before the scanner's first Read(), leaving the ring buffer empty and causing TestStart_CapturesStdoutOutput to fail.

Replace both pipe methods with os.Pipe() pairs. Assigning bare *os.File to cmd.Stdout and cmd.Stderr bypasses Go's pipe lifecycle management entirely. The parent write ends are closed immediately after cmd.Start() succeeds so the child's exit naturally sends EOF to the scanners. Each scanner goroutine owns its read end and closes it via defer after draining, which preserves the existing scanWg.Wait() guarantee that the ring buffer is fully populated before p.done is closed.

All four pipe fds are cleaned up in both the stderr os.Pipe() failure path and the cmd.Start() failure path to prevent fd leaks. Write-end close failures are logged using the provider's structured logger rather than silently discarded.

Validated with 50 sequential -race runs on the cloudflare package; 50/50 pass.

Fixes TestStart_CapturesStdoutOutput flake in CI
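The pipe lifecycle this commit message describes, as an added Go example (not the repository's code): captureOutput is a hypothetical stand-in for the provider's Start(), its two slices stand in for the ring buffer, and the demo in main assumes sh is on PATH.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"sync"
)

// captureOutput is a hypothetical helper; the slices stand in for the ring buffer.
func captureOutput(cmd *exec.Cmd) (stdout, stderr []string, err error) {
	outR, outW, err := os.Pipe()
	if err != nil {
		return nil, nil, err
	}
	errR, errW, err := os.Pipe()
	if err != nil {
		outR.Close()
		outW.Close()
		return nil, nil, err
	}
	cmd.Stdout, cmd.Stderr = outW, errW // bare *os.File: not in exec's closeAfterWait list
	if err := cmd.Start(); err != nil {
		for _, f := range []*os.File{outR, outW, errR, errW} {
			f.Close() // no fd leak on the failure path
		}
		return nil, nil, err
	}
	outW.Close() // parent drops its write ends, so the child's exit yields EOF
	errW.Close()
	var wg sync.WaitGroup
	drain := func(r *os.File, dst *[]string) {
		defer wg.Done()
		defer r.Close() // the reader owns its fd and closes it only after draining
		for sc := bufio.NewScanner(r); sc.Scan(); {
			*dst = append(*dst, sc.Text())
		}
	}
	wg.Add(2)
	go drain(outR, &stdout)
	go drain(errR, &stderr)
	err = cmd.Wait() // Wait returning early cannot close outR/errR under the readers
	wg.Wait()        // both slices are complete before the caller sees them
	return stdout, stderr, err
}

func main() {
	fmt.Println(captureOutput(exec.Command("sh", "-c", "echo tunnel up; echo warn 1>&2")))
}
```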
Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
…sec dependency

caddy-crowdsec-bouncer@v0.10.0 (and all subsequent releases through v0.12.1) declare github.com/crowdsecurity/crowdsec v1.6.3 in their go.mod, which embeds the vulnerable crowdsec library inside the compiled /usr/bin/caddy binary. Trivy detects this and reports GHSA-rw47-hm26-6wr7 (CVE-2026-44982), which describes the CrowdSec AppSec component silently dropping HTTP request bodies for chunked-encoded and HTTP/2 requests — allowing WAF body inspection rules to be bypassed entirely.

The dedicated crowdsec and cscli binaries were already clean (built directly from CROWDSEC_VERSION=1.7.8 source), but the Caddy binary was still exposing the vulnerability through its transitive dependency on the bouncer plugin.

Add go get github.com/crowdsecurity/crowdsec@v${CROWDSEC_VERSION} to the Caddy builder Stage 2 patch block, immediately after the existing go-ntlmssp override. Declare ARG CROWDSEC_VERSION in the caddy-builder stage so the variable resolves correctly within that Docker build context. Using the ARG rather than a hardcoded version ensures the Caddy override and the CrowdSec binaries always upgrade together when Renovate bumps CROWDSEC_VERSION, preventing version drift.

Remove this override once the bouncer ships a release that requires github.com/crowdsecurity/crowdsec >= v1.7.8.
The single-step crowdsec forced upgrade to v1.7.8 broke compilation because go-cs-bouncer@v0.0.14 (a direct dependency of the caddy bouncer plugin) is incompatible with crowdsec's v1.7.x API changes:
- A struct field type changed from *string to string (live_bouncer.go)
- version.DetectOS() return arity increased from 2 to 3 (metrics.go)

Replace the single go-get with a dual upgrade: first force go-cs-bouncer to v0.0.21 (the first release built against crowdsec v1.7.x APIs), then force crowdsec to CROWDSEC_VERSION. v0.0.21 was built against crowdsec v1.7.6; v1.7.8 is a semver-compatible patch release. The caddy-crowdsec-bouncer plugin's usage of go-cs-bouncer (struct literals and method calls) is API-compatible with v0.0.21.

Add a Renovate annotation on the go-cs-bouncer pin so future releases are tracked automatically. Both overrides can be removed once caddy-crowdsec-bouncer ships a release that depends on go-cs-bouncer >= v0.0.21.
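A post-build check for the two overrides described in the commit messages above, as an added Go example (not part of this repository): it reads the module list the Go toolchain embeds in a compiled binary and reports any crowdsec or go-cs-bouncer version below the floors those messages name. The helper names older and stale are hypothetical, and the version comparison is a simplified numeric one.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"slices"
)

// floors holds the minimum versions named in the commit messages above.
var floors = [][2]string{
	{"github.com/crowdsecurity/crowdsec", "v1.7.8"},
	{"github.com/crowdsecurity/go-cs-bouncer", "v0.0.21"},
}

// older compares vMAJOR.MINOR.PATCH numerically; suffixes are ignored (simplification).
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return slices.Compare(x[:], y[:]) < 0
}

// stale (hypothetical helper) lists embedded modules that sit below their floor.
func stale(mods map[string]string) (bad []string) {
	for _, f := range floors {
		if v, ok := mods[f[0]]; ok && older(v, f[1]) {
			bad = append(bad, f[0]+"@"+v+" < "+f[1])
		}
	}
	return bad
}

func main() {
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1]) // e.g. /usr/bin/caddy; defaults to this binary
	if err != nil {
		log.Fatal(err)
	}
	mods := map[string]string{}
	for _, d := range info.Deps {
		mods[d.Path] = d.Version
		if d.Replace != nil { // a replace directive decides what was compiled in
			mods[d.Path] = d.Replace.Version
		}
	}
	if bad := stale(mods); len(bad) > 0 {
		log.Fatalf("below floor: %v", bad)
	}
}
```

Run against the built image's Caddy binary, a non-zero exit means an override did not take effect or has drifted.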
…-crowdsec-bouncer to v0.12.1
This PR contains the following updates:
1.101.0 → 1.102.0

Release Notes

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/s3)

v1.102.0

Module Highlights
- github.com/aws/aws-sdk-go-v2/service/bedrock: v1.42.0
- github.com/aws/aws-sdk-go-v2/service/bedrockruntime: v1.34.0
- github.com/aws/aws-sdk-go-v2/service/eks: v1.69.0
- github.com/aws/aws-sdk-go-v2/service/rds: v1.102.0
- github.com/aws/aws-sdk-go-v2/service/sagemaker: v1.205.0

Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.