Upgrade dependencies #606
base: master
Conversation
Walkthrough
This update modernizes the project’s linting and dependency management. The GitHub Actions workflow for golangci-lint is upgraded to v8, and the
Changes
Sequence Diagram(s)
sequenceDiagram
participant Developer
participant GitHub Actions
participant golangci-lint
Developer ->> GitHub Actions: Push code / PR
GitHub Actions ->> golangci-lint (v8): Run lint checks with new config
golangci-lint -->> GitHub Actions: Report results
GitHub Actions -->> Developer: Display lint results
Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.
🔧 golangci-lint (1.64.8): Error: you are using a configuration file for golangci-lint v2 with golangci-lint v1: please use golangci-lint v2
Codecov Report
All modified and coverable lines are covered by tests ✅

Coverage Diff

@@            Coverage Diff             @@
##           master     #606      +/-   ##
==========================================
- Coverage   73.31%   73.26%   -0.06%
==========================================
  Files          73       73
  Lines        6986     6986
==========================================
- Hits         5122     5118       -4
- Misses       1482     1485       +3
- Partials      382      383       +1
Actionable comments posted: 3

🧹 Nitpick comments (5)

examples/mcast/client/main.go (1)

103-107: Consider improving comment formatting.
While the logic is unchanged, placing the closing comment `*/` and the `if err != nil` check on the same line reduces readability. Consider keeping them on separate lines for better code clarity.

    - err = req.SetupGet("/oic/res", token) /* msg.Option{
    -   ID: msg.URIQuery,
    -   Value: []byte("rt=oic.wk.d"),
    - }*/if err != nil {
    + err = req.SetupGet("/oic/res", token) /* msg.Option{
    +   ID: msg.URIQuery,
    +   Value: []byte("rt=oic.wk.d"),
    + }*/
    + if err != nil {

.golangci.yml (4)

4-5: Remove obsolete `issues` section
The commented-out `issues` block applies to v1 configs. Since you’re fully on v2, you can delete these lines to keep the file clean.

22-22: Clean up unused commented linter
The commented `exportloopref` line should be removed if it's not needed. If you intend to disable that linter, list it explicitly under `disable:` for clarity.

31-32: Review commented-out linters
Both `goerr113` and `gomoddirectives` are currently commented out. Move them to the `disable:` section if you want them off, or remove them entirely to avoid confusion.

151-158: Optimize formatter configuration
You’ve enabled `gci`, `gofmt`, `gofumpt`, and `goimports`. Note that `gofumpt` encompasses `gofmt` rules. Consider removing the direct `gofmt` entry to streamline the pipeline.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

⛔ Files ignored due to path filters (1)
- go.sum is excluded by !**/*.sum

📒 Files selected for processing (10)
- .github/workflows/golangci-lint.yml (1 hunks)
- .golangci.yml (3 hunks)
- examples/dtls/cid/server/main.go (2 hunks)
- examples/dtls/pki/cert_util.go (0 hunks)
- examples/mcast/client/main.go (2 hunks)
- examples/mcast/server/main.go (1 hunks)
- examples/options/server/main.go (2 hunks)
- examples/simple/server/main.go (1 hunks)
- go.mod (1 hunks)
- pkg/cache/cache.go (2 hunks)

💤 Files with no reviewable changes (1)
- examples/dtls/pki/cert_util.go

🧰 Additional context used
🧬 Code Graph Analysis (2)
examples/simple/server/main.go (2)
- mux/router.go (1): ResponseWriter (15-20)
- mux/message.go (1): Message (13-16)
examples/dtls/cid/server/main.go (2)
- dtls/server/server.go (2): Listener (21-24), New (40-86)
- udp/client/conn.go (2): WithInactivityMonitor (261-265), Conn (184-218)
🔇 Additional comments (14)

examples/mcast/server/main.go (1)

52-52: Good variable scoping improvement.
Changing from `:=` to `=` eliminates variable shadowing by using the existing `err` variable instead of creating a new local one. This improves code clarity and follows Go best practices.

examples/options/server/main.go (2)

12-12: Good import consolidation.
Consolidating the import statement removes duplication and improves code organization.

52-56: Excellent naming convention improvement.
Renaming `clientId` to `clientID` follows Go naming conventions where acronyms like "ID" should be fully capitalized. This improves code consistency and readability.

pkg/cache/cache.go (1)

53-53: Excellent use of method promotion.
Changing from direct field access (`c.Map.ReplaceWithFunc`, `c.Map.Delete`) to promoted method calls (`c.ReplaceWithFunc`, `c.Delete`) is more idiomatic Go code. This properly leverages Go's method promotion feature and provides better encapsulation while maintaining the same functionality.
Also applies to: 80-80

examples/dtls/cid/server/main.go (2)

46-48: LGTM: Struct simplification improves clarity.
Good cleanup removing the unused `closed` field from the `wrappedListener` struct. This simplifies the code while maintaining the same functionality.

88-88: LGTM: Proper use of unnamed parameter.
Using `_` for the unused connection parameter in the inactivity monitor callback clearly indicates the parameter is intentionally ignored, improving code readability.

examples/simple/server/main.go (1)

20-20: LGTM: Proper handling of unused parameter.
Good improvement using `_` to explicitly indicate the request message parameter is intentionally unused in this handler. This follows Go conventions and improves code clarity.

examples/mcast/client/main.go (2)

113-113: LGTM: Proper use of unnamed parameter.
Using `_` for the unused response message parameter in the DiscoveryRequest callback clearly indicates it's intentionally ignored.

127-127: LGTM: Proper use of unnamed parameter.
Using `_` for the unused value parameter in the Range function follows Go conventions and improves code clarity.

go.mod (2)

7-12: LGTM: Dependency updates improve security and functionality.
The direct dependency updates look good:
- github.com/pion/dtls/v3 updated to v3.0.6 (from v3.0.2 mentioned in PR objectives)
- golang.org/x/* packages updated to recent versions
These updates should provide bug fixes and security improvements.

17-22: LGTM: Indirect dependency updates.
The indirect dependency updates align with the direct dependency updates and should provide improved stability and security.

.golangci.yml (3)

1-3: Upgrade configuration to v2 and set Go version
The keys `version: "2"` and `run.go: "1.20"` correctly bump to the new config schema and pin the linter to your Go version. Verify your CI workflow uses golangci-lint v2 to avoid compatibility issues.

101-109: Configure `settings` and `exclusions` per v2 schema
The new `settings` block for `gocyclo` and `govet`, along with the `exclusions` section, aligns with the v2 format. Run `golangci-lint run --config .golangci.yml` to ensure these rules load correctly and exclusions behave as expected.

150-150: Exclude the `examples` directory
Adding `examples` to `exclusions.paths` silences lint reports for example code. Confirm that any intentional warnings in examples are now properly hidden.
@@ -25,7 +25,7 @@ jobs: | |||
- run: go version | |||
|
|||
- name: golangci-lint | |||
uses: golangci/golangci-lint-action@v6 | |||
uses: golangci/golangci-lint-action@v8 |
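Review bot: the bump to golangci-lint-action@v8 is the right pairing for the `version: "2"` key this PR adds to .golangci.yml, since v7 and later of the action run golangci-lint v2; the verification comment further down saying no v8 release exists is out of date, and the golangci-lint 1.64.8 error at the top of this thread comes from CodeRabbit's own runner, not from this workflow. Two things worth adding to this hunk: pass an explicit `version:` input pinned to the exact golangci-lint v2 release you validated locally, so a change in the action's default cannot silently change lint results, and pin the action to a full commit SHA with the tag in a trailing comment (`uses: golangci/golangci-lint-action@<sha> # v8`), so a moved v8 tag cannot swap the code that runs in CI.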
💡 Verification agent
🧩 Analysis chain
Verify the action version and approve the upgrade.
The upgrade from golangci-lint-action@v6 to v8 is a good practice to stay current with the latest features and security updates.

🌐 Web query: What is the latest stable version of golangci/golangci-lint-action on GitHub?

💡 Result:
The latest stable version of the golangci/golangci-lint-action GitHub Action is v6.2.0, released on May 28, 2025. (newreleases.io)
This release introduces support for Linux ARM64 in public preview and updates the build tag syntax.
For detailed information on this release, you can refer to the release notes. (newreleases.io)
To use this version in your GitHub Actions workflow, specify it as follows:

    - name: Golangci-lint
      uses: golangci/golangci-lint-action@v6.2.0
      with:
        version: v1.60

Ensure that the `version` input matches the desired version of golangci-lint you intend to use.

Citations:
- 1: https://newreleases.io/project/github/golangci/golangci-lint-action/release/v6.2.0?utm_source=openai
- 2: https://newreleases.io/project/github/golangci/golangci-lint-action/release/v6.2.0?utm_source=openai

Invalid golangci-lint Action version
The workflow is currently using golangci/golangci-lint-action@v8, but no v8 release exists. The latest stable release is v6.2.0 (released May 28, 2025).
Please update the workflow:
• File: .github/workflows/golangci-lint.yml
• Line: 28
• Suggested change:

    - uses: golangci/golangci-lint-action@v8
    + uses: golangci/golangci-lint-action@v6.2.0
      with:
        version: v1.60

📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    - uses: golangci/golangci-lint-action@v8
    + uses: golangci/golangci-lint-action@v6.2.0
    +   with:
    +     version: v1.60

🤖 Prompt for AI Agents
In .github/workflows/golangci-lint.yml at line 28, the golangci-lint GitHub Action version is incorrectly set to v8, which does not exist. Update the action version to the latest stable release v6.2.0 by changing the uses line to golangci/golangci-lint-action@v6.2.0. Also, ensure the 'version' input parameter matches the golangci-lint tool version you want to use.
@@ -4,20 +4,29 @@ go 1.20 | |||
|
|||
require ( | |||
github.com/dsnet/golib/memfile v1.0.0 | |||
github.com/pion/dtls/v3 v3.0.2 | |||
github.com/pion/dtls/v3 v3.0.6 |
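Review bot: the pion/dtls/v3 bump from v3.0.2 to v3.0.6 reads fine, but the `go 1.20` context line at the top of this hunk is what constrains the rest of the PR: the replace block further down says the x/ modules are pinned to keep go1.20 building, so the `≥ v0.38.0` and `≥ v0.35.0` bumps of golang.org/x/net and golang.org/x/crypto requested in the comment below are only possible if those releases still declare a go directive this module can build with, which needs checking before acting on the list. Run `govulncheck ./...` at this commit instead of relying on the web-query result: it reports only findings reachable from this module's call graph, CVE-2025-22869 is in golang.org/x/crypto/ssh, which none of the files touched here imports, and CVE-2024-45338 in golang.org/x/net/html was fixed in v0.33.0, so it does not apply to v0.35.0. If the outcome is that the go directive has to move, that change belongs in this hunk with a sentence in the PR description.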
💡 Verification agent
🧩 Analysis chain
Verify security vulnerabilities in updated dependencies.
Please verify that the updated dependency versions don't contain known security vulnerabilities.
Also applies to: 10-12, 17-17, 20-21

🌐 Web query: Are there any known security vulnerabilities in github.com/pion/dtls/v3 v3.0.6, golang.org/x/net v0.35.0, golang.org/x/crypto v0.33.0, or golang.org/x/sys v0.30.0?

💡 Result:
Security Vulnerabilities in Specific Go Packages and Versions

1. github.com/pion/dtls/v3 v3.0.6
- There are no publicly documented vulnerabilities specific to v3.0.6 as of now in the GitHub security advisories or recent release notes[1][2][3].
- Previous research uncovered vulnerabilities in older versions, including a padding oracle vulnerability and potential issues with processing unencrypted data post-handshake[5][10]. However, these are not confirmed in the v3.0.6 or v3.x series, and the most prominent CVE (CVE-2022-29189) was fixed in v2.1.4[4].
- The Pion team aspires to a formal security review but does not list any current open vulnerabilities for v3.0.6[1][3].
Summary: No known, unpatched vulnerabilities in v3.0.6.

2. golang.org/x/net v0.35.0
- Multiple vulnerabilities have been found in versions below 0.38.0:
  - CVE-2024-45338: Denial of Service due to non-linear parsing in the html package, impacting v0.35.0[7].
  - CVE-2025-22872: Cross-site scripting (XSS) vulnerability due to the tokenizer incorrectly treating tags as self-closing in certain contexts, also affecting v0.35.0[9].
Summary: v0.35.0 is affected by at least two publicly disclosed vulnerabilities. Upgrade is recommended.

3. golang.org/x/crypto v0.33.0
- CVE-2025-22869: SSH servers using the package are vulnerable to a Denial of Service (DoS) attack via slow or incomplete key exchange. This impacts all versions prior to v0.35.0, including v0.33.0[6].
Summary: v0.33.0 is vulnerable to DoS attacks and should be upgraded.

4. golang.org/x/sys v0.30.0
- No reported or documented vulnerabilities specific to v0.30.0 or close releases were found in search results[8].
Summary: No known vulnerabilities in v0.30.0 as of now.

Summary Table

| Package | Version | Vulnerabilities Present? | Details / References |
|---|---|---|---|
| github.com/pion/dtls/v3 | v3.0.6 | No known current vulnerabilities | [1][2][3] |
| golang.org/x/net | v0.35.0 | Yes | CVE-2024-45338[7], CVE-2025-22872[9] |
| golang.org/x/crypto | v0.33.0 | Yes | CVE-2025-22869[6] |
| golang.org/x/sys | v0.30.0 | No | [8] |

Recommendations
- Upgrade both golang.org/x/net and golang.org/x/crypto to the latest versions available to address well-documented security flaws.
- Monitor Pion DTLS for future advisories, but v3.0.6 has no open, critical CVEs at this time.
- No immediate action needed for golang.org/x/sys v0.30.0, but keep it updated as part of normal maintenance.
If your project is security sensitive, consider a full security review and always track dependency advisories for updates.

Citations:
- 1: https://github.com/pion/dtls/security
- 2: https://github.com/pion/dtls/releases
- 3: https://github.com/pion/dtls
- 4: https://nvd.nist.gov/vuln/detail/CVE-2022-29189
- 5: https://www.usenix.org/system/files/usenixsecurity23-erinola.pdf
- 6: GHSA-hcg3-q754-cr77
- 7: https://vulert.com/vuln-db/CVE-2024-45338
- 8: https://pkg.go.dev/vuln/list
- 9: GHSA-vvgc-356p-c3xw
- 10: https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf

Address security vulnerabilities in Go dependencies
The following versions in go.mod are affected by known CVEs and should be upgraded:
- go.mod (lines 10–12): golang.org/x/net v0.35.0
  • CVE-2024-45338 (DoS via non-linear HTML parsing)
  • CVE-2025-22872 (XSS in HTML tokenizer)
  → Upgrade to ≥ v0.38.0
- go.mod (line 17): golang.org/x/crypto v0.33.0
  • CVE-2025-22869 (SSH DoS via slow/incomplete key exchange)
  → Upgrade to ≥ v0.35.0
No action needed for:
- github.com/pion/dtls/v3 v3.0.6 (no known vulnerabilities)
- golang.org/x/sys v0.30.0 (no known vulnerabilities)
Please bump these two dependencies in go.mod and verify there are no downstream breaking changes.

🤖 Prompt for AI Agents
In go.mod around lines 10 to 12 and line 17, the dependencies golang.org/x/net v0.35.0 and golang.org/x/crypto v0.33.0 have known security vulnerabilities. Upgrade golang.org/x/net to version 0.38.0 or higher and golang.org/x/crypto to version 0.35.0 or higher to address these CVEs. Confirm that these upgrades do not introduce breaking changes in downstream code.
// pin versions to keep go1.20 support | ||
replace ( | ||
golang.org/x/crypto => golang.org/x/crypto v0.33.0 | ||
golang.org/x/exp => golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e | ||
golang.org/x/net => golang.org/x/net v0.35.0 | ||
golang.org/x/sync => golang.org/x/sync v0.11.0 | ||
golang.org/x/sys => golang.org/x/sys v0.30.0 | ||
) |
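Review bot: the comment below calls this block redundant, but an unversioned replace is not a no-op, and the `// pin versions to keep go1.20 support` comment overstates what it buys. `golang.org/x/net => golang.org/x/net v0.35.0` with no left-hand version rewrites every version of that module: if a future transitive dependency requires, say, v0.40.0, MVS still selects v0.40.0 and the require line moves there, but the build compiles v0.35.0's source, a silent downgrade that can break against a dependency needing newer APIs and that hides the real version from anyone auditing go.mod. The pin also only takes effect when this module is the main module; replace directives in a library's go.mod are ignored by importers, so downstream users get no go1.20 guarantee from it. If go1.20 compatibility is the goal, drop the replace block, keep the versions in require, and have the CI matrix build and test with Go 1.20 so an incompatible bump fails visibly.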
💡 Verification agent
🧩 Analysis chain
Question the necessity of the replace directive.
The replace directive pins the exact same versions that are already specified in the require section. This appears redundant unless there are specific transitive dependency conflicts.
Please verify if this replace directive is actually necessary by checking if any transitive dependencies pull in incompatible versions:

🏁 Script executed:

    #!/bin/bash
    # Description: Check if replace directives are necessary by examining transitive dependencies
    echo "Checking for version conflicts in transitive dependencies..."
    # Check what versions would be selected without replace directives
    go mod graph | grep -E "(golang.org/x/crypto|golang.org/x/exp|golang.org/x/net|golang.org/x/sync|golang.org/x/sys)" | head -20
    echo -e "\nChecking go mod why for each replaced module..."
    go mod why golang.org/x/crypto
    go mod why golang.org/x/exp
    go mod why golang.org/x/net
    go mod why golang.org/x/sync
    go mod why golang.org/x/sys

Length of output: 2968

Drop redundant replace directives in go.mod
All of the golang.org/x/{crypto,exp,net,sync,sys} modules are only pulled in indirectly, and the Go resolver already selects the same highest versions you’ve pinned (no transitive dependency is requesting a newer release). You can safely remove the entire replace block (lines 25–32) to simplify your module:
- go.mod: delete lines 25–32 (the replace (…) section)
If you still intend to proactively guard against future upgrades that might bump these beyond Go 1.20, consider documenting that goal instead of mirroring the current require versions here.

🤖 Prompt for AI Agents
In go.mod around lines 25 to 32, the replace directive pins versions of golang.org/x/{crypto,exp,net,sync,sys} that are identical to those already specified in the require section, making it redundant. Remove the entire replace block from lines 25 to 32 to simplify the module, as the Go module resolver already selects these versions correctly without conflicts. If you want to guard against future upgrades, add a comment instead of duplicating the version pins.
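A worked check for the two comments above (the CVE list for the go.mod hunk and the replace-directive question), added here as example code for this review and not part of the PR or the project: a stdlib-only Go program that parses a go.mod, resolves the version a build would actually use once unversioned replace directives are applied, and compares it against fixed-in versions. The go.mod text is constructed to mirror the require and replace hunks in this PR (abbreviated, with no module line), the fixed-in versions are the ones the review comment asserts and are inputs to confirm with govulncheck, and the v0.40.0 bump used to show how a replace caps an upgrade is an invented scenario.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod mirroring this PR's require/replace hunks (not the project's real file).
const sampleGoMod = `go 1.20
require (
	github.com/pion/dtls/v3 v3.0.6
	golang.org/x/net v0.35.0
)
require golang.org/x/crypto v0.33.0 // indirect
replace ( // pin versions to keep go1.20 support
	golang.org/x/crypto => golang.org/x/crypto v0.33.0
	golang.org/x/net => golang.org/x/net v0.35.0
)
`

// ModFile: module path -> required version, and module path -> version forced by an unversioned replace.
type ModFile struct{ Require, Replace map[string]string }

// ParseGoMod reads require/replace blocks and single-line directives; versioned
// replaces ("a v1 => b v2"), exclude and retract cannot cap upgrades and are skipped.
func ParseGoMod(src string) ModFile {
	m := ModFile{Require: map[string]string{}, Replace: map[string]string{}}
	block := ""
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop comments such as "// indirect"
		}
		f := strings.Fields(line)
		kind := block
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")":
			block = ""
			continue
		case len(f) == 2 && f[1] == "(":
			block = f[0]
			continue
		case block == "":
			kind, f = f[0], f[1:] // single-line directive such as "go 1.20"
		}
		switch {
		case kind == "require" && len(f) == 2:
			m.Require[f[0]] = f[1]
		case kind == "replace" && len(f) == 4 && f[1] == "=>":
			m.Replace[f[0]] = f[3] // no left-hand version: rewrites every version of the module
		}
	}
	return m
}

// CompareVersion is negative, zero or positive like strings.Compare, using the
// numeric core only; pre-release and pseudo-version suffixes are ignored.
func CompareVersion(a, b string) int {
	pa, pb := numericCore(a), numericCore(b)
	for i := range pa {
		if d := pa[i] - pb[i]; d != 0 {
			return d
		}
	}
	return 0
}

func numericCore(v string) (out [3]int) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core, _, _ = strings.Cut(core, "+")
	for i, p := range strings.SplitN(core, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// Below maps each module whose effective version is lower than the given one
// (an advisory's first fixed release, say) to that effective version. The effective
// version is what a build of this module as the main module gets: an unversioned
// replace beats whatever MVS selected, even a newer version a transitive dependency
// or go get -u asked for. Importers never see a library's replace block.
func (m ModFile) Below(fixedIn map[string]string) map[string]string {
	out := map[string]string{}
	for path, fixed := range fixedIn {
		v, ok := m.Replace[path]
		if !ok {
			v, ok = m.Require[path]
		}
		if ok && CompareVersion(v, fixed) < 0 {
			out[path] = v
		}
	}
	return out
}

func main() {
	m := ParseGoMod(sampleGoMod)
	// Fixed-in versions as asserted in the review comment above; confirm them with govulncheck.
	fmt.Println("below fix:", m.Below(map[string]string{"golang.org/x/net": "v0.38.0", "golang.org/x/crypto": "v0.35.0"}))
}
```

Run with `go run .`. The parser is deliberately minimal and the version ordering only looks at the numeric core, so two pseudo-versions of the same base compare equal; for the real file, golang.org/x/mod/modfile and golang.org/x/mod/semver are the right tools, and govulncheck is what decides whether a listed CVE is reachable at all.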
Direct:
- github.com/pion/dtls/v3 v3.0.6
- golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e
- golang.org/x/net v0.35.0
- golang.org/x/sync v0.11.0
Indirect:
- github.com/pion/logging v0.2.3
- golang.org/x/crypto v0.33.0
- golang.org/x/sys v0.30.0