
chore(release-8.5): upgrade vulnerable Go dependencies #1903

Merged
ti-chi-bot[bot] merged 2 commits into release-8.5 from security-fix-deps-release-8.5
Jun 11, 2026

yibin87 commented Jun 11, 2026

Collaborator

Fixes #1902.

Summary

Upgrade the vulnerable Go dependencies on release-8.5 to the requested fixed versions:

  • github.com/quic-go/quic-go: v0.57.0 -> v0.59.1
  • golang.org/x/image: v0.18.0 -> v0.38.0
  • google.golang.org/grpc: v1.59.0 -> v1.63.2

Notes

A small set of indirect dependencies also moved because they are required by the selected upstream module versions, mainly golang.org/x/crypto, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/text, golang.org/x/tools, and google.golang.org/genproto.

Validation

Full Go test suite passes with the patch.
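
A regression guard for the three pins listed in the summary above, as an added example that is not part of the pull request or the project's code: it scans go.mod text and flags a tracked module that is pinned below its fixed version, pinned to a pseudo-version of it, or redirected by a replace directive. The names minFixed, below, Audit and sample are hypothetical, the sample go.mod lines are constructed, and versions are assumed to have the plain vMAJOR.MINOR.PATCH form.

```go
package main

import (
	"fmt"
	"strings"
)

var minFixed = map[string]string{ // fixed versions from the PR summary
	"github.com/quic-go/quic-go": "v0.59.1",
	"golang.org/x/image":         "v0.38.0",
	"google.golang.org/grpc":     "v1.63.2",
}

// below reports whether module version v sorts before the fixed release want.
func below(v, want string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(want, "v%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return strings.Contains(v, "-") // equal core: a pre-release or pseudo-version sorts first
}

// Audit returns a finding for each tracked module pinned below its fixed version or replaced.
func Audit(gomod string) (findings []string) {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(line)
		f := strings.Fields(strings.TrimPrefix(strings.TrimPrefix(line, "require "), "replace "))
		if len(f) < 2 || minFixed[f[0]] == "" {
			continue
		}
		if strings.Contains(line, "=>") {
			findings = append(findings, f[0]+": replace directive, review manually")
		} else if below(f[1], minFixed[f[0]]) {
			findings = append(findings, f[0]+": "+f[1]+" < "+minFixed[f[0]])
		}
	}
	return findings
}

// Constructed go.mod lines: stale pin, pseudo-version, fixed pin, replace override.
const sample = "require github.com/quic-go/quic-go v0.57.0\n" +
	"require golang.org/x/image v0.38.0-0.20260101000000-abcdef123456\n" +
	"require google.golang.org/grpc v1.63.2\n" +
	"replace google.golang.org/grpc => google.golang.org/grpc v1.59.0\n"

func main() { fmt.Println(strings.Join(Audit(sample), "\n")) }
```

In a real pipeline the golang.org/x/mod/modfile and golang.org/x/mod/semver packages are a sturdier basis than this line scan; the standard library is used here so the block runs without extra modules.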

Signed-off-by: yibin87 <huyibin@pingcap.com>
ti-chi-bot[bot] requested review from Renkai and nolouch June 11, 2026 08:42
ti-chi-bot[bot] added the size/M label Jun 11, 2026
Signed-off-by: yibin87 <huyibin@pingcap.com>
ti-chi-bot[bot] added size/L and removed size/M labels Jun 11, 2026
yibin87 requested a review from shhdgit June 11, 2026 08:57
ti-chi-bot[bot] commented Jun 11, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: shhdgit

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ti-chi-bot[bot] added the lgtm label Jun 11, 2026

ti-chi-bot[bot] commented Jun 11, 2026

Contributor

[LGTM Timeline notifier]

Timeline:

  • 2026-06-11 08:58:26.148593829 +0000 UTC m=+1036807.218911209: ☑️ agreed by shhdgit.

ti-chi-bot[bot] added the approved label Jun 11, 2026
ti-chi-bot[bot] merged commit 1e843cf into release-8.5 Jun 11, 2026
7 checks passed
ti-chi-bot[bot] deleted the security-fix-deps-release-8.5 branch June 11, 2026 09:02
2 participants