Commit ab356cb
authored
Update vulnerable dependencies flagged by Dependabot (#1018)
Dependabot flagged multiple vulnerable dependencies, primarily in
golang.org/x packages from October 2023 and various framework libraries.
## Security Updates
**golang.org/x packages** (Oct 2023 → Jan 2025):
- crypto: v0.14.0 → v0.46.0
- net: v0.17.0 → v0.48.0
- sys: v0.13.0 → v0.40.0
- term: v0.13.0 → v0.39.0
- text: v0.13.0 → v0.33.0
- sync: v0.7.0 → v0.19.0
**Framework libraries**:
- spf13/cobra: v1.6.1 → v1.10.2
- spf13/viper: v1.15.0 → v1.21.0
- coder/websocket: v1.8.12 → v1.8.14
- google/uuid: v1.3.0 → v1.6.0
- hashicorp/go-version: v1.6.0 → v1.8.0
**UI libraries**:
- charmbracelet/bubbles: v0.15.0 → v0.21.0
- charmbracelet/bubbletea: v0.23.1 → v1.3.10
- charmbracelet/lipgloss: v0.6.0 → v1.1.0
- fatih/color: v1.15.0 → v1.18.0
## Code Changes
Go 1.24 enforces format string constants in `fmt.Errorf`. Fixed:
```go
// Before: db.Group is concatenated into the string that fmt.Errorf treats as its
// format, so any '%' in the group name is parsed as a verb.
return fmt.Errorf("Your DB might be archived. Please run `turso group unarchive " + db.Group + "` to unarchive it")
// After: the format string is a constant and db.Group is passed as an operand,
// so its bytes are copied into the message verbatim.
return fmt.Errorf("Your DB might be archived. Please run `turso group unarchive %s` to unarchive it", db.Group)
```
## Toolchain
Go: 1.22.0 → 1.24.11
> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by firewall rules:
>
> - `cloud.google.com` (dns block; triggering command garbled in extraction)
> - `go.googlesource.com` (dns block; triggering commands garbled in extraction)
> - `go.yaml.in` (dns block; triggering command garbled in extraction)
> - `google.golang.org` (dns block; triggering command garbled in extraction)
> - `gopkg.in` (dns block; triggering commands garbled in extraction)
> - `honnef.co` (dns block; triggering command garbled in extraction)
> - `vuln.go.dev`
>   - Triggering command: `/home/REDACTED/go/bin/govulncheck /home/REDACTED/go/bin/govulncheck ./... -march=x86-64 -gdwarf-2` (dns block)
>
> If you need me to access, download, or install something from one of these locations, you can either:
>
> - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/tursodatabase/turso-cli/settings/copilot/coding_agent) (admins only)
>
> </details>
<details>
<summary>Original prompt</summary>

> ----
>
> *This section details the original issue you should resolve*
>
> <issue_title>Dependabot security warnings</issue_title>
> <issue_description>Opening this issue just to tag copilot.
>
> Dependabot flags a few vulnerable dependencies; we need to upgrade them: https://github.com/tursodatabase/turso-cli/security/dependabot</issue_description>
>
> ## Comments on the Issue (you are @copilot in this section)
>
> <comments>
> </comments>

</details>
- Fixes #1017
3 files changed
Lines changed: 124 additions & 548 deletions
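What the `fmt.Errorf` change in this commit actually prevents, as an added example (editor's code, not turso-cli's): Go 1.24's `go vet` printf check, which `go test` runs automatically, reports `fmt.Errorf(s)` when `s` is non-constant and no operands follow, because any `%` in the interpolated value is parsed as a verb. The two functions below reproduce the before and after shapes with constructed group names; `hintPrefix`, `hintSuffix`, the function names and `HasFmtMarker` are chosen here, and `unarchiveHintBefore` calls `fmt.Errorf` through a variable purely so the pre-fix shape still compiles under that check.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not turso-cli code: the two shapes of the fmt.Errorf call from
// the commit message, fed constructed group names. hintPrefix, hintSuffix and the
// function names are chosen here.
const (
	hintPrefix = "Your DB might be archived. Please run `turso group unarchive "
	hintSuffix = "` to unarchive it"
)

// unarchiveHintBefore is the pre-fix shape: the message is assembled by string
// concatenation and handed to fmt.Errorf as its format string, so every '%' in
// group is parsed as a verb. fmt.Errorf is called through a variable purely so
// this example still compiles under go vet's printf check (Go 1.24+), which is
// the check that flagged the original call.
func unarchiveHintBefore(group string) error {
	errorf := fmt.Errorf
	return errorf(hintPrefix + group + hintSuffix)
}

// unarchiveHintAfter is the post-fix shape: constant format, group as an operand,
// so the bytes of group are copied into the message verbatim.
func unarchiveHintAfter(group string) error {
	return fmt.Errorf(hintPrefix+"%s"+hintSuffix, group)
}

// HasFmtMarker reports whether msg carries one of fmt's diagnostic markers
// ("%!d(MISSING)", "%!(EXTRA ...)" and friends), the after-the-fact sign that a
// non-constant format string was evaluated. It cannot see "%%" collapsing to
// "%", which is why the fix is the constant format, not this detector.
func HasFmtMarker(msg string) bool {
	return strings.Contains(msg, "%!")
}

func main() {
	for _, group := range []string{"prod", "prod%dgroup", "100%%"} { // constructed names
		before, after := unarchiveHintBefore(group).Error(), unarchiveHintAfter(group).Error()
		fmt.Printf("group=%q\n  before: %s  (marker=%v)\n  after:  %s\n", group, before, HasFmtMarker(before), after)
	}
}
```

`HasFmtMarker` is the string to grep for (`%!`) when auditing logs or a code base for the same pattern elsewhere; note that a value such as `100%%` is silently halved to `100%` by the pre-fix shape and leaves no marker behind, so the detector is a triage aid and the constant format string is the fix.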
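A way to verify that a bump like this one landed and stays landed, as an added example that is not part of turso-cli: it parses a go.mod and compares each required module's effective version, `replace` directives included, against the version floors listed in the commit message above. The go.mod text is constructed for the example, the full module paths are assumed from the short names in the list, and `versionKey`, `effectiveVersions` and `CheckFloors` are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not turso-cli code. floors is a subset of the post-bump versions
// in the commit message; full module paths are assumed from the short names there.
var floors = map[string]string{
	"golang.org/x/crypto":    "v0.46.0",
	"golang.org/x/sys":       "v0.40.0",
	"golang.org/x/text":      "v0.33.0",
	"github.com/spf13/viper": "v1.21.0",
}

// sampleGoMod is constructed: x/sys is stale outright, x/text is stale through a
// replace that overrides a compliant require line, and viper is replaced by a
// local checkout whose version cannot be established from go.mod at all.
const sampleGoMod = `module github.com/example/turso-cli
require (
	github.com/spf13/viper v1.21.0
	golang.org/x/crypto v0.46.0 // indirect
	golang.org/x/sys v0.13.0
	golang.org/x/text v0.33.0
)
replace golang.org/x/text => golang.org/x/text v0.13.0
replace github.com/spf13/viper => ../viper
`

// versionKey packs "vMAJOR.MINOR.PATCH[-suffix]" into one comparable integer
// (three decimal digits per component); a "-suffix", which marks a pre-release
// or a pseudo-version, sorts just below the bare release.
func versionKey(v string) (int64, error) {
	v, key := strings.TrimPrefix(v, "v"), int64(1)
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, key = v[:i], 0
	}
	var mj, mn, pt int64
	if n, err := fmt.Sscanf(v, "%d.%d.%d", &mj, &mn, &pt); err != nil || n != 3 || mn > 999 || pt > 999 {
		return 0, fmt.Errorf("malformed version %q", v)
	}
	return key + mj*1e9 + mn*1e6 + pt*1e3, nil
}

// effectiveVersions maps each required module to the version the build will use:
// the require entry, overridden by any replace. A replace that points at a local
// directory or a different module path yields "" so it is flagged, not trusted.
func effectiveVersions(gomod string) map[string]string {
	versions, replaces := map[string]string{}, map[string]string{}
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if block != "" && len(f) > 0 && f[0] != ")" {
			f = append([]string{block}, f...) // give block entries the one-line shape
		}
		_, rhs, replaced := strings.Cut(strings.Join(f, " "), " => ")
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case f[0] == "require" && len(f) == 3:
			versions[f[1]] = f[2]
		case f[0] == "replace" && replaced:
			if r := strings.Fields(rhs); len(r) == 2 && r[0] == f[1] {
				replaces[f[1]] = r[1] // same module path, explicit version
			} else {
				replaces[f[1]] = "" // local directory or a different module
			}
		}
	}
	for mod, v := range replaces {
		if _, required := versions[mod]; required {
			versions[mod] = v
		}
	}
	return versions
}

// CheckFloors returns the required modules whose effective version is below its
// floor, mapped to the version in use ("" when a replace made it unverifiable).
// Modules absent from go.mod are not built, so they are not findings.
func CheckFloors(gomod string, floors map[string]string) map[string]string {
	bad := map[string]string{}
	for mod, have := range effectiveVersions(gomod) {
		if want, ok := floors[mod]; ok {
			hk, errHave := versionKey(have)
			wk, errWant := versionKey(want)
			if errHave != nil || errWant != nil || hk < wk {
				bad[mod] = have
			}
		}
	}
	return bad
}

func main() {
	fmt.Println(CheckFloors(sampleGoMod, floors)) // constructed go.mod above
}
```

The point of resolving `replace` directives is that a go.mod whose `require` lines all look patched can still build the old code: a `replace` to an older version of the same module, or to a fork or local path, wins over the `require` entry, and a check that reads only `require` lines (or only the Dependabot alert list) passes. This check covers declared versions only; `govulncheck`, which the agent's firewall blocked at `vuln.go.dev` per the warning above, is the complementary step that reports whether a vulnerable function is actually reachable from the binary.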