
Separate test deps from v2 module #158

Merged: 6 commits merged into master from go-mod-fixes, Sep 28, 2021
Conversation

@wallyqs (Member) commented Sep 28, 2021

Currently the v2 go.mod depends on the v1 version (which includes a CVE); this transitive dependency makes vulnerability check tools report v2 as including the CVE, even though v1 is only used for testing purposes. This separates the test dependencies into their own go.mod file so that this does not happen.

# Test without external dependencies
go test github.com/nats-io/jwt/v2 -v

# Tests with external dependencies (v1 dep in this case)
go test -modfile=go_test.mod github.com/nats-io/jwt/v2/test -v

Fixes #156
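The property this PR relies on (the v1 module is required by the test-only module file and by nothing else) can be checked mechanically rather than by reading the files. The following is an added example and is not code from this PR or from the nats-io/jwt repository: it parses the require directives of a production go.mod and a test-only go_test.mod and reports the modules that only the test file pulls in. The two module file contents (ProdGoMod, TestGoMod), the nkeys requirement and the version numbers are constructed stand-ins, not the repository's actual files.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for the two module files discussed in this PR.
// Paths and versions are illustrative and are not copied from the repository.
const ProdGoMod = `module github.com/nats-io/jwt/v2

go 1.16

require github.com/nats-io/nkeys v0.3.0
`

const TestGoMod = `module github.com/nats-io/jwt/v2

go 1.16

require (
	github.com/nats-io/jwt v1.2.2 // the v1 module, needed only by the compatibility tests
	github.com/nats-io/nkeys v0.3.0
)
`

// ParseRequires returns the module path -> version pairs listed in the
// require directives of a go.mod file. Both the single-line form
// ("require example.com/m v1.0.0") and the parenthesised block form are
// handled, and "//" comments (for example "// indirect") are stripped.
// replace, exclude and retract directives are ignored: they never add a
// dependency, so they cannot bring the v1 module back in.
func ParseRequires(goMod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		switch {
		case inBlock:
			if line == ")" {
				inBlock = false
				continue
			}
			addRequire(deps, line)
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			addRequire(deps, strings.TrimPrefix(line, "require "))
		}
	}
	return deps
}

// addRequire records one "path version" pair; malformed lines are skipped.
func addRequire(deps map[string]string, spec string) {
	f := strings.Fields(spec)
	if len(f) == 2 {
		deps[f[0]] = f[1]
	}
}

// Requires reports whether goMod lists modPath as a direct requirement.
func Requires(goMod, modPath string) bool {
	_, ok := ParseRequires(goMod)[modPath]
	return ok
}

// TestOnlyDeps returns, sorted, the modules the test module file requires
// that the production module file does not require at all. After the split
// in this PR the v1 module should show up here and nowhere else.
func TestOnlyDeps(prodMod, testMod string) []string {
	prod := ParseRequires(prodMod)
	var out []string
	for path := range ParseRequires(testMod) {
		if _, ok := prod[path]; !ok {
			out = append(out, path)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("test-only dependencies:", TestOnlyDeps(ProdGoMod, TestGoMod))
	fmt.Println("production go.mod requires v1 jwt:", Requires(ProdGoMod, "github.com/nats-io/jwt"))
}
```

The same check with the toolchain itself is `go list -m all` for the production module graph and `go list -modfile=go_test.mod -m all` for the test one; the v1 module should appear only in the second listing. Because `-modfile` also switches the checksum file to `go_test.sum`, the v1 module's hashes no longer land in `go.sum`, which is what scanners that only read go.mod and go.sum were keying on.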

wallyqs and others added 5 commits September 28, 2021 03:50
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
fix: change travis job to use test go.mod file
@aricart (Member) left a comment


LGTM, but I would like @kozlovic to give an LGTM as well, as he does the JWT release.

@aricart aricart requested a review from kozlovic September 28, 2021 15:59
@kozlovic (Member) left a comment


LGTM. I also posted a comment in the associated issue that we could make a release of v1, because the CVE issue was fixed in both code bases. But I am not super comfortable doing a v1 release.

@wallyqs (Member, Author) commented Sep 28, 2021

Agreed, maybe it can be done too if we branch out from the latest v1 release, apply the fix from #149 and then tag a v1 release that has the fix.

@matthiashanel (Contributor) left a comment


LGTM

@kozlovic (Member) commented Sep 28, 2021

@wallyqs The fix is already in. We would not have to actually branch anything. If we were to update the version in the v1 (root) dir to, say, 1.3.0, and push a tag v1.3.0, then release, it would be totally possible I think. But again, I am not sure I would want to do that.

@wallyqs (Member, Author) commented Sep 28, 2021

@kozlovic I see now, thanks for the clarification.

@kozlovic kozlovic merged commit ee62b55 into master Sep 28, 2021
@kozlovic kozlovic deleted the go-mod-fixes branch September 28, 2021 18:04
@wallyqs wallyqs mentioned this pull request Dec 5, 2022
Linked issue closed by this pull request: V2 is currently dependent on V1 (#156)