Updating Go dependency: Docker and Git to fix CVE

[corneliusludmann]

Description

Updating Go dependency: Docker and Git to fix CVE

/hold

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
golang/github.com/go-git/go-git/[email protected] ➜ v5.14.0	None	0	2.41 MB
golang/github.com/google/[email protected]	eval, filesystem, network, unsafe	0	470 kB
golang/golang.org/x/[email protected] ➜ v0.0.0-20240719175910-8a7402abbf56	None	0	1.52 MB

View full report↗︎

[corneliusludmann]

It seems that we need to pin opentelemetry dependency because the Dokcer version upgrade is causing a chain of dependency issues. It's now pulling in a newer version of the OpenTelemetry dependencies, but there's a package structure change in OpenTelemetry that's causing the issue. Pinning OpenTelemetry dependencies to compatible versions to resolve go mod tidy failures after upgrading github.com/docker/docker. The newer Docker version was pulling in incompatible OpenTelemetry packages with changed API structure.

[geropl]

I think doing the pins is good, if it reduces the CVEs.

@corneliusludmann Did you do the go mod tidy dance through all components that depend on docker? IMO we should do that nontheless, to avoid build issues down the line.

[corneliusludmann]

Did you do the go mod tidy dance through all components that depend on docker? IMO we should do that nontheless, to avoid build issues down the line.

go mod tidy with all components and installer does not change anything. @geropl Do you think it needs anything else?

[geropl]

@corneliusludmann Waiting for this regression test to be 🟢 : https://github.com/gitpod-io/gitpod/actions/runs/13991634122/job/39177564025

Update: DONE!

[geropl]

Change look great! ✔️

[geropl]

/unhold