Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/vendor: update pprof #65741

Closed
ziler-orca opened this issue Feb 16, 2024 · 2 comments
Closed

cmd/vendor: update pprof #65741

ziler-orca opened this issue Feb 16, 2024 · 2 comments
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.23

Comments

@ziler-orca
Copy link

Go version

go version go1.22.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.0'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/usr/local/go/src/cmd/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4066185309=/tmp/go-build -gno-record-gcc-switches'

What did you do?

The maintainer of pprof patched the CVE for d3-color and it still shows the d3 flamegraph dependency (i.e. /usr/local/go/src/cmd/vendor/github.com/google/pprof/third_party/d3flamegraph) in the latest version golang

What did you see happen?

The maintainer of pprof patched the CVE for d3-color and it still shows the d3 flamegraph dependency (i.e. /usr/local/go/src/cmd/vendor/github.com/google/pprof/third_party/d3flamegraph) in the latest version golang

What did you expect to see?

Can you please make the necessary updates to pickup the patch.
@ianlancetaylor ianlancetaylor changed the title Pickup patch for pprof cmd/vendor: update pprof Feb 16, 2024
@ianlancetaylor
Copy link
Contributor

CC @golang/release

@dmitshur dmitshur added this to the Go1.23 milestone Feb 16, 2024
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. FixPending Issues that have a fix which has not yet been reviewed or submitted. labels Feb 16, 2024
@gopherbot
Copy link

Change https://go.dev/cl/564636 mentions this issue: cmd/pprof: update vendored github.com/google/pprof

ezz-no pushed a commit to ezz-no/go-ezzno that referenced this issue Feb 18, 2024
@dmitshur @ezz-no
cmd/pprof: update vendored github.com/google/pprof
2c21320 
Pull in the latest published version of github.com/google/pprof
as part of the continuous process of keeping Go's dependencies
up to date. Done with:

go get github.com/google/pprof
go mod tidy
go mod vendor

For golang#36905.
Fixes golang#65741.

Change-Id: Ice7b085c03ff69be97929cbe47bfd91954907529
Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/go/+/564636
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.23
Development

No branches or pull requests
4 participants
@dmitshur @ianlancetaylor @gopherbot @ziler-orca