public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e2b5942c81758e42e41bfbbc4607ece56cde658
grafana/go.work
Mariell Hoversholm 07bfa602f2 App Platform: Pin bleve to fix CVE-2022-31022 (#102513) 
This pins Bleve to a soon-to-be v2.5.0 commit.

Fixes CVE-2022-31022. We can unpin when v2.5.0 releases (likely March 25th).
We do not need any new features or similar, though there are some fixes that are nice to receive.

We will **not** backport this fix as we aren't actually vulnerable to anything via CVE-2022-31022; we never use its code, nor does Bleve. The reason we are fixing this is to get Trivy to stop complaining.

Fixes: #97439
2025-03-20 11:19:57 +01:00

49 lines
1.7 KiB
Plaintext
Raw Blame History

go 1.24.1
// The `skip:golangci-lint` comment tag is used to exclude the package from the `golangci-lint` GitHub Action.
// The module at the root of the repo (`.`) is excluded because ./pkg/... is included manually in the `golangci-lint` configuration.
use (
. // skip:golangci-lint
./.citools/bra
./.citools/cog
./.citools/cue
./.citools/drone
./.citools/golangci-lint
./.citools/jb
./.citools/lefthook
./.citools/swagger
./apps/advisor
./apps/alerting/notifications
./apps/dashboard
./apps/investigations
./apps/playlist
./pkg/aggregator
./pkg/apimachinery
./pkg/apis/secret // @grafana/grafana-operator-experience-squad
./pkg/apiserver
./pkg/build
./pkg/build/wire // skip:golangci-lint
./pkg/codegen
./pkg/plugins/codegen
./pkg/promlib
./pkg/semconv
./pkg/storage/unified/apistore
./pkg/storage/unified/resource
./pkg/util/xorm // skip:golangci-lint
)
// when we release xorm we would like to release it like github.com/grafana/grafana/pkg/util/xorm
// but we don't want to change all the imports. so we use replace to handle this situation
replace xorm.io/xorm => ./pkg/util/xorm
replace github.com/getkin/kin-openapi => github.com/getkin/kin-openapi v0.126.0
replace github.com/prometheus/alertmanager => github.com/grafana/prometheus-alertmanager v0.25.1-0.20240930132144-b5e64e81e8d3
replace github.com/crewjam/saml => github.com/grafana/saml v0.4.15-0.20240917091248-ae3bbdad8a56
// Can be removed once Bleve releases v2.5.0.
// We've pinned this for: https://github.com/blevesearch/bleve/commit/af9e3111dadfedf9d30f0448506b4a57fecc8550
replace github.com/blevesearch/bleve/v2 => github.com/blevesearch/bleve/v2 v2.4.4-0.20250319135056-b82baf10b205
Reference in New Issue View Git Blame Copy Permalink