Hello Exercism community, I’m an old friend and contributor to the platform. I’ve contributed in the past to the CLI and a few of the Go tracks. I’m interested in helping out with the CLI again and have started opening small PRs here and there.
In response to a previously merged PR that fixed failing tests for Go 1.17 in the CLI, I proposed bumping the minimum version of Go used by the CLI. I’m starting this discussion to share the PR and discuss any additional changes or concerns.
Taking the lead from the version of Go used for testing the Go track exercises, I assume maintainers are using at least Go 1.20 and above. Please advise if that is not the case.
The link to the PR is: "Bump target Go version to 1.20" by nywilken, Pull Request #1118 in exercism/cli on GitHub.
Proposed Changes
The change bumps the minimum Go version to 1.20 to take advantage of a number of fixes to the language, while supporting the minimum version for a number of key dependencies which have been moving away from Go 1.15 and other unsupported Go versions.
This change officially removes Go 1.15 from the testing matrix and adds the Go versions used for supporting the Exercism CLI and Go track exercises. Namely Go 1.20.x and 1.21.x.
Additional Changes
Additional changes made to support the Go version bump include:
- Bumped a number of golang.org/x (Go sub-repository) package dependencies to address reported vulnerabilities.
- Updated the goreleaser pipeline to use Go 1.20.x
- Updated build tags to Go 1.18 syntax
- Replaced calls to deprecated io/ioutil pkg
- Added multiple Go versions to the testing matrix.
- Bumped stretchr/testify to v1.8.4
- Bumped spf13/cobra to v1.7.0
- Bumped spf13/viper to address reported vulnerabilities in yaml.v2
```
~> govulncheck -test ./...
Scanning your code and 210 packages across 21 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2022-0956
    Excessive resource consumption in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2022-0956
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d
    Fixed in: gopkg.in/yaml.v2@v2.2.4
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

Vulnerability #2: GO-2021-0061
    Denial of service in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2021-0061
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d
    Fixed in: gopkg.in/yaml.v2@v2.2.3
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

Vulnerability #3: GO-2020-0036
    Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2020-0036
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d
    Fixed in: gopkg.in/yaml.v2@v2.2.8
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal
```
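The report above lists three findings against the same module, each with a different "Fixed in" version, so the useful question for the dependency bump is the highest fix version per module (here v2.2.8 closes all three). The following is an added example, not code from the exercism/cli PR, that parses govulncheck's text report into structured findings and derives that minimum upgrade per module. The sample report embedded in it is copied from the output shown in this post; the version comparison is a small hand-written one for vMAJOR.MINOR.PATCH and pseudo-versions, and the function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleReport is the govulncheck text output from this post (not constructed).
const sampleReport = `Scanning your code and 210 packages across 21 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2022-0956
    Excessive resource consumption in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2022-0956
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d
    Fixed in: gopkg.in/yaml.v2@v2.2.4
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

Vulnerability #2: GO-2021-0061
    Denial of service in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2021-0061
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d
    Fixed in: gopkg.in/yaml.v2@v2.2.3
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

Vulnerability #3: GO-2020-0036
    Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2020-0036
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d
    Fixed in: gopkg.in/yaml.v2@v2.2.8
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal
`

// Finding is one "Vulnerability #N" entry from govulncheck's human-readable report.
type Finding struct {
	ID      string   // vulnerability ID, e.g. GO-2022-0956
	Summary string   // one-line description
	Module  string   // affected module path
	FoundIn string   // module@version currently in the build graph
	FixedIn string   // first module@version containing the fix
	Traces  []string // call chains from our code into the vulnerable symbol
}

// ParseGovulncheck parses the text report (not -json) into findings (hypothetical helper).
func ParseGovulncheck(report string) []Finding {
	var findings []Finding
	var cur *Finding
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "Vulnerability #"):
			// "Vulnerability #1: GO-2022-0956" starts a new finding
			findings = append(findings, Finding{})
			cur = &findings[len(findings)-1]
			if i := strings.Index(line, ": "); i >= 0 {
				cur.ID = strings.TrimSpace(line[i+2:])
			}
		case cur == nil:
			// header lines before the first finding ("Scanning your code ...")
		case strings.HasPrefix(line, "Module: "):
			cur.Module = strings.TrimPrefix(line, "Module: ")
		case strings.HasPrefix(line, "Found in: "):
			cur.FoundIn = strings.TrimPrefix(line, "Found in: ")
		case strings.HasPrefix(line, "Fixed in: "):
			cur.FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		case strings.HasPrefix(line, "More info: "), strings.HasPrefix(line, "Example traces found:"):
			// informational lines; nothing to record
		case strings.HasPrefix(line, "#"):
			// "#1: cmd/submit.go:129:23: ..." is a reachability trace
			cur.Traces = append(cur.Traces, line)
		case cur.Summary == "" && line != "":
			// the first free-text line after the header is the summary
			cur.Summary = line
		}
	}
	return findings
}

// versionOf returns the version part of "module@version" ("" if absent).
func versionOf(modAtVer string) string {
	if i := strings.LastIndex(modAtVer, "@"); i >= 0 {
		return modAtVer[i+1:]
	}
	return ""
}

// compareVersions orders vMAJOR.MINOR.PATCH versions numerically; a
// "-prerelease" suffix (as in pseudo-versions) sorts below the bare release.
func compareVersions(a, b string) int {
	aCore, aPre, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	bCore, bPre, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	as, bs := strings.Split(aCore, "."), strings.Split(bCore, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var an, bn int
		if i < len(as) {
			an, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			bn, _ = strconv.Atoi(bs[i])
		}
		if an != bn {
			if an < bn {
				return -1
			}
			return 1
		}
	}
	switch {
	case aPre == "" && bPre != "":
		return 1
	case aPre != "" && bPre == "":
		return -1
	}
	return strings.Compare(aPre, bPre)
}

// RequiredUpgrades maps each affected module to the highest "Fixed in" version
// across its findings, i.e. the minimum version that closes every reported vuln.
func RequiredUpgrades(findings []Finding) map[string]string {
	req := map[string]string{}
	for _, f := range findings {
		ver := versionOf(f.FixedIn)
		if ver == "" {
			continue
		}
		if old, ok := req[f.Module]; !ok || compareVersions(ver, old) > 0 {
			req[f.Module] = ver
		}
	}
	return req
}

func main() {
	findings := ParseGovulncheck(sampleReport)
	for _, f := range findings {
		fmt.Printf("%s: %s (%d reachable trace(s))\n", f.ID, f.Summary, len(f.Traces))
	}
	req := RequiredUpgrades(findings)
	mods := make([]string, 0, len(req))
	for m := range req {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	for _, m := range mods {
		fmt.Printf("upgrade %s to at least %s\n", m, req[m])
	}
}
```

A CI step that exits non-zero when RequiredUpgrades returns a non-empty map is the usual way to turn this into a merge gate; because govulncheck only reports vulnerabilities whose symbols are actually reachable (the traces above run through viper.Viper.ReadInConfig), the gate stays quiet for dependencies the CLI merely links but never calls into.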