Skip to content

[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 #24135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 28, 2025
Merged

[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 #24135

merged 5 commits into from
Mar 28, 2025

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Mar 28, 2025

Motivation

In apache/pulsar, we have an unresolved vulnerability in pulsar-function-go, CVE-2025-22870

Modifications

  • Upgrade dependencies in pulsar-function-go and pulsar-function-go/examples
  • golang.org/x/net requires at least golang 1.23, so that is upgraded
  • pulsar-client-go has been upgraded from 0.8.0 to 0.14.0

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari self-assigned this Mar 28, 2025
Copilot
Copilot AI reviewed Mar 28, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR upgrades the dependencies for pulsar-function-go to mitigate CVE-2025-22870 by updating the Go version and relevant libraries.

  • Updated Go version in the CI workflow from 1.21 to 1.23
  • Upgraded pulsar-client-go from 0.8.0 to 0.14.0 in the broader PR context
Files not reviewed (2)
  • pulsar-function-go/examples/go.mod: Language not supported
  • pulsar-function-go/go.mod: Language not supported

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Mar 28, 2025
@lhotari lhotari changed the title [sec][fn] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 [fix][sec] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 Mar 28, 2025
@lhotari lhotari requested a review from merlimat March 28, 2025 09:14
@codecov-commenter
Copy link

codecov-commenter commented Mar 28, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.20%. Comparing base (bbc6224) to head (0834e5e).
Report is 1001 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #24135      +/-   ##
============================================
+ Coverage     73.57%   74.20%   +0.63%     
+ Complexity    32624    32111     -513     
============================================
  Files          1877     1864      -13     
  Lines        139502   144453    +4951     
  Branches      15299    16479    +1180     
============================================
+ Hits         102638   107192    +4554     
+ Misses        28908    28799     -109     
- Partials       7956     8462     +506
Flag Coverage Δ
inttests 26.64% <ø> (+2.06%) ⬆️
systests 23.18% <ø> (-1.14%) ⬇️
unittests 73.71% <ø> (+0.87%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1070 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@lhotari lhotari merged commit 371020d into apache:master Mar 28, 2025
53 checks passed
lhotari added a commit that referenced this pull request Mar 28, 2025
@lhotari
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
733d37e 
…5-22870 (#24135)

(cherry picked from commit 371020d)
lhotari added a commit that referenced this pull request Mar 28, 2025
@lhotari
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
c14e64e 
…5-22870 (#24135)

(cherry picked from commit 371020d)
lhotari added a commit that referenced this pull request Mar 28, 2025
@lhotari
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
2be02a4 
…5-22870 (#24135)

(cherry picked from commit 371020d)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Apr 3, 2025
@lhotari @nikhil-ctds
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
b953603 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
(cherry picked from commit 2be02a4)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Apr 3, 2025
@lhotari @nikhil-ctds
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
000ee87 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
(cherry picked from commit 733d37e)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Apr 3, 2025
@lhotari @nikhil-ctds
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
fe28e59 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
(cherry picked from commit 2be02a4)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Apr 8, 2025
@lhotari @nikhil-ctds
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
ce3175d 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
(cherry picked from commit 2be02a4)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Apr 8, 2025
@lhotari @srinath-ctds
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
3164e2d 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
(cherry picked from commit 2be02a4)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Apr 11, 2025
@lhotari @srinath-ctds
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
7beefa6 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
(cherry picked from commit 733d37e)
nodece pushed a commit to nodece/pulsar that referenced this pull request Apr 22, 2025
@lhotari @nodece
[fix][sec] Upgrade pulsar-function-go dependencies to address CVE-202…
4a1f99c 
…5-22870 (apache#24135)

(cherry picked from commit 371020d)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@nodece nodece nodece approved these changes

@gaoran10 gaoran10 Awaiting requested review from gaoran10

@wolfstudy wolfstudy Awaiting requested review from wolfstudy

@shibd shibd Awaiting requested review from shibd

@merlimat merlimat Awaiting requested review from merlimat

Assignees

@lhotari lhotari

Labels
area/security cherry-picked/branch-3.0 cherry-picked/branch-3.3 cherry-picked/branch-4.0 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.11 release/3.3.6 release/4.0.4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lhotari @codecov-commenter @nodece