Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package steampipe for openSUSE:Factory checked in at 2026-03-04 21:07:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/steampipe (Old)
 and /work/SRC/openSUSE:Factory/.steampipe.new.561 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "steampipe" Wed Mar 4 21:07:54 2026 rev:17 rq:1336206 version:2.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/steampipe/steampipe.changes 2026-02-24 15:39:57.833809430 +0100 +++ /work/SRC/openSUSE:Factory/.steampipe.new.561/steampipe.changes 2026-03-04 21:08:32.464688297 +0100 @@ -1,0 +2,8 @@ +Mon Mar 02 07:15:59 UTC 2026 - Felix Niederwanger <[email protected]> + +- Update to version 2.4.0: + * v2.4.0 + * Upgrade Go to 1.26, FDW to 2.2.0, SDK to v5.14.0, and golangci-lint to v2 + * Add Claude Code command for fixing Dependabot vulnerabilities (#4927) + +------------------------------------------------------------------- Old: ---- steampipe-2.3.6.obscpio New: ---- steampipe-2.4.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ steampipe.spec ++++++ --- /var/tmp/diff_new_pack.EGlQMQ/_old 2026-03-04 21:08:33.536732598 +0100 +++ /var/tmp/diff_new_pack.EGlQMQ/_new 2026-03-04 21:08:33.536732598 +0100 @@ -17,7 +17,7 @@ Name: steampipe -Version: 2.3.6 +Version: 2.4.0 Release: 0 Summary: Query various APIs and services via SQL language License: AGPL-3.0-only @@ -25,7 +25,7 @@ Source: %{name}-%{version}.tar.gz Source1: vendor.tar.gz BuildRequires: golang-packaging -BuildRequires: golang(API) >= 1.24 +BuildRequires: golang(API) >= 1.26 %{go_nostrip} %description ++++++ _service ++++++ --- /var/tmp/diff_new_pack.EGlQMQ/_old 2026-03-04 21:08:33.612735740 +0100 +++ /var/tmp/diff_new_pack.EGlQMQ/_new 2026-03-04 21:08:33.628736401 +0100 
@@ -2,7 +2,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/turbot/steampipe.git</param> <param name="scm">git</param> - <param name="revision">v2.3.6</param> + <param name="revision">v2.4.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.EGlQMQ/_old 2026-03-04 21:08:33.660737723 +0100 +++ /var/tmp/diff_new_pack.EGlQMQ/_new 2026-03-04 21:08:33.676738384 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/turbot/steampipe.git</param> - <param name="changesrevision">b713a4cdc6a1799531d0f8192713b6b7f6b3725e</param></service></servicedata> + <param name="changesrevision">bb83baeaa9d360b29c59fea9415a0900f45971f7</param></service></servicedata> (No newline at EOF) ++++++ steampipe-2.3.6.obscpio -> steampipe-2.4.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/.claude/commands/fix-vulnerabilities.md new/steampipe-2.4.0/.claude/commands/fix-vulnerabilities.md --- old/steampipe-2.3.6/.claude/commands/fix-vulnerabilities.md 1970-01-01 01:00:00.000000000 +0100 +++ new/steampipe-2.4.0/.claude/commands/fix-vulnerabilities.md 2026-02-27 12:33:35.000000000 +0100 
@@ -0,0 +1,55 @@ +--- +description: Check and fix Dependabot security vulnerabilities +allowed-tools: Bash(gh api:*), Bash(gh release:*), Bash(yarn:*), Bash(go:*), Bash(make:*), Bash(git branch:*), Bash(git checkout:*), Bash(git log:*), Bash(git add:*), Bash(gh pr create:*), Skill(commit), Skill(push) +--- + +Remediate security vulnerabilities reported by Dependabot. Follow these steps: + +## Step 1: Determine the base branch + +1. Get the repository owner/name from `gh repo view --json owner,name` +2. Get the latest release: `gh release list --limit 1` +3. Derive the release branch by replacing the patch version with `x` (e.g., `v1.4.2` → `v1.4.x`) +4. Verify the branch exists: `git branch -r | grep <branch>` + +**Ask the user**: "The latest release is `{tag}` and the release branch is `{branch}`. Should I use this as the base branch, or use `develop` instead?" + +## Step 2: Check for vulnerabilities + +1. Run `gh api repos/{owner}/{repo}/dependabot/alerts --paginate` to list open alerts +2. Filter by state=open and sort by severity (critical/high first) +3. Present a summary table: Alert #, Package, Ecosystem, Severity, CVE, Fix Version + +**Ask the user**: Which vulnerabilities to fix (all high, specific ones, all)? + +## Step 3: Apply fixes + +### For npm dependencies: +1. Check current version: `yarn why <package>` +2. Check existing patterns: `git log --oneline --grep="vulnerab"` +3. Direct deps → update version in `package.json` +4. Transitive deps → add to `resolutions` in `package.json` +5. Run `yarn install` +6. Verify: `yarn why <package>` + +### For Go dependencies: +1. Run `go get <package>@<version>` +2. Run `go mod tidy` + +**Important**: For major version changes, ask user confirmation first. + +## Step 4: Build and test + +1. Go: Run `make` and `go test ./...` +2. npm: Run `yarn build` in the UI directory +3. Report failures before proceeding + +## Step 5: Commit, push, and create PR + +1. 
Checkout base branch and create: `fix/vulnerability-updates-{base-branch}` +2. Stage relevant files only (package.json, yarn.lock, go.mod, go.sum) +3. Use `/commit` with message listing packages, versions, and CVEs +4. Use `/push` to push the branch +5. Create PR: `gh pr create --base {base-branch}` with summary of fixes + +Return the PR URL when done. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/.github/workflows/01-steampipe-release.yaml new/steampipe-2.4.0/.github/workflows/01-steampipe-release.yaml --- old/steampipe-2.3.6/.github/workflows/01-steampipe-release.yaml 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/.github/workflows/01-steampipe-release.yaml 2026-02-27 12:33:35.000000000 +0100 @@ -111,7 +111,7 @@ - name: Set up Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: - go-version: 1.24 + go-version: 1.26 - name: Install GoReleaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/.github/workflows/10-test-lint.yaml new/steampipe-2.4.0/.github/workflows/10-test-lint.yaml --- old/steampipe-2.3.6/.github/workflows/10-test-lint.yaml 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/.github/workflows/10-test-lint.yaml 2026-02-27 12:33:35.000000000 +0100 
@@ -26,16 +26,17 @@ path: pipe-fittings ref: v1.6.x - - name: Set up Go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + # this is required, check golangci-lint-action docs + - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: - go-version: 1.24 + go-version: '1.26' + cache: false # setup-go v4 caches by default, do not change this parameter, check golangci-lint-action doc: https://github.com/golangci/golangci-lint-action/pull/704 - name: golangci-lint - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 continue-on-error: true # we dont want to enforce just yet with: - version: v1.52.2 - args: --timeout=15m --config=.golangci.yml - skip-pkg-cache: true - skip-build-cache: true \ No newline at end of file + version: latest + args: --timeout=10m + working-directory: steampipe + skip-cache: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/.github/workflows/11-test-acceptance.yaml new/steampipe-2.4.0/.github/workflows/11-test-acceptance.yaml --- old/steampipe-2.3.6/.github/workflows/11-test-acceptance.yaml 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/.github/workflows/11-test-acceptance.yaml 2026-02-27 12:33:35.000000000 +0100 @@ -29,7 +29,7 @@ - name: Set up Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: - go-version: 1.24 + go-version: 1.26 - name: Fetching Go Cache Paths id: go-cache-paths 
@@ -127,7 +127,7 @@ - name: Set up Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: - go-version: 1.24 + go-version: 1.26 - name: Prepare for downloads id: prepare-for-downloads diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/.golangci.yml new/steampipe-2.4.0/.golangci.yml --- old/steampipe-2.3.6/.golangci.yml 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/.golangci.yml 2026-02-27 12:33:35.000000000 +0100 @@ -1,20 +1,20 @@ +version: "2" + linters: - disable-all: true + default: none enable: # default rules - errcheck - - gosimple - govet - ineffassign - staticcheck - - typecheck - unused # other rules - asasalint - asciicheck - bidichk + - depguard - durationcheck - - exportloopref - forbidigo - gocritic - gocheckcompilerdirectives 
@@ -25,20 +25,48 @@ - reassign - sqlclosecheck - unconvert + settings: + nolintlint: + require-explanation: true + require-specific: true + + staticcheck: + checks: + - "all" + - "-ST*" # stylecheck: not previously enabled (merged into staticcheck in v2) + - "-QF*" # quickfix suggestions: not previously enabled (merged into staticcheck in v2) + + gosec: + excludes: + - G101 # false positives on non-credential string constants + - G602 # false positives on range loops and safe slice access + - G706 # false positives on logging config/environment values + + forbidigo: + forbid: + - pattern: "^(fmt\\.Print(|f|ln)|print|println)$" + - pattern: "^(fmt\\.Fprint(|f|ln)|print|println)$" + + gocritic: + disabled-checks: + - ifElseChain # style + - singleCaseSwitch # style & it's actually not a bad idea to use single case switch in some cases + - assignOp # style + - commentFormatting # style -linters-settings: - nolintlint: - require-explanation: true - require-specific: true - - gocritic: - disabled-checks: - - ifElseChain # style - - singleCaseSwitch # style & it's actually not a bad idea to use single case switch in some cases - - assignOp # style - - commentFormatting # style + depguard: + rules: + main: + deny: + - pkg: "github.com/pkg/errors" + desc: Should be replaced by standard lib errors package + exclusions: + presets: + - std-error-handling # errcheck: unchecked Close/Remove/print calls + - common-false-positives # gosec: G103, G204, G304 false positives + - legacy # gosec: G104, G301, G302, G307 + paths: + - "tests/acceptance" run: timeout: 5m - skip-dirs: - - "tests/acceptance" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/CHANGELOG.md new/steampipe-2.4.0/CHANGELOG.md --- old/steampipe-2.3.6/CHANGELOG.md 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/CHANGELOG.md 2026-02-27 12:33:35.000000000 +0100 
@@ -1,3 +1,7 @@ +## v2.4.0 [2026-02-27] +_Whats new_ +- Compiled with Go 1.26. + ## v2.3.6 [2026-02-20] _Bug fixes_ - Fix `date` and `timestamptz` display formatting in query results. ([#4450](https://github.com/turbot/steampipe/issues/4450)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/go.mod new/steampipe-2.4.0/go.mod --- old/steampipe-2.3.6/go.mod 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/go.mod 2026-02-27 12:33:35.000000000 +0100 @@ -1,6 +1,6 @@ module github.com/turbot/steampipe/v2 -go 1.24.0 +go 1.26.0 replace ( github.com/c-bata/go-prompt => github.com/turbot/go-prompt v0.2.6-steampipe.0.0.20221028122246-eb118ec58d50 @@ -41,7 +41,7 @@ github.com/thediveo/enumflag/v2 v2.0.7 github.com/turbot/go-kit v1.3.0 github.com/turbot/pipe-fittings/v2 v2.7.3 - github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2 + github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0 github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed github.com/zclconf/go-cty v1.16.3 // indirect golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/go.sum new/steampipe-2.4.0/go.sum --- old/steampipe-2.3.6/go.sum 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/go.sum 2026-02-27 12:33:35.000000000 +0100 
@@ -1262,8 +1262,8 @@ github.com/turbot/pipe-fittings/v2 v2.7.3/go.mod h1:VYqcgGrYDLsGxn1r4dOkkEh5/KDEgJgUU+nf0SAODY0= github.com/turbot/pipes-sdk-go v0.12.1 h1:mF9Z9Mr6F0uqlWjd1mQn+jqT24GPvWDFDrFTvmkazHc= github.com/turbot/pipes-sdk-go v0.12.1/go.mod h1:iQE0ebN74yqiCRrfv7izxVMRcNlZftPWWDPsMFwejt4= -github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2 h1:4SSI20DCC0N3ItU1HGytCaxaekQMKpYuMOySezQ32zQ= -github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2/go.mod h1:qmfaXKt9z+TgUaFoKkKzwZAwYA5h2Mf/3yuoc+P6otY= +github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0 h1:CyufzeM2BMbA2nJRuujucchp9NZ6BEeYA2phhdMXsW4= +github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0/go.mod h1:VHKUVPx29JEHXjuY9Kj/fdabceHdGQB1kaH4Dik/XY8= github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed h1:1ROP+kYJ0vaJu04qpQO5V2PVrUqG7VZmYXzcyP/yDT0= github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed/go.mod h1:QJMOFtDVHtXLCJr6luh4oFgk6dtdCImDh7XbIXxnGsc= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/steampipe-2.3.6/pkg/constants/db.go new/steampipe-2.4.0/pkg/constants/db.go --- old/steampipe-2.3.6/pkg/constants/db.go 2026-02-20 10:26:24.000000000 +0100 +++ new/steampipe-2.4.0/pkg/constants/db.go 2026-02-27 12:33:35.000000000 +0100 @@ -28,7 +28,7 @@ // constants for installing db and fdw images const ( DatabaseVersion = "14.19.0" - FdwVersion = "2.1.5" + FdwVersion = "2.2.0" // PostgresImageRef is the OCI Image ref for the database binaries PostgresImageRef = "ghcr.io/turbot/steampipe/db:14.19.0" ++++++ steampipe.obsinfo ++++++ --- /var/tmp/diff_new_pack.EGlQMQ/_old 2026-03-04 21:08:35.104797404 +0100 +++ /var/tmp/diff_new_pack.EGlQMQ/_new 2026-03-04 21:08:35.124798231 +0100 
@@ -1,5 +1,5 @@ name: steampipe -version: 2.3.6 -mtime: 1771579584 -commit: b713a4cdc6a1799531d0f8192713b6b7f6b3725e +version: 2.4.0 +mtime: 1772192015 +commit: bb83baeaa9d360b29c59fea9415a0900f45971f7 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/steampipe/vendor.tar.gz /work/SRC/openSUSE:Factory/.steampipe.new.561/vendor.tar.gz differ: char 117, line 2
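Review bot: In the frontmatter of `.claude/commands/fix-vulnerabilities.md`, `allowed-tools` pre-approves more than the steps use: `Bash(gh api:*)` covers any endpoint and HTTP method with the operator's token, while Step 2 only reads `repos/{owner}/{repo}/dependabot/alerts`. `Bash(yarn:*)`, `Bash(go:*)` and `Bash(make:*)` likewise pre-approve every subcommand, and Steps 3 and 4 use them to install and build freshly bumped dependencies (`yarn install`, `make`, `go test ./...`), which executes code from those packages without a prompt. Narrow the `gh api` entry to the Dependabot alerts path and consider leaving the install and build commands to prompt. Step 1 also calls `gh repo view`, which none of the listed patterns cover, so either add it or note that a permission prompt is expected there.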
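Review bot: In `.github/workflows/10-test-lint.yaml`, `version: latest` replaces the pinned `version: v1.52.2`, so the linter binary now floats even though the action itself is pinned by commit SHA. Because the step keeps `continue-on-error: true`, a change in linter behaviour between runs will not fail the job and can go unnoticed; pin `version` to the specific v2 release that the migrated `.golangci.yml` was written against. The same hunk moves this workflow to `actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0` while the release and acceptance workflows stay on v6.0.0, and the `cache: false` comment talks about "setup-go v4"; align the version or update the comment so the reason for the downgrade is clear.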
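Review bot: In the second `.golangci.yml` hunk, the new `gosec.excludes` list (G101, G602, G706) and the `exclusions.presets` entries `common-false-positives` and `legacy` switch off gosec findings for the whole repository, including, per the hunk's own comments, G204 and G304. The justification given is false positives, but a global exclude also hides any future true positive for the same rule. Since `nolintlint` is already set to `require-explanation: true` and `require-specific: true`, prefer suppressing at the flagged call sites with an explained `//nolint:gosec` so each exception is visible in review. Minor: `run.timeout: 5m` is kept here while the lint workflow passes `--timeout=10m`, and the two `forbidigo` patterns both repeat `print|println`.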
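Review bot: The new `## v2.4.0` entry in `CHANGELOG.md` lists only "Compiled with Go 1.26", but the same patch bumps `FdwVersion` from `2.1.5` to `2.2.0` in `pkg/constants/db.go` and `github.com/turbot/steampipe-plugin-sdk/v5` from `v5.13.2` to `v5.14.0` in `go.mod`. Both are noted in `steampipe.changes` and should be listed in the changelog as well, since users auditing what changed in the shipped binary read that file. `_Whats new_` is also missing its apostrophe.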
