moonming opened a new pull request, #13679:
URL: https://github.com/apache/apisix/pull/13679

   ### Description
   
   Clears **all 40 open Dependabot alerts**, every one of which is in the test 
tree (`t/`); none affect the shipped runtime.
   
   **1. Remove `t/chaos` (26 alerts — 1 critical + 13 high + 12 medium)**
   
   The Chaos Mesh / etcd chaos suite is no longer referenced by any CI 
workflow, Makefile target, or license config — it is dead code. Its `go.mod` 
pins `k8s.io/client-go v0.17.0` (2019), which drags in a large set of ancient, 
vulnerable transitive Go dependencies (`x/crypto`, `x/net`, `gogo/protobuf`, 
`fasthttp` …) that account for the bulk of the repo's Dependabot noise, 
including the only `critical` alert (`GHSA-v778-237x-gjrc`, `x/crypto` 
`PublicKeyCallback` auth bypass). These deps cannot be bumped in place because 
the old `client-go` pins them. Since the suite is unused and test-only (APISIX 
runtime is Lua/OpenResty), the clean fix is to delete it. A lighter 
dependency-pruning attempt in #13554 left these 26 alerts standing.
   
   **2. Bump `golang.org/x/net` → `v0.55.0` in the two test gRPC modules (2 
alerts)**
   
   `t/plugin/grpc-web` and `t/grpc_server_example`, the first patched release. 
`x/net v0.55.0` requires `go 1.25`, so the two modules' `go` directives move to 
`1.25` and the Go toolchain used to build these test servers is bumped to 
`1.25.1` (`.github/workflows/build.yml` and `ci/redhat-ci.sh`, which pinned the 
2021-era `go1.17`).
   
   **3. Pin vulnerable transitive npm deps via `pnpm.overrides` (12 alerts)**
   
   In `t/package.json`, to the first patched release within the same major 
(avoids breaking the test suite):
   
   | package | was | now |
   |---|---|---|
   | `hono` | 4.11.7 | 4.12.28 (`>=4.12.25`) |
   | `js-yaml` | 3.14.1 | 3.15.0 (`^3.15.0`) |
   | `form-data` | 4.0.5 | 4.0.6 (`^4.0.6`) |
   | `@babel/core` | 7.28.0 | 7.29.7 (`^7.29.6`) |
   
   ### Verification
   
   - `t/grpc_server_example`: `go build ./...` OK, `go mod verify` OK.
   - `t/plugin/grpc-web`: `go.mod`/`go.sum` updated to `x/net v0.55.0`, `go mod 
verify` OK (`go mod tidy` needs the protoc-generated `a6` package, produced at 
CI time).
   - `t/pnpm-lock.yaml` regenerated with pnpm 10.14.0 (the pinned 
`packageManager`); changes are confined to the four subtrees above; 
`lockfileVersion` unchanged.
   - No remaining reference to `t/chaos` anywhere in the repo.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to