Argo Workflows depends on an old version (v1.2.2) of "github.com/gogo/protobuf" with missing tag on GitHub #14015
Labels: go (Pull requests that update Go dependencies), type/dependencies (PRs and issues specific to updating dependencies), type/feature (Feature request)
Summary
Hello,
It seems that the latest version of “argoproj/pkg” depends on a very old version of “k8s.io/api” (v0.17.8), and thus depends on a very old version of “github.com/gogo/protobuf” (v1.2.2).
That ends up with having “argoproj/argo-workflows” depending on a very old version of “github.com/gogo/protobuf” (v1.2.2).
This is a “license” and “traceability” issue as version “github.com/gogo/protobuf” “v1.2.2” does not exist anymore on GitHub as an official tag, so without any official license:
https://github.com/gogo/protobuf/tags
It would be appropriate to upgrade “argoproj/pkg” with a newer “k8s.io/api” version (for example, v0.32.0), so that Argo Workflows only depends on “github.com/gogo/protobuf” (v1.3.2).
Use Cases
Current dependency chains:
https://github.com/argoproj/argo-workflows/blob/main/go.mod =>
github.com/argoproj/pkg v0.13.7-0.20240704113442-a69fd34a8117
https://github.com/argoproj/pkg/blob/master/go.mod =>
k8s.io/api v0.17.8
https://github.com/kubernetes/api/blob/v0.17.8/go.mod =>
github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d
Expected dependency chains:
https://github.com/argoproj/pkg/blob/master/go.mod =>
k8s.io/api v0.32.0
https://github.com/kubernetes/api/blob/v0.32.0/go.mod =>
github.com/gogo/protobuf v1.3.2
Message from the maintainers:
Love this feature request? Give it a 👍. We prioritise the proposals with the most 👍.
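The chain traced by hand in the issue can also be recovered from `go mod graph` output, which lists one "parent child" requirement per line. The Go program below is an added example, not part of the original issue or of any Argo code; the graph is a constructed sample built from the versions quoted above, the root module path `github.com/argoproj/argo-workflows/v3` is an assumption, and `WhyRequired`, `sampleGraph` and `oldGogo` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format; not real command output.
const sampleGraph = `github.com/argoproj/argo-workflows/v3 github.com/argoproj/pkg@v0.13.7-0.20240704113442-a69fd34a8117
github.com/argoproj/argo-workflows/v3 k8s.io/api@v0.32.0
k8s.io/api@v0.32.0 github.com/gogo/protobuf@v1.3.2
github.com/argoproj/pkg@v0.13.7-0.20240704113442-a69fd34a8117 k8s.io/api@v0.17.8
k8s.io/api@v0.17.8 github.com/gogo/protobuf@v1.2.2-0.20190723190241-65acae22fc9d
`
const oldGogo = "github.com/gogo/protobuf@v1.2.2-0.20190723190241-65acae22fc9d"

// WhyRequired returns the shortest requirement chain from the main module to target, or nil.
func WhyRequired(graph, target string) []string {
	edges, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		if !strings.Contains(f[0], "@") {
			root = f[0] // the main module is the only entry without @version
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	// Breadth-first search from the root, recording which module required each one.
	prev, queue := map[string]string{root: ""}, []string{root}
	for i := 0; i < len(queue); i++ {
		for _, c := range edges[queue[i]] {
			if _, seen := prev[c]; !seen {
				prev[c] = queue[i]
				queue = append(queue, c)
			}
		}
	}
	if _, found := prev[target]; !found {
		return nil
	}
	var path []string
	for n := target; n != ""; n = prev[n] {
		path = append([]string{n}, path...)
	}
	return path
}

func main() {
	fmt.Println(strings.Join(WhyRequired(sampleGraph, oldGogo), "\n  => "))
}
```

On a real checkout, pass the output of `go mod graph` as the first argument instead of the sample.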