diff --git a/.claude/commands/fix-vulnerabilities.md b/.claude/commands/fix-vulnerabilities.md
new file mode 100644
index 000000000..ef8b62c0a
--- /dev/null
+++ b/.claude/commands/fix-vulnerabilities.md
@@ -0,0 +1,55 @@
+---
+description: Check and fix Dependabot security vulnerabilities
+allowed-tools: Bash(gh api:*), Bash(gh release:*), Bash(yarn:*), Bash(go:*), Bash(make:*), Bash(git branch:*), Bash(git checkout:*), Bash(git log:*), Bash(git add:*), Bash(gh pr create:*), Skill(commit), Skill(push)
+---
+
+Remediate security vulnerabilities reported by Dependabot. Follow these steps:
+
+## Step 1: Determine the base branch
+
+1. Get the repository owner/name from `gh repo view --json owner,name`
+2. Get the latest release: `gh release list --limit 1`
+3. Derive the release branch by replacing the patch version with `x` (e.g., `v1.4.2` → `v1.4.x`)
+4. Verify the branch exists: `git branch -r | grep `
+
+**Ask the user**: "The latest release is `{tag}` and the release branch is `{branch}`. Should I use this as the base branch, or use `develop` instead?"
+
+## Step 2: Check for vulnerabilities
+
+1. Run `gh api repos/{owner}/{repo}/dependabot/alerts --paginate` to list open alerts
+2. Filter by state=open and sort by severity (critical/high first)
+3. Present a summary table: Alert #, Package, Ecosystem, Severity, CVE, Fix Version
+
+**Ask the user**: Which vulnerabilities to fix (all high, specific ones, all)?
+
+## Step 3: Apply fixes
+
+### For npm dependencies:
+1. Check current version: `yarn why `
+2. Check existing patterns: `git log --oneline --grep="vulnerab"`
+3. Direct deps → update version in `package.json`
+4. Transitive deps → add to `resolutions` in `package.json`
+5. Run `yarn install`
+6. Verify: `yarn why `
+
+### For Go dependencies:
+1. Run `go get @`
+2. Run `go mod tidy`
+
+**Important**: For major version changes, ask user confirmation first.
+
+## Step 4: Build and test
+
+1. Go: Run `make` and `go test ./...`
+2. npm: Run `yarn build` in the UI directory
+3. Report failures before proceeding
+
+## Step 5: Commit, push, and create PR
+
+1. Checkout base branch and create: `fix/vulnerability-updates-{base-branch}`
+2. Stage relevant files only (package.json, yarn.lock, go.mod, go.sum)
+3. Use `/commit` with message listing packages, versions, and CVEs
+4. Use `/push` to push the branch
+5. Create PR: `gh pr create --base {base-branch}` with summary of fixes
+
+Return the PR URL when done.
diff --git a/.github/workflows/01-steampipe-release.yaml b/.github/workflows/01-steampipe-release.yaml
index 8e3d77bf4..937ebe903 100644
--- a/.github/workflows/01-steampipe-release.yaml
+++ b/.github/workflows/01-steampipe-release.yaml
@@ -111,7 +111,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
- go-version: 1.24
+ go-version: 1.26
 - name: Install GoReleaser
 uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
diff --git a/.github/workflows/10-test-lint.yaml b/.github/workflows/10-test-lint.yaml
index ac417c355..394097739 100644
--- a/.github/workflows/10-test-lint.yaml
+++ b/.github/workflows/10-test-lint.yaml
@@ -26,16 +26,17 @@ jobs:
 path: pipe-fittings
 ref: v1.6.x
- - name: Set up Go
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ # this is required, check golangci-lint-action docs
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
- go-version: 1.24
+ go-version: '1.26'
+ cache: false # setup-go v4 caches by default, do not change this parameter, check golangci-lint-action doc: https://github.com/golangci/golangci-lint-action/pull/704
 - name: golangci-lint
- uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+ uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 continue-on-error: true # we dont want to enforce just yet
 with:
- version: v1.52.2
- args: --timeout=15m --config=.golangci.yml
- skip-pkg-cache: true
- skip-build-cache: true
\ No newline at end of file
+ version: latest
+ args: --timeout=10m
+ working-directory: steampipe
+ skip-cache: true
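Review bot: The `allowed-tools` list in the front matter does not cover `gh repo view --json owner,name`, which Step 1 runs first (only `gh api`, `gh release` and `gh pr create` are granted), so the command will stop for approval or fail at its first step; add `Bash(gh repo view:*)`. The `grep` half of `git branch -r | grep` in Step 1.4 has the same gap if each segment of a pipeline is checked separately, which I cannot confirm from here. Conversely `Bash(yarn:*)` and `Bash(go:*)` pre-approve every subcommand of those tools while the procedure only needs `yarn why`, `yarn install`, `yarn build`, `go get`, `go mod tidy` and `go test`; granting those specifically (e.g. `Bash(yarn install:*)`) keeps the unattended approval as narrow as the steps, which matters because `yarn install` on a freshly edited `package.json` can run install scripts from whatever versions resolve. The arguments after `grep`, `yarn why` and `go get` render as empty here, possibly angle-bracket placeholders lost in copying; worth confirming the committed file still has them.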
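Review bot: `version: latest` on the golangci-lint step makes the lint toolchain an unpinned, network-resolved dependency that can differ between two runs of the same commit, which contradicts the commit-SHA pinning kept on every `uses:` line in this hunk; pin it to the release the new `.golangci.yml` was validated with, e.g. `version: vX.Y.Z` (placeholder for the tested version). With `continue-on-error: true` still set on the step, a newer release that changes what is reported or rejects the config would go unnoticed. The `actions/setup-go` pin also moves from the v6.0.0 SHA to a v5.4.0 SHA while `01-steampipe-release.yaml` and `11-test-acceptance.yaml` in this same commit stay on v6.0.0; if the downgrade exists only to pass `cache: false`, that input is presumably accepted by v6 as well, so the `# this is required, check golangci-lint-action docs` comment should state what actually requires the older major.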
diff --git a/.github/workflows/11-test-acceptance.yaml b/.github/workflows/11-test-acceptance.yaml
index a3dca6180..f93a8f460 100644
--- a/.github/workflows/11-test-acceptance.yaml
+++ b/.github/workflows/11-test-acceptance.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
- go-version: 1.24
+ go-version: 1.26
 - name: Fetching Go Cache Paths
 id: go-cache-paths
@@ -127,7 +127,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
- go-version: 1.24
+ go-version: 1.26
 - name: Prepare for downloads
 id: prepare-for-downloads
diff --git a/.golangci.yml b/.golangci.yml
index 5c9b05b15..fc35940c3 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,20 +1,20 @@
+version: "2"
+
 linters:
- disable-all: true
+ default: none
 enable:
 # default rules
 - errcheck
- - gosimple
 - govet
 - ineffassign
 - staticcheck
- - typecheck
 - unused
 # other rules
 - asasalint
 - asciicheck
 - bidichk
+ - depguard
 - durationcheck
- - exportloopref
 - forbidigo
 - gocritic
 - gocheckcompilerdirectives
@@ -25,20 +25,48 @@ linters:
 - reassign
 - sqlclosecheck
 - unconvert
+ settings:
+ nolintlint:
+ require-explanation: true
+ require-specific: true
-linters-settings:
- nolintlint:
- require-explanation: true
- require-specific: true
+ staticcheck:
+ checks:
+ - "all"
+ - "-ST*" # stylecheck: not previously enabled (merged into staticcheck in v2)
+ - "-QF*" # quickfix suggestions: not previously enabled (merged into staticcheck in v2)
- gocritic:
- disabled-checks:
- - ifElseChain # style
- - singleCaseSwitch # style & it's actually not a bad idea to use single case switch in some cases
- - assignOp # style
- - commentFormatting # style
+ gosec:
+ excludes:
+ - G101 # false positives on non-credential string constants
+ - G602 # false positives on range loops and safe slice access
+ - G706 # false positives on logging config/environment values
+
+ forbidigo:
+ forbid:
+ - pattern: "^(fmt\\.Print(|f|ln)|print|println)$"
+ - pattern: "^(fmt\\.Fprint(|f|ln)|print|println)$"
+
+ gocritic:
+ disabled-checks:
+ - ifElseChain # style
+ - singleCaseSwitch # style & it's actually not a bad idea to use single case switch in some cases
+ - assignOp # style
+ - commentFormatting # style
+
+ depguard:
+ rules:
+ main:
+ deny:
+ - pkg: "github.com/pkg/errors"
+ desc: Should be replaced by standard lib errors package
+ exclusions:
+ presets:
+ - std-error-handling # errcheck: unchecked Close/Remove/print calls
+ - common-false-positives # gosec: G103, G204, G304 false positives
+ - legacy # gosec: G104, G301, G302, G307
+ paths:
+ - "tests/acceptance"
 run:
 timeout: 5m
- skip-dirs:
- - "tests/acceptance"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 560581f1c..3d4c16dcc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## v2.4.0 [2026-02-27]
+_Whats new_
+- Compiled with Go 1.26.
+
 ## v2.3.6 [2026-02-20]
 _Bug fixes_
 - Fix `date` and `timestamptz` display formatting in query results. ([#4450](https://github.com/turbot/steampipe/issues/4450))
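Review bot: The `gosec.excludes` entry `G101` switches off the hardcoded-credential check for the whole repository, and the `legacy` preset under `exclusions.presets` does the same for the file and directory permission checks G301 and G302 named in its own comment; a repo-wide exclusion means a real secret or an over-permissive file created later is never reported. Since `nolintlint` is configured with `require-explanation` and `require-specific` in this same hunk, the false positives the comments describe can instead be silenced at each site with `//nolint:gosec // <reason>` and the global excludes dropped, or at least narrowed to path or text matches under `exclusions.rules`. These `gosec` settings only take effect if `gosec` appears in `linters.enable`; neither hunk shows it (old lines 21–24 fall between them and are outside the diff), so confirm it is enabled, otherwise the whole block is inert.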
diff --git a/go.mod b/go.mod
index d479a9d77..b96448876 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/turbot/steampipe/v2
-go 1.24.0
+go 1.26.0
 replace (
 github.com/c-bata/go-prompt => github.com/turbot/go-prompt v0.2.6-steampipe.0.0.20221028122246-eb118ec58d50
@@ -41,7 +41,7 @@ require (
 github.com/thediveo/enumflag/v2 v2.0.7
 github.com/turbot/go-kit v1.3.0
 github.com/turbot/pipe-fittings/v2 v2.7.3
- github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2
+ github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0
 github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed
 github.com/zclconf/go-cty v1.16.3 // indirect
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
diff --git a/go.sum b/go.sum
index f120305e4..5bb0c2a2d 100644
--- a/go.sum
+++ b/go.sum
@@ -1262,8 +1262,8 @@ github.com/turbot/pipe-fittings/v2 v2.7.3 h1:DacY/pc8zERJYXszkomJCOi1YDK3e2chJ1H
 github.com/turbot/pipe-fittings/v2 v2.7.3/go.mod h1:VYqcgGrYDLsGxn1r4dOkkEh5/KDEgJgUU+nf0SAODY0=
 github.com/turbot/pipes-sdk-go v0.12.1 h1:mF9Z9Mr6F0uqlWjd1mQn+jqT24GPvWDFDrFTvmkazHc=
 github.com/turbot/pipes-sdk-go v0.12.1/go.mod h1:iQE0ebN74yqiCRrfv7izxVMRcNlZftPWWDPsMFwejt4=
-github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2 h1:4SSI20DCC0N3ItU1HGytCaxaekQMKpYuMOySezQ32zQ=
-github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2/go.mod h1:qmfaXKt9z+TgUaFoKkKzwZAwYA5h2Mf/3yuoc+P6otY=
+github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0 h1:CyufzeM2BMbA2nJRuujucchp9NZ6BEeYA2phhdMXsW4=
+github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0/go.mod h1:VHKUVPx29JEHXjuY9Kj/fdabceHdGQB1kaH4Dik/XY8=
 github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed h1:1ROP+kYJ0vaJu04qpQO5V2PVrUqG7VZmYXzcyP/yDT0=
 github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed/go.mod h1:QJMOFtDVHtXLCJr6luh4oFgk6dtdCImDh7XbIXxnGsc=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
diff --git a/pkg/constants/db.go b/pkg/constants/db.go
index 74118bbab..92b4644cc 100644
--- a/pkg/constants/db.go
+++ b/pkg/constants/db.go
@@ -28,7 +28,7 @@ const (
 // constants for installing db and fdw images
 const (
 DatabaseVersion = "14.19.0"
- FdwVersion = "2.1.5"
+ FdwVersion = "2.2.0"
 // PostgresImageRef is the OCI Image ref for the database binaries
 PostgresImageRef = "ghcr.io/turbot/steampipe/db:14.19.0"