Fix CVEs: upgrade go-gh v2 and cli/cli v2 #112
Conversation
Pull request overview
This PR upgrades vulnerable CLI dependencies to address multiple CVEs, updating both go-gh (v1.2.1 → v2.11.1) and cli/cli (v2.24.3 → v2.63.1). The changes include migrating import paths to the v2 module, updating API usage to accommodate breaking changes (RESTClient now returns a pointer type), and fixing URL formatting issues revealed by stricter compiler checks.
Key changes:
- Dependency upgrades to fix CVE-2024-53859, CVE-2024-54132, CVE-2024-52308, and CVE-2024-53858
- Migration of all imports from `github.com/cli/go-gh` to `github.com/cli/go-gh/v2`
- API changes: `gh.RESTClient(nil)` → `api.DefaultRESTClient()`, returning `*api.RESTClient`
- URL helper fixes in classroom.go to use proper string formatting
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updated dependency versions and Go version requirements |
| go.sum | Updated checksums for new dependency versions |
| pkg/classroom/http.go | Changed RESTClient parameter types from value to pointer |
| pkg/classroom/http_test.go | Updated to use api.DefaultRESTClient() |
| pkg/classroom/classroom.go | Fixed URL formatting to eliminate unnecessary fmt.Sprintf calls |
| cmd/gh-classroom//.go | Updated imports and client initialization across all command files |
smashwilson
left a comment
All the changes look fairly rote to me 👍🏻 . As long as the tests are green this should do it.
@smashwilson Also did some manual testing to be sure, but it was pretty straightforward.
Updates vulnerable CLI dependencies and keeps the project building:

- Upgrade github.com/cli/go-gh to v2.11.1 (CVE-2024-53859) and migrate imports/API usage to go-gh/v2
- Upgrade github.com/cli/cli/v2 to v2.63.1 (covers CVE-2024-54132 and CVE-2024-52308; also above the fixed boundary for CVE-2024-53858)
- Minor URL helper tweak to satisfy go vet after dependency upgrades

Validation: go test ./...