Skip to content

fix(deps): bump golang.org/x/crypto and migrate yaml.v3 to maintained fork#3009

Merged
omer-topal merged 1 commit into
Permify:masterfrom
jeremylem:fix/security-deps-x-crypto-yaml
Jul 2, 2026
Merged

fix(deps): bump golang.org/x/crypto and migrate yaml.v3 to maintained fork#3009
omer-topal merged 1 commit into
Permify:masterfrom
jeremylem:fix/security-deps-x-crypto-yaml

Conversation

@jeremylem

@jeremylem jeremylem commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR resolves two security findings reported by container image scanners against the v1.7.1 release:

  1. CVEs in golang.org/x/crypto v0.51.0 β€” all in the ssh subpackage. Bumped to v0.53.0 (latest as of 2026-06-19), which contains the upstream fixes (GO-2026-5005, 5006, 5013, 5014, 5015, 5016, 5017, 5018, 5019, 5020, 5021, 5023, 5033).
  2. gopkg.in/yaml.v3 v3.0.1 end-of-life β€” the upstream go-yaml/yaml repository was archived in April 2024 and will not receive further patches. Migrated the two runtime imports to go.yaml.in/yaml/v3 v3.0.4, the actively maintained community successor that was already present in this repo as an indirect dependency.

Changes

  • go.mod / go.sum: bump golang.org/x/crypto to v0.53.0; promote go.yaml.in/yaml/v3 from indirect to direct require; drop the direct require on gopkg.in/yaml.v3. Routine go mod tidy also bumps golang.org/x/sync, sys, term, text, and tools to current patch versions.
  • pkg/development/file/decoder.go and pkg/development/development.go: swap the yaml import path. No API or behaviour changes β€” go.yaml.in/yaml/v3 is a drop-in replacement that exports the same yaml.Marshal / yaml.Unmarshal.

Note: gopkg.in/yaml.v3 still appears as // indirect in go.mod because golangci-lint (a build-time developer tool) transitively requires it. It is not in the production binary's call graph.

Verification

Check Result
go build ./cmd/permify ok
go vet ./... ok
go test ./pkg/development/... ok
govulncheck ./cmd/permify (source mode) No vulnerabilities found
govulncheck -mode=binary against the resulting binary No vulnerabilities found

Before this change, govulncheck reported 13 SSH-subpackage vulnerabilities present in the binary (none reachable from main per source-mode analysis, but still flagged by container scanners). After this change, both modes return clean.

Compatibility

  • go.yaml.in/yaml/v3 v3.0.x has the same public API as gopkg.in/yaml.v3 v3.0.x β€” the migration is a straight import-path rename, no code adjustments needed.
  • golang.org/x/crypto v0.53.0 is API-compatible with v0.51.0.

Summary by CodeRabbit

  • Chores
    • Updated Go module dependencies including security, cryptography, and system-level libraries to their latest versions.
    • Migrated YAML library implementation for improved compatibility and long-term maintenance.

… fork

Resolves SSH-subpackage CVEs in golang.org/x/crypto and removes the runtime
dependency on the archived gopkg.in/yaml.v3 module.

Changes:
- golang.org/x/crypto v0.51.0 -> v0.53.0 (indirect, fixes GO-2026-5005,
  5006, 5013, 5014, 5015, 5016, 5017, 5018, 5019, 5020, 5021, 5023, 5033)
- gopkg.in/yaml.v3 v3.0.1 -> go.yaml.in/yaml/v3 v3.0.4: migrate the two
  runtime imports in pkg/development/file/decoder.go and
  pkg/development/development.go to the maintained successor module.

The previous module path gopkg.in/yaml.v3 was archived upstream in
April 2024 and will not receive future patches. go.yaml.in/yaml/v3 is
the actively maintained community fork and was already present as an
indirect dependency in this repo.

Verification:
- go build ./cmd/permify: ok
- go vet ./...: ok
- go test ./pkg/development/...: ok
- govulncheck ./cmd/permify (source mode): No vulnerabilities found
- govulncheck -mode=binary on the resulting binary: No vulnerabilities found
@github-actions

github-actions Bot commented Jun 19, 2026

Copy link
Copy Markdown

All contributors have signed the CLA ✍️ βœ…
Posted by the CLA Assistant Lite bot.

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. πŸŽ‰

ℹ️ Recent review info
βš™οΈ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7896e0aa-de96-48a3-ad7d-e1280cd07427

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between aa3a7c6 and 5720e90.

β›” Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
πŸ“’ Files selected for processing (3)
  • go.mod
  • pkg/development/development.go
  • pkg/development/file/decoder.go

πŸ“ Walkthrough

Walkthrough

Two source files (pkg/development/development.go and pkg/development/file/decoder.go) replace their YAML v3 import path from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3. Correspondingly, go.mod promotes go.yaml.in/yaml/v3 to a direct dependency and bumps several golang.org/x/* indirect packages.

Changes

YAML library migration and dependency bump

Layer / File(s) Summary
YAML import path change in source files
pkg/development/development.go, pkg/development/file/decoder.go
Both files replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3; marshal/unmarshal call sites are unchanged.
go.mod: direct YAML dependency and x/* version bumps
go.mod
go.yaml.in/yaml/v3 is promoted from indirect to direct; golang.org/x/sync, mod, term, crypto, sys, text, and tools are bumped; gopkg.in/yaml.v3 is moved to a later require block as indirect.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

πŸ‡ Hippity hop, a new YAML path,
From gopkg.in down a different math,
go.yaml.in is where we now roam,
With x/crypto and friends finding home.
The module is tidy, the rabbit delights β€”
Updated deps shine like carrots at night! πŸ₯•

πŸš₯ Pre-merge checks | βœ… 5
βœ… Passed checks (5 passed)
Check name Status Explanation
Description Check βœ… Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check βœ… Passed The title directly matches the main changes: bumping golang.org/x/crypto and migrating yaml.v3 to the maintained fork go.yaml.in/yaml/v3, addressing security vulnerabilities and dependency maintenance issues.
Docstring Coverage βœ… Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check βœ… Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check βœ… Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@jeremylem

Copy link
Copy Markdown
Contributor Author

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request Jun 19, 2026
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

βœ… All modified and coverable lines are covered by tests.
βœ… Project coverage is 74.66%. Comparing base (f51ca16) to head (5720e90).
⚠️ Report is 7 commits behind head on master.

❌ Your project check has failed because the head coverage (74.66%) is below the target coverage (75.00%). You can increase the head coverage or adjust the target coverage.

❗ There is a different number of reports uploaded between BASE (f51ca16) and HEAD (5720e90). Click for more details.

HEAD has 2 uploads less than BASE
Flag BASE (f51ca16) HEAD (5720e90)
3 1
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3009      +/-   ##
==========================================
- Coverage   82.58%   74.66%   -7.92%     
==========================================
  Files          74       83       +9     
  Lines        8300     9212     +912     
==========================================
+ Hits         6854     6877      +23     
- Misses        910     1799     +889     
  Partials      536      536              

β˜” View full report in Codecov by Harness.
πŸ“’ Have feedback on the report? Share it here.

πŸš€ New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • πŸ“¦ JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@omer-topal omer-topal merged commit 9277c58 into Permify:master Jul 2, 2026
10 of 13 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 2, 2026
@omer-topal

Copy link
Copy Markdown
Contributor

Thanks for the contribution @jeremylem!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants