Merge pull request #348 from decentral1se/update-deps

chore: update deps / dependabot / go 1.17 requirement
2022-11-08 15:56:13 +01:00 · 2022-11-08 15:56:13 +01:00 · f1645cd0f6
parent 00a1452cfc bf3a7a61bf
commit f1645cd0f6
8 changed files with 846 additions and 157 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -25,8 +25,8 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2
      with:
-        go-version: 1.16
-    
+        go-version: 1.17
+
    - name: Get dependencies
      run: go get -v -t -d ./...

@ -54,4 +54,3 @@ jobs:
      with:
        commit_message: update production style.css
        file_pattern: web/assets/style.css
-
--- a/2
+++ b/2
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Unlicense

-FROM golang:1.16-alpine
+FROM golang:1.17-alpine

 RUN apk add --no-cache \
      build-base \
--- a/docs/deployment.md
+++ b/docs/deployment.md
@ -22,7 +22,7 @@ After running `sudo dpkg -i go-ssb-room_v1.2.3_Linux_x86_64.deb` pay special att

 ## Creating a build

-* [Download Go](https://golang.org/doc/install) & [set up your Go environment](https://golang.org/doc/install#install). You will need at least Go v1.16.
+* [Download Go](https://golang.org/doc/install) & [set up your Go environment](https://golang.org/doc/install#install). You will need at least Go v1.17.
 * Download the repository `git clone git@github.com:ssbc/go-ssb-room.git && cd go-ssb-room`
 * [Follow the development instructions](./development.md)
 * You should now have a working go-ssb-room binary! Read the HTTP Hosting section below and admin
@ -163,6 +163,8 @@ If you installed the Debian package, you will first need to install Go to build
 sudo apt-get install golang-go
 ```

+(**WARNING**: please check that `golang-go` is >= 1.17 and if not, you may need to use the [official installation documentation](https://go.dev/dl/) instead. `go-ssb-room` requires at least Go 1.17.)
+
 In a new terminal window navigate to the insert-user utility folder and compile the GO-based utility into an executable your computer can use

 ```
--- a/docs/development.md
+++ b/docs/development.md
@ -6,7 +6,7 @@ SPDX-License-Identifier: CC0-1.0

 ## Development notes

-To get started, you need a recent version of [Go](https://golang.org). v1.16 and onward should be sufficient.
+To get started, you need a recent version of [Go](https://golang.org). v1.17 and onward should be sufficient.

 Also, if you want to develop the CSS and HTML on the website, you need Node.js v14 in order to compile Tailwind.

--- a/go.mod
+++ b/go.mod
@ -7,54 +7,55 @@ module github.com/ssbc/go-ssb-room/v2
 go 1.16

 require (
-	github.com/BurntSushi/toml v0.3.1
-	github.com/PuerkitoBio/goquery v1.5.0
+	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.2.1
+	github.com/PuerkitoBio/goquery v1.8.0
 	github.com/dustin/go-humanize v1.0.0
 	github.com/friendsofgo/errors v0.9.2
+	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/gofrs/uuid v4.0.0+incompatible // indirect
-	github.com/gorilla/csrf v1.7.0
+	github.com/gomodule/redigo v2.0.0+incompatible // indirect
+	github.com/gorilla/csrf v1.7.1
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/securecookie v1.1.1
 	github.com/gorilla/sessions v1.2.1
-	github.com/gorilla/websocket v1.4.2
-	github.com/mattevans/pwned-passwords v0.3.0
-	github.com/mattn/go-sqlite3 v2.0.3+incompatible
+	github.com/gorilla/websocket v1.5.0
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/mattevans/pwned-passwords v0.6.0
+	github.com/mattn/go-sqlite3 v1.14.16
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0
-	github.com/mileusna/useragent v1.0.2
-	github.com/nicksnyder/go-i18n/v2 v2.1.2
+	github.com/mileusna/useragent v1.2.1
+	github.com/nicksnyder/go-i18n/v2 v2.2.0
+	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pkg/errors v0.9.1
-	github.com/rubenv/sql-migrate v0.0.0-20200616145509-8d140a17f351
+	github.com/rubenv/sql-migrate v1.2.0
 	github.com/russross/blackfriday/v2 v2.1.0
+	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/ssbc/go-muxrpc/v2 v2.0.14-0.20221020091224-b09bdf60812f
 	github.com/ssbc/go-netwrap v0.1.5-0.20221019160355-cd323bb2e29d
 	github.com/ssbc/go-secretstream v1.2.11-0.20221019175226-fa042d4912fe
 	github.com/ssbc/go-ssb-refs v0.5.2-0.20221019090322-8b558c2f31de
-	github.com/stretchr/testify v1.8.0
-	github.com/throttled/throttled/v2 v2.7.1
-	github.com/unrolled/secure v1.0.8
+	github.com/stretchr/testify v1.8.1
+	github.com/throttled/throttled/v2 v2.9.1
+	github.com/unrolled/secure v1.13.0
 	github.com/vcraescu/go-paginator/v2 v2.0.0
-	github.com/volatiletech/sqlboiler/v4 v4.5.0
-	github.com/volatiletech/strmangle v0.0.1
+	github.com/volatiletech/sqlboiler/v4 v4.13.0
+	github.com/volatiletech/strmangle v0.0.4
 	go.cryptoscope.co/nocomment v0.0.0-20210520094614-fb744e81f810
 	go.mindeco.de v1.12.0
-	golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/text v0.3.5
-	golang.org/x/tools v0.1.1
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	golang.org/x/crypto v0.1.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/text v0.4.0
+	golang.org/x/tools v0.1.12
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	gorm.io/gorm v1.24.1 // indirect
 )

 exclude go.cryptoscope.co/ssb v0.0.0-20201207161753-31d0f24b7a79

-// We need our internal/extra25519 since agl pulled his repo recently.
-// Issue: https://github.com/cryptoscope/ssb/issues/44
-// Ours uses a fork of x/crypto where edwards25519 is not an internal package,
-// This seemed like the easiest change to port agl's extra25519 to use x/crypto
-// Background: https://github.com/agl/ed25519/issues/27#issuecomment-591073699
-// The branch in use: https://github.com/cryptix/golang_x_crypto/tree/non-internal-edwards
-replace golang.org/x/crypto => github.com/cryptix/golang_x_crypto v0.0.0-20200924101112-886946aabeb8
-
 // https://github.com/rubenv/sql-migrate/pull/189
 // and using branch 'drop-other-drivers' for less dependency pollution (oracaldb and the like)
 replace github.com/rubenv/sql-migrate => github.com/cryptix/go-sql-migrate v0.0.0-20210521142015-a3e4d9974764
--- a/go.sum
+++ b/go.sum
--- a/web/handlers/members_password.go
+++ b/web/handlers/members_password.go
@ -46,10 +46,13 @@ func newMembersHandler(devMode bool, r *render.Renderer, urlTo web.URLMaker, fh
 		}
 	} else {
 		// Init the have-i-been-pwned client for insecure password checks.
-		const storeExpiry = 1 * time.Hour
-		hibpClient := hibp.NewClient(storeExpiry)
+		httpClient := http.DefaultClient
+		httpClient.Timeout = 1 * time.Hour

-		mh.leakedLookup = hibpClient.Pwned.Compromised
+		hibpClient := hibp.NewClient()
+		hibpClient.SetHTTPClient(httpClient)
+
+		mh.leakedLookup = hibpClient.Compromised
 	}

 	return mh