From 257ff092c2a4496e6f5f4d64ed24e3e24244570e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 May 2026 19:49:16 +0000 Subject: [PATCH] Bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 Bumps [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/Masterminds/semver/releases) - [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md) - [Commits](https://github.com/Masterminds/semver/compare/v3.4.0...v3.5.0) --- updated-dependencies: - dependency-name: github.com/Masterminds/semver/v3 dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 +- .../Masterminds/semver/v3/.gitignore | 3 +- .../Masterminds/semver/v3/.golangci.yml | 55 +++++++---- .../Masterminds/semver/v3/constraints.go | 94 ++++++++++++------- .../Masterminds/semver/v3/version.go | 39 +++++++- vendor/modules.txt | 2 +- 7 files changed, 137 insertions(+), 62 deletions(-) diff --git a/go.mod b/go.mod index 13c1ec64f6..3ad1e6ddff 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.25.8 require ( github.com/ActiveState/vt10x v1.3.1 github.com/AlecAivazis/survey/v2 v2.3.7 - github.com/Masterminds/semver/v3 v3.4.0 + github.com/Masterminds/semver/v3 v3.5.0 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 github.com/blang/semver v3.5.1+incompatible github.com/cpuguy83/go-md2man v1.0.10 diff --git a/go.sum b/go.sum index 5f43203440..ef7403197b 100644 --- a/go.sum +++ b/go.sum @@ -77,8 +77,8 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapp github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc= github.com/IBM/sarama v1.45.2 h1:8m8LcMCu3REcwpa7fCP6v2fuPuzVwXDAM2DOv3CBrKw= github.com/IBM/sarama v1.45.2/go.mod h1:ppaoTcVdGv186/z6MEKsMm70A5fwJfRTpstI37kVn3Y= -github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= -github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE= +github.com/Masterminds/semver/v3 v3.5.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= diff --git a/vendor/github.com/Masterminds/semver/v3/.gitignore b/vendor/github.com/Masterminds/semver/v3/.gitignore index 6b061e6174..35f0e5a3a4 100644 --- a/vendor/github.com/Masterminds/semver/v3/.gitignore +++ b/vendor/github.com/Masterminds/semver/v3/.gitignore @@ -1 +1,2 @@ -_fuzz/ \ No newline at end of file +_fuzz/ +.devcontainer/ \ No newline at end of file diff --git a/vendor/github.com/Masterminds/semver/v3/.golangci.yml b/vendor/github.com/Masterminds/semver/v3/.golangci.yml index fbc6332592..24277f3aca 100644 --- a/vendor/github.com/Masterminds/semver/v3/.golangci.yml +++ b/vendor/github.com/Masterminds/semver/v3/.golangci.yml @@ -1,27 +1,42 @@ -run: - deadline: 2m - +version: "2" linters: - disable-all: true + default: none enable: - - misspell - - govet - - staticcheck + - dupl - errcheck - - unparam + - gocyclo + - gosec + - govet - ineffassign + - misspell - nakedret - - gocyclo - - dupl - - goimports - revive - - gosec - - gosimple - - typecheck + - staticcheck + - unparam - unused - -linters-settings: - gofmt: - simplify: true - dupl: - threshold: 600 + settings: + dupl: + threshold: 600 + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - goimports + settings: + gofmt: + simplify: true + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/vendor/github.com/Masterminds/semver/v3/constraints.go b/vendor/github.com/Masterminds/semver/v3/constraints.go index 8b7a10f836..e8353bc469 100644 --- a/vendor/github.com/Masterminds/semver/v3/constraints.go +++ b/vendor/github.com/Masterminds/semver/v3/constraints.go @@ -21,21 +21,43 @@ type Constraints struct { IncludePrerelease bool } +// MaxConstraintLen is the maximum allowed length of a constraint string. +const MaxConstraintLen = 512 + +// MaxConstraintGroups is the maximum number of OR groups allowed in a +// constraint string. +const MaxConstraintGroups = 32 + +// ErrConstraintTooLong is returned when a constraint string exceeds the +// maximum allowed length. +var ErrConstraintTooLong = fmt.Errorf("constraint string is too long (max %d bytes)", MaxConstraintLen) + +// ErrTooManyConstraintGroups is returned when a constraint string contains +// too many OR groups. +var ErrTooManyConstraintGroups = fmt.Errorf("too many constraint groups (max %d)", MaxConstraintGroups) + // NewConstraint returns a Constraints instance that a Version instance can // be checked against. If there is a parse error it will be returned. func NewConstraint(c string) (*Constraints, error) { + if len(c) > MaxConstraintLen { + return nil, ErrConstraintTooLong + } + // Rewrite - ranges into a comparison operation. c = rewriteRange(c) ors := strings.Split(c, "||") + if len(ors) > MaxConstraintGroups { + return nil, ErrTooManyConstraintGroups + } lenors := len(ors) or := make([][]*constraint, lenors) hasPre := make([]bool, lenors) for k, v := range ors { // Validate the segment if !validConstraintRegex.MatchString(v) { - return nil, fmt.Errorf("improper constraint: %s", v) + return nil, fmt.Errorf("improper constraint: %q", v) } cs := findConstraintRegex.FindAllString(v, -1) @@ -104,9 +126,9 @@ func (cs Constraints) Validate(v *Version) (bool, []error) { for _, c := range o { // Before running the check handle the case there the version is // a prerelease and the check is not searching for prereleases. - if !(cs.IncludePrerelease || cs.containsPre[i]) && v.pre != "" { + if !cs.IncludePrerelease && !cs.containsPre[i] && v.pre != "" { if !prerelesase { - em := fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + em := fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) e = append(e, em) prerelesase = true } @@ -258,7 +280,7 @@ func parseConstraint(c string) (*constraint, error) { if len(c) > 0 { m := constraintRegex.FindStringSubmatch(c) if m == nil { - return nil, fmt.Errorf("improper constraint: %s", c) + return nil, fmt.Errorf("improper constraint: %q", c) } cs := &constraint{ @@ -325,7 +347,7 @@ func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } if c.dirty { @@ -335,7 +357,7 @@ func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error if c.con.Minor() != v.Minor() && !c.minorDirty { return true, nil } else if c.minorDirty { - return false, fmt.Errorf("%s is equal to %s", v, c.orig) + return false, fmt.Errorf("%q is equal to %q", v, c.orig) } else if c.con.Patch() != v.Patch() && !c.patchDirty { return true, nil } else if c.patchDirty { @@ -345,15 +367,15 @@ func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error if eq { return true, nil } - return false, fmt.Errorf("%s is equal to %s", v, c.orig) + return false, fmt.Errorf("%q is equal to %q", v, c.orig) } - return false, fmt.Errorf("%s is equal to %s", v, c.orig) + return false, fmt.Errorf("%q is equal to %q", v, c.orig) } } eq := v.Equal(c.con) if eq { - return false, fmt.Errorf("%s is equal to %s", v, c.orig) + return false, fmt.Errorf("%q is equal to %q", v, c.orig) } return true, nil @@ -364,7 +386,7 @@ func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, er // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } var eq bool @@ -374,17 +396,17 @@ func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, er if eq { return true, nil } - return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + return false, fmt.Errorf("%q is less than or equal to %q", v, c.orig) } if v.Major() > c.con.Major() { return true, nil } else if v.Major() < c.con.Major() { - return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + return false, fmt.Errorf("%q is less than or equal to %q", v, c.orig) } else if c.minorDirty { // This is a range case such as >11. When the version is something like // 11.1.0 is it not > 11. For that we would need 12 or higher - return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + return false, fmt.Errorf("%q is less than or equal to %q", v, c.orig) } else if c.patchDirty { // This is for ranges such as >11.1. A version of 11.1.1 is not greater // which one of 11.2.1 is greater @@ -392,7 +414,7 @@ func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, er if eq { return true, nil } - return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + return false, fmt.Errorf("%q is less than or equal to %q", v, c.orig) } // If we have gotten here we are not comparing pre-preleases and can use the @@ -401,21 +423,21 @@ func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, er if eq { return true, nil } - return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + return false, fmt.Errorf("%q is less than or equal to %q", v, c.orig) } func constraintLessThan(v *Version, c *constraint, includePre bool) (bool, error) { // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } eq := v.Compare(c.con) < 0 if eq { return true, nil } - return false, fmt.Errorf("%s is greater than or equal to %s", v, c.orig) + return false, fmt.Errorf("%q is greater than or equal to %q", v, c.orig) } func constraintGreaterThanEqual(v *Version, c *constraint, includePre bool) (bool, error) { @@ -423,21 +445,21 @@ func constraintGreaterThanEqual(v *Version, c *constraint, includePre bool) (boo // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } eq := v.Compare(c.con) >= 0 if eq { return true, nil } - return false, fmt.Errorf("%s is less than %s", v, c.orig) + return false, fmt.Errorf("%q is less than %q", v, c.orig) } func constraintLessThanEqual(v *Version, c *constraint, includePre bool) (bool, error) { // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } var eq bool @@ -447,13 +469,13 @@ func constraintLessThanEqual(v *Version, c *constraint, includePre bool) (bool, if eq { return true, nil } - return false, fmt.Errorf("%s is greater than %s", v, c.orig) + return false, fmt.Errorf("%q is greater than %q", v, c.orig) } if v.Major() > c.con.Major() { - return false, fmt.Errorf("%s is greater than %s", v, c.orig) + return false, fmt.Errorf("%q is greater than %q", v, c.orig) } else if v.Major() == c.con.Major() && v.Minor() > c.con.Minor() && !c.minorDirty { - return false, fmt.Errorf("%s is greater than %s", v, c.orig) + return false, fmt.Errorf("%q is greater than %q", v, c.orig) } return true, nil @@ -469,11 +491,11 @@ func constraintTilde(v *Version, c *constraint, includePre bool) (bool, error) { // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } if v.LessThan(c.con) { - return false, fmt.Errorf("%s is less than %s", v, c.orig) + return false, fmt.Errorf("%q is less than %q", v, c.orig) } // ~0.0.0 is a special case where all constraints are accepted. It's @@ -484,11 +506,11 @@ func constraintTilde(v *Version, c *constraint, includePre bool) (bool, error) { } if v.Major() != c.con.Major() { - return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig) + return false, fmt.Errorf("%q does not have same major version as %q", v, c.orig) } if v.Minor() != c.con.Minor() && !c.minorDirty { - return false, fmt.Errorf("%s does not have same major and minor version as %s", v, c.orig) + return false, fmt.Errorf("%q does not have same major and minor version as %q", v, c.orig) } return true, nil @@ -500,7 +522,7 @@ func constraintTildeOrEqual(v *Version, c *constraint, includePre bool) (bool, e // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } if c.dirty { @@ -512,7 +534,7 @@ func constraintTildeOrEqual(v *Version, c *constraint, includePre bool) (bool, e return true, nil } - return false, fmt.Errorf("%s is not equal to %s", v, c.orig) + return false, fmt.Errorf("%q is not equal to %q", v, c.orig) } // ^* --> (any) @@ -528,12 +550,12 @@ func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) { // The existence of prereleases is checked at the group level and passed in. // Exit early if the version has a prerelease but those are to be ignored. if v.Prerelease() != "" && !includePre { - return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + return false, fmt.Errorf("%q is a prerelease version and the constraint is only looking for release versions", v) } // This less than handles prereleases if v.LessThan(c.con) { - return false, fmt.Errorf("%s is less than %s", v, c.orig) + return false, fmt.Errorf("%q is less than %q", v, c.orig) } var eq bool @@ -548,12 +570,12 @@ func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) { if eq { return true, nil } - return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig) + return false, fmt.Errorf("%q does not have same major version as %q", v, c.orig) } // ^ when the major is 0 and minor > 0 is >=0.y.z < 0.y+1 if c.con.Major() == 0 && v.Major() > 0 { - return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig) + return false, fmt.Errorf("%q does not have same major version as %q", v, c.orig) } // If the con Minor is > 0 it is not dirty if c.con.Minor() > 0 || c.patchDirty { @@ -561,11 +583,11 @@ func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) { if eq { return true, nil } - return false, fmt.Errorf("%s does not have same minor version as %s. Expected minor versions to match when constraint major version is 0", v, c.orig) + return false, fmt.Errorf("%q does not have same minor version as %q. Expected minor versions to match when constraint major version is 0", v, c.orig) } // ^ when the minor is 0 and minor > 0 is =0.0.z if c.con.Minor() == 0 && v.Minor() > 0 { - return false, fmt.Errorf("%s does not have same minor version as %s", v, c.orig) + return false, fmt.Errorf("%q does not have same minor version as %q", v, c.orig) } // At this point the major is 0 and the minor is 0 and not dirty. The patch @@ -574,7 +596,7 @@ func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) { if eq { return true, nil } - return false, fmt.Errorf("%s does not equal %s. Expect version and constraint to equal when major and minor versions are 0", v, c.orig) + return false, fmt.Errorf("%q does not equal %q. Expect version and constraint to equal when major and minor versions are 0", v, c.orig) } func isX(x string) bool { diff --git a/vendor/github.com/Masterminds/semver/v3/version.go b/vendor/github.com/Masterminds/semver/v3/version.go index 7a3ba73887..da428760ce 100644 --- a/vendor/github.com/Masterminds/semver/v3/version.go +++ b/vendor/github.com/Masterminds/semver/v3/version.go @@ -6,6 +6,7 @@ import ( "encoding/json" "errors" "fmt" + "math" "regexp" "strconv" "strings" @@ -48,8 +49,16 @@ var ( // ErrInvalidPrerelease is returned when the pre-release is an invalid format ErrInvalidPrerelease = errors.New("invalid prerelease string") + + // ErrVersionTooLong is returned when a version string exceeds the + // maximum allowed length. + ErrVersionTooLong = fmt.Errorf("version string is too long (max %d bytes)", MaxVersionLen) ) +// MaxVersionLen is the maximum allowed length of a version string. This guards +// against unbounded input causing excessive memory allocations during parsing. +const MaxVersionLen = 256 + // semVerRegex is the regular expression used to parse a semantic version. // This is not the official regex from the semver spec. It has been modified to allow for loose handling // where versions like 2.1 are detected. @@ -94,6 +103,10 @@ func StrictNewVersion(v string) (*Version, error) { return nil, ErrEmptyString } + if len(v) > MaxVersionLen { + return nil, ErrVersionTooLong + } + // Split the parts into [0]major, [1]minor, and [2]patch,prerelease,build parts := strings.SplitN(v, ".", 3) if len(parts) != 3 { @@ -161,6 +174,9 @@ func StrictNewVersion(v string) (*Version, error) { // attempts to convert it to SemVer. If you want to validate it was a strict // semantic version at parse time see StrictNewVersion(). func NewVersion(v string) (*Version, error) { + if len(v) > MaxVersionLen { + return nil, ErrVersionTooLong + } if CoerceNewVersion { return coerceNewVersion(v) } @@ -289,6 +305,8 @@ func coerceNewVersion(v string) (*Version, error) { // New creates a new instance of Version with each of the parts passed in as // arguments instead of parsing a version string. +// Note, New does not validate prerelease or metadata. Incorrect information can +// be passed in. func New(major, minor, patch uint64, pre, metadata string) *Version { v := Version{ major: major, @@ -301,6 +319,7 @@ func New(major, minor, patch uint64, pre, metadata string) *Version { v.original = v.String() + // TODO: In the next semver major version validate the pre and metadata. Return error if there is one. return &v } @@ -388,6 +407,9 @@ func (v Version) IncPatch() Version { } else { vNext.metadata = "" vNext.pre = "" + if v.patch == math.MaxUint64 { + panic("patch version increment would overflow uint64") + } vNext.patch = v.patch + 1 } vNext.original = v.originalVPrefix() + "" + vNext.String() @@ -404,6 +426,9 @@ func (v Version) IncMinor() Version { vNext.metadata = "" vNext.pre = "" vNext.patch = 0 + if v.minor == math.MaxUint64 { + panic("minor version increment would overflow uint64") + } vNext.minor = v.minor + 1 vNext.original = v.originalVPrefix() + "" + vNext.String() return vNext @@ -421,6 +446,9 @@ func (v Version) IncMajor() Version { vNext.pre = "" vNext.patch = 0 vNext.minor = 0 + if v.major == math.MaxUint64 { + panic("major version increment would overflow uint64") + } vNext.major = v.major + 1 vNext.original = v.originalVPrefix() + "" + vNext.String() return vNext @@ -568,7 +596,16 @@ func (v Version) MarshalText() ([]byte, error) { // Scan implements the SQL.Scanner interface. func (v *Version) Scan(value interface{}) error { var s string - s, _ = value.(string) + switch t := value.(type) { + case string: + s = t + case []byte: + s = string(t) + case nil: + return fmt.Errorf("cannot scan nil into Version") + default: + return fmt.Errorf("unsupported Scan type %T", value) + } temp, err := NewVersion(s) if err != nil { return err diff --git a/vendor/modules.txt b/vendor/modules.txt index 0c50d1371b..c65014f037 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -147,7 +147,7 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapp # github.com/IBM/sarama v1.45.2 ## explicit; go 1.23.0 github.com/IBM/sarama -# github.com/Masterminds/semver/v3 v3.4.0 +# github.com/Masterminds/semver/v3 v3.5.0 ## explicit; go 1.21 github.com/Masterminds/semver/v3 # github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2