... to include a fix for
https://github.com/advisories/GHSA-c2h3-6mxw-7mvq .
(Note that Skopeo doesn't depend on the vulnerable code,
so this is primarily to avoid dependency checker warnings.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We currently need it to drag in recent versions of other dependencies,
per https://github.com/containers/skopeo/issues/796 .
I'll work to update the relevant dependencies in c/image, but that will
only propagate to skopeo in the next c/image release; in the meantime,
this at least undoes the downgrades.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Most of the dependencies have been copied from libpod's vendor.conf
where such a cleanup has been executed recently.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Temporarily vendor opencontainers/image-spec from a fork
to fix "id" value duplication, which is detected and
refused by gojsonschema now
( https://github.com/opencontainers/image-spec/pull/750 ).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Required to update those dependencies in containers/image.
See https://github.com/containers/image/pull/446.
Updated by mitr@redhat.com to vendor from containers/image master again,
which brought in a few more dependency updates.
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Anyone running (vndr) currently ends up with failing tests in OCI schema
validation because gojsonschema has fixed its "$ref" interpretation, exposing
inconsistent URI usage inside image-spec/schema.
So, this runs (vndr), and uses mtrmac/image-spec:id-based-loader
( https://github.com/opencontainers/image-spec/pull/739 ) to make the tests pass
again. As soon as that PR is merged we should revert to using the upstream
image-spec repo again.
PR #440 reverted the vendor.conf edits of #426. This passed CI
because the corresponding vendor/* subpackages were not modified.
Restore the vendor.conf changes, and re-run full (vndr) to ensure
the two are consistent again.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
containers/storage got new dependencies, so we will need to re-vendor
eventually anyway, and having this separate from other major work is
cleaner.
But the primary goal of this commit is to see whether it makes skopeo
buildable on OS X.
Primarily vendor after merging mtrmac/image:openpgp.
Then update for the SigningMechanism API change.
Also skip signing tests if the GPG mechanism does not support signing.
Also abort some of the tests early instead of trying to use invalid (or
nil) values.
The current master of image-tools does not build with Go 1.6, so keep
using an older release.
Also requires adding a few more dependencies of our updated
dependencies.
vndr is almost exactly the same as our old good hack/vendor.sh. Except
it's cleaner and it allows to re-vendor just one dependency if needed
(which we do a lot for containers/image).
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Otherwise the "clean" step of hack/vendor.sh would drop most .go files
from vendor/ as unused.
Also commits refreshed versions of a few of the vendored packages.
