build(deps): update Core 2 dependencies #6574

Merged
merged 8 commits into from
Jul 4, 2025

lc525
Member

@lc525 lc525 commented Jul 3, 2025

Why

Target fixing of CVEs in preparation for the 2.9.1 release

What

Summary of changes

  • Update golang to 1.24.4
  • Update golang dependencies across codebase
  • Update kubebuilder and operator dependencies
  • Update ubi-micro to 9.6
  • Update dataflow dependencies
  • Update MLServer to 1.7.1
  • Generate Docker images with SBOM metadata

Tests

Tested that all updated packages work as expected by running smoke-test in kind (involving models and pipelines).

lc525 added 6 commits July 4, 2025 00:54
In order to significantly reduce the number of CVEs in Core 2 images, we:
  - update to golang 1.24.4
  - update all the package dependencies to their latest versions (this has
  required minor code fixes)
  - update the base Dockerfile builder images to ones using golang 1.24
  - update github workflows to use golang 1.24
  - during updates, the following changes have been manually made:
    * update `github.com/imdario/mergo` (deprecated) -> `dario.cat/mergo`
    * update `github.com/golang/protobuf` (deprecated) ->
    `google.golang.org/protobuf`
    * `google.golang.org/grpc/status` now requires messages (for example in
    `status.Errorf`) to have a printf format (like "%s") rather than pointing
    directly to a string.

Adds makefile targets for production docker image builds that contain an
automatically generated software bill of materials (SBOM)

Update the Docker build images CI action to push images with SBOM metadata
to dockerhub
@lc525 lc525 added the v2 label Jul 3, 2025
@lc525 lc525 force-pushed the quickfix/package-updates branch from fefbc3a to fae1ed8 Compare July 4, 2025 00:12
@lc525 lc525 force-pushed the quickfix/package-updates branch from 37ce948 to fc9719f Compare July 4, 2025 00:27
@lc525 lc525 merged commit 3876c82 into SeldonIO:v2 Jul 4, 2025
3 checks passed
@lc525 lc525 self-assigned this Jul 4, 2025
jtayl222 pushed a commit to jtayl222/seldon-core that referenced this pull request Jul 20, 2025
# Why

Target fixing of CVEs in preparation for the 2.9.1 release

## Summary of changes

- Update golang to 1.24.4
- Update golang dependencies across codebase
- Update kubebuilder and operator dependencies
- Update ubi-micro to 9.6
- Update dataflow dependencies
- Update MLServer to 1.7.1
- Generate Docker images with SBOM metadata

## Changeset details

* build(deps): Update golang to 1.24.4, together with dependencies

In order to significantly reduce the number of CVEs in Core 2 images, we:

  - update to golang 1.24.4
  - update all the package dependencies to their latest versions (this has
  required minor code fixes)
  - update the base Dockerfile builder images to ones using golang 1.24
  - update github workflows to use golang 1.24
  - during updates, the following changes have been manually made:
    * update `github.com/imdario/mergo` (deprecated) -> `dario.cat/mergo`
    * update `github.com/golang/protobuf` (deprecated) ->
    `google.golang.org/protobuf`
    * `google.golang.org/grpc/status` now requires messages (for example in
    `status.Errorf`) to have a printf format (like "%s") rather than pointing
    directly to a string.

* feat(build): CI to create docker images with sbom metadata

Adds makefile targets for production docker image builds that contain an
automatically generated software bill of materials (SBOM)

Update the Docker build images CI action to push images with SBOM metadata
to dockerhub

* build(deps): Update kubebuilder and operator support packages

* build(deps): Update MLServer to 1.7.1

* build(deps): Update ubi-micro to 9.6

* build(deps): Update dataflow-engine dependencies

* build(ci): update CI linter version to support golang 1.24
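
The `status.Errorf` change listed in the commit message above comes down to printf semantics: a message passed as the format argument has its `%` sequences interpreted instead of printed. The following is an added example, not code from this pull request; it uses `fmt.Errorf` as a stand-in for `status.Errorf` (assumption: both expand the format with `fmt` verbs) so that it runs with the standard library only, and `errorf`, `unsafeStatus`, `safeStatus` and `mangled` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// errorf stands in for status.Errorf (assumption, see lead-in). It is held in
// a variable because go vet in Go 1.24 reports a direct call that passes a
// non-constant format string and no further arguments.
var errorf = fmt.Errorf

// unsafeStatus is the pre-change pattern: msg itself is the format string,
// so any '%' in it is parsed as a formatting verb.
func unsafeStatus(msg string) error { return errorf(msg) }

// safeStatus is the post-change pattern: constant format, msg passed as data.
func safeStatus(msg string) error { return errorf("%s", msg) }

// mangled reports whether fmt left an error marker such as %!d(MISSING)
// or %!(NOVERB) in the rendered message.
func mangled(err error) bool { return strings.Contains(err.Error(), "%!") }

func main() {
	// Constructed sample messages, as might be built from a model name,
	// a URL-encoded path, or a metric.
	samples := []string{
		"model iris not found",
		"model 100%done failed to load",
		"bad path /v2/models/a%2Fb/infer",
		"quota at 95%",
	}
	for _, m := range samples {
		u, s := unsafeStatus(m), safeStatus(m)
		fmt.Printf("input:  %q\nunsafe: %q mangled=%v\nsafe:   %q\n\n",
			m, u.Error(), mangled(u), s.Error())
	}
}
```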