Bump dependencies using scripts/bump-deps.sh

[github-actions]

This PR created by create-pull-request must be closed and reopened manually to trigger automated checks.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 4 package(s) with unknown licenses.

See the Details below.

License Issues

cmd/go.mod

Package	Version	License	Issue Type
google.golang.org/protobuf	1.35.1	Null	Unknown License
github.com/hanwen/go-fuse/v2	2.6.3	Null	Unknown License

go.mod

Package	Version	License	Issue Type
google.golang.org/protobuf	1.35.1	Null	Unknown License
github.com/hanwen/go-fuse/v2	2.6.3	Null	Unknown License

Allowed Licenses: Apache-2.0, BSD-2-Clause, BSD-2-Clause-FreeBSD, BSD-3-Clause, MIT, ISC, Python-2.0, PostgreSQL, X11, Zlib

Excluded from license check: pkg:golang/github.com/hashicorp/go-retryablehttp, pkg:golang/github.com/hashicorp/errwrap, pkg:golang/github.com/hashicorp/go-cleanhttp, pkg:golang/github.com/hashicorp/go-multierror

OpenSSF Scorecard

Package	Version	Score	Details
gomod/github.com/containerd/containerd/api	1.8.0	🟢 8.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices 🟢 5 badge detected: Passing License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging ⚠️ -1 packaging workflow not detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6
gomod/github.com/containerd/errdefs	1.0.0	🟢 7.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/hanwen/go-fuse/v2	2.6.3	🟢 4.8	Details Check Score Reason Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20240401170217-c3f982113cda	🟢 5.3	Details Check Score Reason Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/protobuf	1.35.1	Unknown	Unknown
gomod/github.com/containerd/errdefs	1.0.0	🟢 7.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/hanwen/go-fuse/v2	2.6.3	🟢 4.8	Details Check Score Reason Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/protobuf	1.35.1	Unknown	Unknown

Scanned Files

• cmd/go.mod
• go.mod

[austinvazquez]

LGTM on CI pass

[austinvazquez]

@dependabot rebase

[sondavidb]

My bad messed up while rebasing 😓 Just doing this in case it fixes the unit tests but I doubt it will be the case.

[sondavidb]

Looks like it's failing

...
ok  	github.com/awslabs/soci-snapshotter/metadata	5.962s	coverage: 29.0% of statements
ok  	github.com/awslabs/soci-snapshotter/service/resolver	1.040s	coverage: 9.6% of statements
/tmp/go-build3922611315/b882/snapshot.test flag redefined: test.root
panic: /tmp/go-build3922611315/b882/snapshot.test flag redefined: test.root

goroutine 1 [running]:
flag.(*FlagSet).Var(0xc0000d8000, {0x73e840, 0xadcc2f}, {0x657841, 0x9}, {0x6638ce, 0x1e})
	/codebuild/output/src3636627187/src/actions-runner/_work/_tool/go/1.22.8/arm64/src/flag/flag.go:1028 +0x418
flag.BoolVar(...)
	/codebuild/output/src3636627187/src/actions-runner/_work/_tool/go/1.22.8/arm64/src/flag/flag.go:755
github.com/containerd/containerd/pkg/testutil.init.0()
	/go/pkg/mod/github.com/containerd/[email protected]/pkg/testutil/helpers.go:36 +0x78
FAIL	github.com/awslabs/soci-snapshotter/snapshot	0.023s
ok  	github.com/awslabs/soci-snapshotter/soci	1.100s	coverage: 13.2% of statements
...

because in snapshot_test.go we import "github.com/containerd/containerd/pkg/testutil", while continuity in mkfs_linux.go imports "github.com/containerd/continuity/testutil", of which they both use the same test.root (containerd, continuity). The continuity code path was added in v0.4.4 which is why we're only seeing this now.

I can't tell if we should just use continuity's testutil, or if this is a proper use case and we should report it upstream. Either way, skipping the upgrade for now.

[austinvazquez]

Some offline discussion with @sondavidb , @Kern--

It looks like upstream containerd handles this with containerd/containerd@588b7a1. We can try to get this into the release branches but also maybe just not depend on containerd testutil package for requires root.

[sondavidb]

Actually the problem stems from here, where we make a call to the containerd testing suite to test our snapshotter's compatibility with overlay's behavior. You can see in the string of dependencies that both containerd/pkg/testutil and continuity/fs/fstest are imported, and as both packages have the test.root flag, this ends up failing.

The only way to avoid this problem then is to not use that function at all, but attempting to copy over that part of the testing suite looks painful and can probably lead to code drift.

I've went ahead and closed #1399 for now, downgraded continuity in this PR, and have put in a PR to backport the change Austin mentioned above.