Skip to content

Bump dependencies #206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 13, 2025
Merged

Bump dependencies #206

merged 1 commit into from
Aug 13, 2025

Conversation

@marquiz
Copy link
Contributor

@marquiz marquiz commented Aug 13, 2025

Update outdated deps.

@marquiz
Copy link
Contributor Author

marquiz commented Aug 13, 2025

@klihub @chrishenzie @mikebrow

@klihub
Copy link
Member

klihub commented Aug 13, 2025
edited
Loading

@marquiz Unfortunately we can't do this across the board just like that. We are a 'library package' and a direct dependency of cri-o and containerd. If we bump any of our dependency beyond what they have now in main/HEAD, we implictly force them to bump their dependencies, too. And if we want to keep the possibility of updating NRI in still active maintenance branches, then the limitation might be more severe. And many of the deps here try to bump deps beyond what is currently in either of those runtimes main/HEAD.

So IMO, at least the lower of the current corresponding deps in cri-o and containerd main/HEAD should be considered to upper bound where we can bump to. If we think we should update some maintenance branches to our next release, then the lowest of the current corresponding deps within those becomes the upper limit.

@marquiz
Bump dependencies
ced3ebe 
Update outdated deps.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
@marquiz
Copy link
Contributor Author

marquiz commented Aug 13, 2025

Good point. I changed the main module to bump to the lowest non-CVE-versions. I think plugins can be updated without this limitation...

@klihub
Copy link
Member

klihub commented Aug 13, 2025

Good point. I changed the main module to bump to the lowest non-CVE-versions. I think plugins can be updated without this limitation...

Yes, definitely. It only applies to core NRI. Plugins can be freely updated to the latest versions.

klihub
klihub approved these changes Aug 13, 2025
View reviewed changes
Copy link
Member

@klihub klihub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@klihub klihub requested review from chrishenzie and mikebrow August 13, 2025 09:58
mikebrow
mikebrow approved these changes Aug 13, 2025
View reviewed changes
Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mikebrow mikebrow merged commit ef2d8cb into containerd:main Aug 13, 2025
16 checks passed
@marquiz marquiz deleted the devel/deps branch August 13, 2025 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@klihub klihub klihub approved these changes

@chrishenzie chrishenzie chrishenzie approved these changes

@mikebrow mikebrow mikebrow approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@marquiz @klihub @chrishenzie @mikebrow