
Bump com.squareup.okio:okio from 3.4.0 to 3.9.0 in /backend

Open dependabot[bot] opened this issue 1 year ago • 5 comments

Bumps com.squareup.okio:okio from 3.4.0 to 3.9.0.

Changelog

Sourced from com.squareup.okio:okio's changelog.

Version 3.9.0

2024-03-12

  • New: FileSystem.SYSTEM can be used in source sets that target both Kotlin/Native and Kotlin/JVM. Previously, we had this symbol in each source set but it wasn't available to common source sets.
  • New: COpaquePointer.readByteString(...) creates a ByteString from a memory address.
  • New: Support InflaterSource, DeflaterSink, GzipSink, and GzipSource in Kotlin/Native.
  • New: Support openZip() on Kotlin/Native. One known bug in this implementation is that FileMetadata.lastModifiedAtMillis() is interpreted as UTC and not the host machine's time zone.
  • New: Prefer NTFS timestamps in ZIP file systems' metadata. This avoids the time zone problems of ZIP's built-in DOS timestamps, and the 2038 time bombs of ZIP's extended timestamps.
  • Fix: Don't leak file handles to opened JAR files open in FileSystem.RESOURCES.
  • Fix: Don't throw a NullPointerException if Closeable.use { ... } returns null.

Version 3.8.0

2024-02-09

  • New: TypedOptions works like Options, but it returns a T rather than an index.
  • Fix: Don't leave sinks open when there's a race in Pipe.fold().

Version 3.7.0

2023-12-16

  • New: Timeout.cancel() prevents a timeout from firing.
  • Breaking: Drop the watchosX86 Kotlin/Native target. From [the Kotlin blog][watchosX86], ‘This is an obsolete simulator for Intel Macs. Use the watchosX64 target instead.’
  • New: Add the watchosDeviceArm64 Kotlin/Native target.
  • New: Timeout APIs that accept kotlin.time.Duration.
  • Upgrade: [Kotlin 1.9.21][kotlin_1_9_21].

Version 3.6.0

2023-10-01

  • Fix: Don't leak file handles when using metadata functions on ZipFileSystem. We had a bug where we were closing the .zip file, but not a stream inside of it. We would have prevented this bug if only we’d used FakeFileSystem.checkNoOpenFiles() in our tests!
  • Fix: Don't build an index of a class loader's resources in ResourceFileSystem.read(). This operation doesn't need this index, and building it is potentially expensive.
  • New: Experimentally support Linux on ARM64 for Kotlin/Native targets (linuxArm64). Note that we haven't yet added CI test coverage for this platform.
  • Upgrade: [Kotlin 1.9.10][kotlin_1_9_10].

... (truncated)

Commits
  • d6c38c2 Prepare for release 3.9.0.
  • eac869b Create FileSystem.SYSTEM property in shared source set (#1455)
  • fe6ac99 Fix Closeable.use NullPointerException (#1453)
  • 940496a Get ZipFileSystem to prefer NTFS timestamps when present (#1449)
  • 2c0d99e Merge pull request #1451 from square/renovate/org.jetbrains.dokka-dokka-gradl...
  • 6c96879 Update dependency org.jetbrains.dokka:dokka-gradle-plugin to v1.9.20
  • 0b889e3 Update actions/setup-java action to v4.1.0 (#1446)
  • eb0b918 Tag the language in code samples (#1445)
  • 20b83aa Get openZip working on KotlinNative (#1439)
  • 3bcb813 Handle DOS dates in Kotlin/Multiplatform (#1438)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar May 05 '24 15:05 dependabot[bot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar May 10 '24 18:05 dependabot[bot]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud[bot] avatar May 10 '24 18:05 sonarqubecloud[bot]

Smoke tested on dev4 and things look good, but @alismx and @shanice-skylight wanted to double check that the comment about devops reviewing the package pins here for security reasons isn't a blocker here.

fzhao99 avatar May 10 '24 21:05 fzhao99

@mpbrown @fzhao99 Since the question is around a security pin, I checked the Snyk scan for details on the pinned version being updated. It seems that changing it doesn't introduce any issues. I'd say we could probably remove the pin.

@shanice-skylight What do you think?

alismx avatar May 16 '24 19:05 alismx

I agree we can remove the pin

shanice-skylight avatar May 16 '24 19:05 shanice-skylight

@fzhao99 @shanice-skylight @emyl3 Looks like removing the pin pushes this version back down to 3.0 which is a problematic version.

Our options are:

  • merge this update
  • close it out for now

I'm fine with either but we can't remove the pin.

alismx avatar May 30 '24 19:05 alismx

Will just merge this in then! Thanks for looking into it Alis :)

fzhao99 avatar May 31 '24 16:05 fzhao99
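The thread concludes that the okio pin must stay because, without it, transitive resolution drops the version back to 3.0. As an added illustration (not code from the prime-simplereport repository; it assumes the backend is built with Gradle Kotlin DSL), a dependency constraint is the way to keep that floor while still letting Dependabot bump the number:

```kotlin
// build.gradle.kts (assumed layout; the real backend build file is not on this page)
dependencies {
    constraints {
        // A constraint raises the resolved version of okio wherever it is pulled in
        // transitively, without adding a direct dependency the code doesn't use.
        implementation("com.squareup.okio:okio:3.9.0") {
            // The `because` text is printed by `dependencyInsight`, so the reason for
            // the pin survives the next upgrade review instead of living in a PR thread.
            because(
                "Without this pin transitive resolution falls back to okio 3.0, " +
                "which the team flagged as problematic; keep the floor when bumping."
            )
        }
    }
}
```

After changing the version, `./gradlew dependencyInsight --dependency com.squareup.okio:okio --configuration runtimeClasspath` shows which version actually resolved and which declaration (the constraint or another library) selected it.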