audit: update 5 high-impact package dependencies #12149
timothytlewis wants to merge 2 commits into main from
Conversation
| dependencies: | ||
| zlib.net: =1.3.1 # match tcl version exactly | ||
| zlib.net: =1.3.2 # match tcl; tcl uses ^1.3 so 1.3.2 is compatible |
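Review bot: the comment on the removed line ("match tcl version exactly") records that this exact pin tracks the zlib version tcl was built against, so the new comment's argument from tcl's `^1.3` range does not on its own justify moving the pin; either rebuild tcl-lang.org against zlib 1.3.2 in the same change, or keep `=1.3.1` and note the rebuild as a prerequisite for the bump.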
This won't work unless we rebuild tcl. It has to match the version built against. If we want to rebuild tcl8.6 against zlib 1.3.2, then this could work (if no other cascade fails).
| | Package | Domain | Version Source | Latest Upstream | Version Blocks | Status | | ||
| |---------|--------|---------------|-----------------|----------------|--------| | ||
| | OpenSSL | `openssl.org` | `github: openssl/openssl` | 3.6.1 | None (both 1.x and 3.x available) | ✅ CURRENT | |
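Review bot: the OpenSSL row reports `None (both 1.x and 3.x available)` under Version Blocks with a CURRENT status, which contradicts the PR's own Notable Findings that the `openssl.org: ^1.1` pin prevents curl 8.18+ and that Node 22+ LTS needs OpenSSL 3; the cell should record that 1.1 and 3 cannot coexist in one project, otherwise the table reads as if nothing is blocked by OpenSSL at all.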
This is a massive problem with linked programs. To solve it, we'd need to modify pkgx to allow multiple versions of openssl in a project, as we do with unicode, or make openssl3 its own package so they don't conflict.
| | Package | Domain | Version Source | Latest Upstream | Version Blocks | Status | | ||
| |---------|--------|---------------|-----------------|----------------|--------| | ||
| | Git | `git-scm.org` | `github: git/git/tags` | 2.53.0 | None | ✅ CURRENT | | ||
| | curl | `curl.se` | `github: curl/curl/releases` | 8.18.0 | **BLOCKED**: ignores 8.18+, 8.2x, 9.x | ❌ BLOCKED | |
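Review bot: the curl row's Version Blocks cell lists what is ignored (`8.18+, 8.2x, 9.x`) but not why; since the Notable Findings attribute this to the OpenSSL 3 requirement and the discussion notes that curl.se/ssl3 carries those later versions, the cell should cite the cause and the fork so the BLOCKED status is actionable rather than only observed.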
This is because of ssl version issues. The package was forked, and curl.se/ssl3 provides versions later than 8.18, which require openssl3, so they don't contaminate everything else.
I extracted the four quick ones to #12190; once those are in, it'll only be the python bit that needs attention.
Audit of ~40 high-impact infrastructure packages across 7 categories. Key findings: 3 packages explicitly version-blocked, 5 with stale dependency pins, and a systemic OpenSSL 1.1→3 migration need.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
zlib 1.3.2 is the current stable release. The tcl-lang.org package uses ^1.3, so 1.3.2 is fully compatible. Update exact pin accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
c2e8bd3 to 93e9006
Summary
Version audit of ~40 high-impact infrastructure packages as of 2026-03-06. Identified version blocks, stale dependency pins, and systemic issues. This PR updates the top 5 most actionable packages.
Changes
- stedolan/jq to active jqlang/jq (version source + distributable URL)
- ~1.24.1 to ~1.25.7 (matches go.mod)
- ~1.24.4 to ~1.25.0 (matches go.mod)
- zlib.net: =1.3.1 to =1.3.2 (tcl uses ^1.3, compatible)
- <3.12 to <3.15 (allows building with current Python)
Audit Report
Full audit report included at docs/audit/2026-03-06-version-audit-report.md covering:
Notable Findings (not addressed in this PR)
- openssl.org: ^1.1 dependency prevents curl 8.18+ (which requires OpenSSL 3)
- openssl.org: 1.1 — Node 22+ LTS needs OpenSSL 3
Test plan
- jqlang/jq releases
🤖 Generated with Claude Code
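The Changes list moves one exact pin (zlib.net =1.3.1 to =1.3.2) on the grounds that a consumer declares a `^1.3` range, and the Notable Findings show a range pin (`openssl.org: ^1.1`) that blocks curl 8.18+. Both questions, whether a version satisfies a dependent's range and whether two constraints can coexist, are mechanical, and the review comment on the zlib hunk adds a third check: a range match says nothing about a program that was linked against a specific version and must be rebuilt. The following Python is an added example written for this discussion, not code from pkgx or from this PR. The constraint syntax (`=`, `^`, `~`, `<`, `>=`) is assumed from the pins shown in the diff, the `python.org` key and the `^3` spelling of curl's OpenSSL requirement are assumptions, and the `BUILT_AGAINST` table is constructed to mirror the reviewer's point about tcl.

```python
"""Pin-consistency checks for a pkgx-style dependency set.

Added example for this PR discussion, not code from pkgx or the PR itself.
Constraint syntax is assumed from the pins in the diff: '=1.3.2' (exact),
'^1.3' (same major, at least 1.3), '~1.24.1' (same major.minor, at least
1.24.1), '<3.15' (strict upper bound) and '>=X' (lower bound).
"""
import re

_CONSTRAINT = re.compile(r"(\^|~|=|<|>=)?\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'8.18.0' -> (8, 18, 0). Only dotted numeric versions are handled."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(version, width):
    """Right-pad with zeros so (1, 3) compares like (1, 3, 0)."""
    return version + (0,) * max(0, width - len(version))


def _split(constraint):
    """'^1.3' -> ('^', '1.3'); a bare version is treated as exact."""
    match = _CONSTRAINT.fullmatch(constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return match.group(1) or "=", match.group(2)


def satisfies(version, constraint):
    """True if `version` ('1.3.2') lies inside `constraint` ('^1.3', '=1.3.1', ...)."""
    op, base_text = _split(constraint)
    base = parse_version(base_text)
    v = parse_version(version)
    width = max(len(v), len(base), 3)
    v, base_p = _pad(v, width), _pad(base, width)
    if op == "=":
        return v == base_p
    if op == "<":
        return v < base_p
    if op == ">=":
        return v >= base_p
    if op == "^":
        # ^X.Y: same major as X, and no lower than X.Y
        return v[0] == base[0] and v >= base_p
    # ~X.Y.Z: same major.minor as X.Y, and no lower than X.Y.Z
    return v[:2] == _pad(base, 2)[:2] and v >= base_p


def conflicts(project_pins, candidate_requires):
    """Project pins that a candidate package's own requirements cannot coexist with.

    Heuristic: two constraints are taken as compatible when the base version of
    either one satisfies the other. Returns a list of (dep, project_pin, needed).
    """
    found = []
    for dep, needed in candidate_requires.items():
        pinned = project_pins.get(dep)
        if pinned is None:
            continue
        compatible = satisfies(_split(needed)[1], pinned) or satisfies(_split(pinned)[1], needed)
        if not compatible:
            found.append((dep, pinned, needed))
    return found


def rebuild_needed(project_pins, built_against):
    """Dependents whose linked library version no longer matches the project pin.

    A range match (zlib 1.3.2 satisfies tcl's ^1.3) does not help a program that
    was linked against 1.3.1; it has to be rebuilt. Returns a list of
    (dependent, dep, linked_version, pin).
    """
    found = []
    for dependent, linked in built_against.items():
        for dep, linked_version in linked.items():
            pin = project_pins.get(dep)
            if pin is not None and not satisfies(linked_version, pin):
                found.append((dependent, dep, linked_version, pin))
    return found


# Pins taken from the PR text; the python.org key is an assumption for the <3.15 cap.
PROJECT_PINS = {"openssl.org": "^1.1", "zlib.net": "=1.3.2", "python.org": "<3.15"}
# From the Notable Findings: curl 8.18+ requires OpenSSL 3. The '^3' spelling is assumed.
CURL_8_18_REQUIRES = {"openssl.org": "^3"}
# Constructed: tcl-lang.org was linked against the previous exact zlib pin.
BUILT_AGAINST = {"tcl-lang.org": {"zlib.net": "1.3.1"}}


def audit():
    """Run both checks over the constructed data above."""
    return {
        "curl_8_18_blocked_by": conflicts(PROJECT_PINS, CURL_8_18_REQUIRES),
        "rebuild_after_pin_change": rebuild_needed(PROJECT_PINS, BUILT_AGAINST),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'ok'}")
```

Run as a script it reports the `openssl.org` conflict for curl 8.18 and the tcl rebuild forced by the zlib pin change; feeding it a real set of `dependencies:` maps from the package definitions would turn the PR's manual audit into a check that can run before a pin bump lands. The range intersection test is deliberately a heuristic over base versions, which is enough for the caret, tilde, exact and upper-bound forms used here but should not be taken as a full semver solver.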