Skip to content

multi: update mapstructure/v2 #10310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 14, 2025
Merged

multi: update mapstructure/v2 #10310

merged 1 commit into from
Nov 14, 2025
+12 −12

Conversation

@starius
Copy link
Collaborator

@starius starius commented Oct 21, 2025

Change Description

go-viper's mapstructure is being updated to the version where the bug is fixed.

Steps to Test

make unit

Pull Request Checklist

Testing

  • Your PR passes all CI checks.
  • Tests covering the positive and negative (error paths) are included.
  • Bug fixes contain tests triggering the bug to prevent regressions.

Code Style and Documentation

📝 Please see our Contribution Guidelines for further guidance.

@starius
multi: update mapstructure/v2
6ee8e2a 
go-viper's mapstructure may leak sensitive information in logs when processing
malformed data. Updating to the version where the bug is fixed.
@starius starius marked this pull request as ready for review October 21, 2025 20:10
@saubyk saubyk requested a review from ziggie1984 November 13, 2025 15:28
@ziggie1984
Copy link
Collaborator

ziggie1984 commented Nov 14, 2025

related to https://github.com/lightningnetwork/lnd/security/dependabot/165

@ziggie1984
Copy link
Collaborator

ziggie1984 commented Nov 14, 2025

@gemini-code-assist updating the libaries is one step, but for LND to use the updated libs we need to use the updated modules there as well, otherwise we are not using the updated lib in LND

@gemini-code-assist
Copy link

gemini-code-assist bot commented Nov 14, 2025

That's a very good point, @ziggie1984. You're right that simply updating the go.mod entries is only the first step.

This pull request updates the mapstructure/v2 dependency to v2.4.0 across all go.mod files within the repository (root, kvdb, sqldb, and tools). When go mod tidy and subsequent go build commands are executed, the Go module system should correctly resolve to use v2.4.0 for any module that directly or transitively depends on mapstructure/v2.

The intention is that by updating all go.mod files, the entire LND project will indeed use the updated library. The make unit command, as specified in the PR description, should help verify that the updated libraries are correctly integrated and that no unexpected issues arise from this version bump.

ziggie1984
ziggie1984 approved these changes Nov 14, 2025
View reviewed changes
Copy link
Collaborator

@ziggie1984 ziggie1984 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, LND will use the newest version of the map lib because of the Minimal Version Selection principal of the go tool management

@yyforyongyu yyforyongyu merged commit 841a291 into lightningnetwork:master Nov 14, 2025
36 of 40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ellemouton ellemouton ellemouton approved these changes

@ziggie1984 ziggie1984 ziggie1984 approved these changes

Assignees

@starius starius

Labels

no-changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@starius @ziggie1984 @ellemouton @yyforyongyu