* chore: Run `go get golang.org/x/crypto@v0.44.0`
* chore: Run `make syncdeps`
* chore: Run `make generate`
* chore: Update staticcheck.conf to ignore SA4003
This includes a fix in the handling of conflicting constraints referring
to prereleases, like "1.0.0-beta.1, !1.0.0-beta.1".
Previously the library would incorrectly treat that as a positive match,
rather than having the negative override the positive as happens in all
other cases.
We were importing this to resolve an init-time conflict with this library
when it was indirectly loaded by the etcd libraries.
We removed the etcd backends a while back and so we no longer use any of
the etcd modules in Terraform, and so this tricky import was our only
remaining reference to github.com/coreos/pkg/capnslog.
Dropping this eliminates two unnecessary dependencies.
This extends the "CmpOptions" to include a comparer for cty.Path values,
so that we don't have to hand-write that in each case where we're
comparing data structures containing those.
Many of the changes between these two versions seem to be in parts of the
library that Terraform doesn't use, but there are a few sensitive parts:
- Slight changes to details of how the library implements the JSON
  encoding of protobuf. Terraform CLI/Core don't use this, but some
  of the backends might use it indirectly when talking to their
  underlying APIs.
- Some details of the "protoreflect" package for working with
  protobuf descriptors dynamically (rather than using generated stubs)
  have changed, but it seems pretty marginal and unlikely to cause
  problems.
We've been gradually chipping away at how much we use go-getter for source
packages, because it's generally been a bit of a nightmare and sharing it
with other codebases means that any time someone wants to change something
we end up needing to find some way to prevent it breaking Terraform's
compatibility promises.
Here we make one further step: Terraform owns the "detectors" idea that
deals with source address normalization, and now always produces
fully-qualified addresses for go-getter to chew on only for the getting
and decompressing steps.
Retaining go-getter for the actual getting part is helpful because we can
then benefit from security fixes upstream, but Terraform owning the first
layer of parsing means that we can fix in place the definition of what
"module source address" syntax means, and thus we can avoid having
everything in this codebase indirectly depend on go-getter just because it
wants to parse module source addresses.
Now only the module installer actually depends indirectly on go-getter,
which finally disconnects go-getter's subtree from all of the remote state
backend dependency graphs.
At one point we were relying on this for a few different things, but now
it's here exclusively to support legacy/helper/schema, the legacy SDK
snapshot that is still being used by a few of the remote state backends.
The SDK only really needs a tiny portion of the functionality from this
package, and by deleting as much of the unused stuff as possible we can
reduce the indirect dependencies of this package and thus, in turn, the
indirect dependencies of the remote state backends.
This also selectively deletes a few parts of the legacy SDK that are
focused on providers and provisioners, because we know that we have this
here only to support the backends that haven't yet been weaned off it,
but we'll save a more adventurous purge of _that_ package for another day.
Aside from development tool dependencies we use this only for the directory
hashing logic used to compute go module hashes, which we also use for
Terraform provider hashes.
There are no changes to the dirhash package in this update, so this should
have no runtime impact.
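
The directory hashing scheme mentioned above, as an added example that is not part of the original commit message or of the Terraform code base: a standard-library reimplementation of the "h1:" algorithm from golang.org/x/mod's dirhash package, run over a constructed in-memory file set. The function name `HashH1` and the sample file names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// HashH1 computes an "h1:" directory hash over an in-memory file set
// (slash-separated relative path -> contents). Hypothetical helper for
// illustration; real callers use golang.org/x/mod/sumdb/dirhash.
func HashH1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		// The summary is newline-delimited, so a newline inside a name
		// would let one entry masquerade as two.
		if strings.Contains(name, "\n") {
			return "", errors.New("file names with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names) // result must not depend on map or filesystem order

	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		// One line per file: hex digest, two spaces, file name.
		fmt.Fprintf(summary, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

func main() {
	// Constructed sample package contents, not a real provider.
	pkg := map[string][]byte{
		"terraform-provider-example_v1.0.0": []byte("binary bytes"),
		"LICENSE":                           []byte("license text"),
	}
	recorded, _ := HashH1(pkg)
	pkg["terraform-provider-example_v1.0.0"] = []byte("binary bytez")
	tampered, _ := HashH1(pkg)
	fmt.Println("recorded:", recorded)
	fmt.Println("tampered:", tampered, "match:", recorded == tampered)
}
```

Because the summary covers both names and contents, renaming, adding, or modifying any file in the package changes the hash, which is what lets a recorded value detect a substituted package.
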
This update is largely focused on QUIC implementation changes, which do not
directly affect Terraform.
There is one fix for the HTTP2 implementation to terminate the stream if
a sender receives an out-of-bounds window update, which makes the
implementation better match the specification. This seems unlikely to
cause any practical problems for Terraform.
This update is mostly internal changes that don't affect external behavior.
The only update potentially significant to Terraform is the new exclusion
of a particular root certificate that is used only for some specific names
under the .tr CCTLD, but the certificate database doesn't specify that
constraint in a way that the library can understand, so it's excluded to
avoid making the trust for that certificate broader than intended.