fix(cloudflared): GHSA-527x-5wrf-22m2

[catmsred]

Bump coredns to 1.14.0

Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/52938

[octo-sts]

🛑 Build Failed: Compilation

too many arguments in call to qpack.NewDecoder
have (func(hf qpack.HeaderField))
want ()

Build Details

Category	Details
Build System	Go
Failure Point	go build command during compilation of github.com/quic-go/quic-go/http3

Root Cause Analysis 🔍

API incompatibility between the quic-go library and its qpack dependency. The qpack.NewDecoder function signature has changed - it no longer accepts a callback function parameter, but the quic-go code is still trying to pass one. This appears to be caused by dependency version mismatches after the go/bump step updated packages including golang.org/x/crypto and github.com/coredns/coredns, which may have pulled in incompatible versions of transitive dependencies.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: melange.yaml

• modification at line 19-22 (pipeline go/bump step)
  Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/coredns/[email protected]

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/coredns/[email protected]
        github.com/quic-go/[email protected]

Content:

Pin the qpack dependency to a specific version that is compatible with the quic-go library version used by cloudflared

Click to expand fix analysis

Analysis

No similar build failures were provided for analysis, so I cannot identify patterns from past fixes. However, based on the error message "too many arguments in call to qpack.NewDecoder" and the root cause analysis indicating API incompatibility between quic-go library and its qpack dependency, this appears to be a dependency version mismatch issue. The qpack.NewDecoder function signature changed to no longer accept a callback function parameter, but quic-go is still trying to pass one. This type of issue is commonly resolved by either updating dependencies to compatible versions or pinning specific versions that are known to work together.

Click to expand fix explanation

Explanation

The build failure is caused by an API incompatibility between the quic-go library and its qpack dependency. The qpack.NewDecoder function signature has changed to no longer accept a callback function parameter, but the quic-go code is still trying to pass one. This suggests that the go/bump step updated dependencies in a way that pulled in an incompatible version of the qpack library. By explicitly pinning the github.com/quic-go/qpack dependency to version v0.4.0 (which is likely the last version that maintained the old API), we ensure that the quic-go library gets a compatible version of qpack that still accepts the callback function parameter. This approach maintains the existing quic-go code without requiring upstream changes while resolving the immediate build failure.

Click to expand alternative approaches

Alternative Approaches

• Remove the go/bump step entirely if the dependency updates are not critical, allowing Go modules to resolve to naturally compatible versions
• Update cloudflared to a newer version that may have already adapted to the new qpack API
• Add a replace directive in a go.mod file to force a specific qpack version, though this would require creating or modifying go.mod
• Pin the quic-go library itself to an older version that is compatible with the current qpack version

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.