Update a number of dependencies (incl. CVE fixes) (#4107)

* Update a number of dependencies (incl. CVE fixes)

Includes some dependencies that were upgraded in #4106 as well as a few more dependencies.

Some deps that have been upgraded had CVEs.

Notably, upgrades deprecated dependencies such as:
- `github.com/go-chi/chi` (replaced with `/v5`)
- `github.com/gofrs/uuid` (replaced with `/v5`)
- `github.com/hashicorp/golang-lru` (replaced with `/v2` which uses generics)

* Upgraded a few more deps

* lint

* reverted yaml library to v2

* remove unnecessary mod replace

* Update chromedp

Fixes #3733

go.mod

@@ -1,67 +1,62 @@
 module github.com/stashapp/stash
 
+go 1.19
+
 require (
 	github.com/99designs/gqlgen v0.17.2
+	github.com/WithoutPants/sortorder v0.0.0-20230616003020-921c9ef69552
 	github.com/Yamashou/gqlgenc v0.0.6
 	github.com/anacrolix/dms v1.2.2
 	github.com/antchfx/htmlquery v1.3.0
-	github.com/chromedp/cdproto v0.0.0-20210622022015-fe1827b46b84
-	github.com/chromedp/chromedp v0.7.3
-	github.com/corona10/goimagehash v1.0.3
-	github.com/disintegration/imaging v1.6.0
-	github.com/go-chi/chi v4.0.2+incompatible
-	github.com/gofrs/uuid v4.4.0+incompatible
-	github.com/golang-jwt/jwt/v4 v4.0.0
-	github.com/golang-migrate/migrate/v4 v4.15.0-beta.1
+	github.com/asticode/go-astisub v0.26.0
+	github.com/chromedp/cdproto v0.0.0-20231007061347-18b01cd81617
+	github.com/chromedp/chromedp v0.9.2
+	github.com/corona10/goimagehash v1.1.0
+	github.com/disintegration/imaging v1.6.2
+	github.com/doug-martin/goqu/v9 v9.18.0
+	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/cors v1.2.1
+	github.com/go-chi/httplog v0.3.1
+	github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4
+	github.com/gofrs/uuid/v5 v5.0.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-migrate/migrate/v4 v4.16.2
 	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/sessions v1.2.0
+	github.com/gorilla/sessions v1.2.1
 	github.com/gorilla/websocket v1.5.0
-	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
-	github.com/jmoiron/sqlx v1.3.1
+	github.com/hashicorp/golang-lru/v2 v2.0.6
+	github.com/jinzhu/copier v0.4.0
+	github.com/jmoiron/sqlx v1.3.5
 	github.com/json-iterator/go v1.1.12
-	github.com/mattn/go-sqlite3 v1.14.7
+	github.com/kermieisinthehouse/gosx-notifier v0.1.1
+	github.com/kermieisinthehouse/systray v1.2.4
+	github.com/lucasb-eyer/go-colorful v1.2.0
+	github.com/mattn/go-sqlite3 v1.14.17
 	github.com/natefinch/pie v0.0.0-20170715172608-9a0d72014007
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/robertkrimen/otto v0.0.0-20200922221731-ef014fd054ac
 	github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/afero v1.8.2 // indirect
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cast v1.5.1
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.10.1
-	github.com/stretchr/testify v1.7.1
-	github.com/tidwall/gjson v1.9.3
-	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/spf13/viper v1.16.0
+	github.com/stretchr/testify v1.8.4
+	github.com/tidwall/gjson v1.16.0
+	github.com/vearutop/statigz v1.4.0
+	github.com/vektah/dataloaden v0.3.0
+	github.com/vektah/gqlparser/v2 v2.4.2
 	github.com/vektra/mockery/v2 v2.10.0
+	github.com/xWTF/chardet v0.0.0-20230208095535-c780f2ac244e
+	github.com/zencoder/go-dash/v3 v3.0.2
 	golang.org/x/crypto v0.14.0
-	golang.org/x/image v0.5.0
+	golang.org/x/image v0.12.0
 	golang.org/x/net v0.17.0
 	golang.org/x/sys v0.13.0
 	golang.org/x/term v0.13.0
 	golang.org/x/text v0.13.0
-	golang.org/x/tools v0.6.0 // indirect
-	gopkg.in/sourcemap.v1 v1.0.5 // indirect
-	gopkg.in/yaml.v2 v2.4.0
-)
-
-require (
-	github.com/WithoutPants/sortorder v0.0.0-20230616003020-921c9ef69552
-	github.com/asticode/go-astisub v0.20.0
-	github.com/doug-martin/goqu/v9 v9.18.0
-	github.com/go-chi/cors v1.2.1
-	github.com/go-chi/httplog v0.2.1
-	github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4
-	github.com/hashicorp/golang-lru v0.5.4
-	github.com/kermieisinthehouse/gosx-notifier v0.1.1
-	github.com/kermieisinthehouse/systray v1.2.4
-	github.com/lucasb-eyer/go-colorful v1.2.0
-	github.com/spf13/cast v1.4.1
-	github.com/vearutop/statigz v1.1.6
-	github.com/vektah/dataloaden v0.3.0
-	github.com/vektah/gqlparser/v2 v2.4.2
-	github.com/xWTF/chardet v0.0.0-20230208095535-c780f2ac244e
-	github.com/zencoder/go-dash/v3 v3.0.2
 	gopkg.in/guregu/null.v4 v4.0.0
+	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
@@ -70,46 +65,48 @@ require (
 	github.com/asticode/go-astikit v0.20.0 // indirect
 	github.com/asticode/go-astits v1.8.0 // indirect
 	github.com/chromedp/sysutil v1.0.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/go-chi/chi/v5 v5.0.0 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
-	github.com/gobwas/ws v1.1.0-rc.5 // indirect
+	github.com/gobwas/ws v1.3.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/hashicorp/go-multierror v1.1.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matryer/moq v0.2.3 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
-	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rs/zerolog v1.26.1 // indirect
+	github.com/rs/zerolog v1.30.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/spf13/cobra v1.4.0 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
+	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/stretchr/objx v0.2.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/urfave/cli/v2 v2.8.1 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/sourcemap.v1 v1.0.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-
-replace git.apache.org/thrift.git => github.com/apache/thrift v0.0.0-20180902110319-2566ecd5d999
-
-go 1.19

internal/api/routes_custom.go

@@ -4,7 +4,8 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/internal/manager/config"
 )
 

internal/api/routes_downloads.go

@@ -4,7 +4,8 @@ import (
 	"context"
 	"net/http"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/internal/manager"
 )
 

internal/api/routes_image.go

@@ -8,7 +8,8 @@ import (
 	"os/exec"
 	"strconv"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/internal/manager"
 	"github.com/stashapp/stash/internal/static"
 	"github.com/stashapp/stash/pkg/file"

internal/api/routes_movie.go

@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 
 	"github.com/stashapp/stash/internal/static"
 	"github.com/stashapp/stash/pkg/logger"

internal/api/routes_performer.go

@@ -6,7 +6,8 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/pkg/logger"
 	"github.com/stashapp/stash/pkg/models"
 	"github.com/stashapp/stash/pkg/utils"

internal/api/routes_scene.go

@@ -8,7 +8,8 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/internal/manager"
 	"github.com/stashapp/stash/internal/manager/config"
 	"github.com/stashapp/stash/pkg/ffmpeg"

internal/api/routes_studio.go

@@ -6,7 +6,8 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/internal/static"
 	"github.com/stashapp/stash/pkg/logger"
 	"github.com/stashapp/stash/pkg/models"

internal/api/routes_tag.go

@@ -6,7 +6,8 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+
 	"github.com/stashapp/stash/internal/static"
 	"github.com/stashapp/stash/pkg/logger"
 	"github.com/stashapp/stash/pkg/models"

internal/api/server.go

@@ -21,13 +21,13 @@ import (
 	gqlLru "github.com/99designs/gqlgen/graphql/handler/lru"
 	gqlTransport "github.com/99designs/gqlgen/graphql/handler/transport"
 	gqlPlayground "github.com/99designs/gqlgen/graphql/playground"
-	"github.com/go-chi/chi"
-	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/cors"
+	"github.com/go-chi/httplog"
 	"github.com/gorilla/websocket"
 	"github.com/vearutop/statigz"
 
-	"github.com/go-chi/cors"
-	"github.com/go-chi/httplog"
 	"github.com/stashapp/stash/internal/api/loaders"
 	"github.com/stashapp/stash/internal/build"
 	"github.com/stashapp/stash/internal/manager"
@@ -71,7 +71,7 @@ func Start() error {
 		r.Use(httplog.RequestLogger(httpLogger))
 	}
 	r.Use(SecurityHeadersMiddleware)
-	r.Use(middleware.DefaultCompress)
+	r.Use(middleware.Compress(4))
 	r.Use(middleware.StripSlashes)
 	r.Use(BaseURLMiddleware)
 

internal/manager/apikey.go

@@ -14,15 +14,15 @@ const APIKeySubject = "APIKey"
 
 type APIKeyClaims struct {
 	UserID string `json:"uid"`
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 }
 
 func GenerateAPIKey(userID string) (string, error) {
 	claims := &APIKeyClaims{
 		UserID: userID,
-		StandardClaims: jwt.StandardClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:  APIKeySubject,
-			IssuedAt: time.Now().Unix(),
+			IssuedAt: jwt.NewNumericDate(time.Now()),
 		},
 	}
 

pkg/scraper/cookies.go

@@ -135,7 +135,7 @@ func setCDPCookies(driverOptions scraperDriverOptions) chromedp.Tasks {
 // print cookies whose domain is included in the scraper  config
 func printCDPCookies(driverOptions scraperDriverOptions, msg string) chromedp.Action {
 	return chromedp.ActionFunc(func(ctx context.Context) error {
-		chromeCookies, err := network.GetAllCookies().Do(ctx)
+		chromeCookies, err := network.GetCookies().Do(ctx)
 		if err != nil {
 			return err
 		}

pkg/scraper/mapped.go

@@ -12,10 +12,11 @@ import (
 	"time"
 
 	"github.com/robertkrimen/otto"
+	"gopkg.in/yaml.v2"
+
 	"github.com/stashapp/stash/pkg/logger"
 	"github.com/stashapp/stash/pkg/models"
 	"github.com/stashapp/stash/pkg/sliceutil/stringslice"
-	"gopkg.in/yaml.v2"
 )
 
 type mappedQuery interface {

pkg/scraper/stashbox/stash_box.go

@@ -14,11 +14,11 @@ import (
 	"strings"
 
 	"github.com/Yamashou/gqlgenc/client"
+	"github.com/Yamashou/gqlgenc/graphqljson"
+	"github.com/gofrs/uuid/v5"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 
-	"github.com/Yamashou/gqlgenc/graphqljson"
-	"github.com/gofrs/uuid"
 	"github.com/stashapp/stash/pkg/logger"
 	"github.com/stashapp/stash/pkg/match"
 	"github.com/stashapp/stash/pkg/models"

pkg/sqlite/regex.go

@@ -3,7 +3,7 @@ package sqlite
 import (
 	"regexp"
 
-	lru "github.com/hashicorp/golang-lru"
+	lru "github.com/hashicorp/golang-lru/v2"
 )
 
 // size of the regex LRU cache in elements.
@@ -14,19 +14,17 @@ import (
 // again.
 const regexCacheSize = 10
 
-var regexCache *lru.Cache
+var regexCache *lru.Cache[string, *regexp.Regexp]
 
 func init() {
-	regexCache, _ = lru.New(regexCacheSize)
+	regexCache, _ = lru.New[string, *regexp.Regexp](regexCacheSize)
 }
 
 // regexFn is registered as an SQLite function as "regexp"
 // It uses an LRU cache to cache recent regex patterns to reduce CPU load over
 // identical patterns.
 func regexFn(re, s string) (bool, error) {
-	entry, ok := regexCache.Get(re)
-	var compiled *regexp.Regexp
-
+	compiled, ok := regexCache.Get(re)
 	if !ok {
 		var err error
 		compiled, err = regexp.Compile(re)
@@ -34,8 +32,6 @@ func regexFn(re, s string) (bool, error) {
 			return false, err
 		}
 		regexCache.Add(re, compiled)
-	} else {
-		compiled = entry.(*regexp.Regexp)
 	}
 
 	return compiled.MatchString(s), nil

scripts/test_db_generator/makeTestDB.go

@@ -15,6 +15,8 @@ import (
 	"strconv"
 	"time"
 
+	"gopkg.in/yaml.v2"
+
 	"github.com/stashapp/stash/pkg/file"
 	"github.com/stashapp/stash/pkg/fsutil"
 	"github.com/stashapp/stash/pkg/hash/md5"
@@ -22,7 +24,6 @@ import (
 	"github.com/stashapp/stash/pkg/sliceutil/intslice"
 	"github.com/stashapp/stash/pkg/sqlite"
 	"github.com/stashapp/stash/pkg/txn"
-	"gopkg.in/yaml.v2"
 )
 
 const batchSize = 50000