
Dependency Update Policy

Derek Su edited this page Oct 8, 2024 · 14 revisions

Update Dependencies of Feature (Major/Minor) Release

For each feature release, the following dependencies need to be updated:

  • Component container base image (e.g. BCI)
  • Kubernetes minimum supported version
    • This is determined from the upstream Kubernetes supported versions, Longhorn usage metrics, the Kubernetes versions of Rancher-provisioned downstream clusters, and other factors.
  • CSI sidecar versions
  • Go version
  • Kubernetes library versions
  • Major, minor, patch, and digest updates of dependent libraries. Major and minor dependency updates are reviewed individually.

Update Dependencies of Maintenance (Patch) Releases

  1. When updating versions, ensure that the change introduces no breaking changes or incompatibilities.
  2. DISALLOW dependency updates that change the major or minor version, since they can introduce breaking changes.
  3. To resolve vulnerabilities, update dependencies to a newer patch version only, which preserves compatibility.
  4. If a dependency's minor version must be updated for unavoidable reasons, such as fixing a CVE, verify compatibility and run the complete end-to-end test suite.
  • Component container base image
  • Go version
  • Patch and digest updates of dependent libraries
  • Kubernetes libraries
  • CSI sidecar components

    According to the Kubernetes CSI Developer Documentation, a minor version release does not break backwards compatibility. Thus:

    • if a minor version has already fixed the CVE issues, update to that minor version
    • if upstream has not yet fixed the CVE issues in a minor or patch version, backport the fixes from the major release to our forked repos or fix the issues ourselves, then build the image following Build CSI Sidecar Images
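As an added example (not part of this wiki page or of the Longhorn project's own tooling), the following Go program encodes the maintenance-release rule above as a pre-merge check over a proposed dependency diff: it classifies each version change as patch, minor or major, rejects anything beyond a patch bump unless the dependency is on a CSI sidecar allow-list, and flags allowed minor bumps for the full end-to-end run. The module names, image names and version tags in it are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Change is one proposed dependency bump: a module path or image name plus old/new semver tags.
type Change struct{ Name, Old, New string }

// parseSemver turns "v1.2.3", "v1.2.3-rc1" or "1.2.3+meta" into [major minor patch].
func parseSemver(v string) (out [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 { // drop pre-release / build metadata
		v = v[:i]
	}
	_, err := fmt.Sscanf(v, "%d.%d.%d", &out[0], &out[1], &out[2]) // round-trip below rejects junk/zeros
	return out, err == nil && v == fmt.Sprintf("%d.%d.%d", out[0], out[1], out[2])
}

// Review applies the maintenance-release rule, one finding per change in order: patch-level OK;
// minor bump only for minorAllowed names (CSI sidecars), flagged NEEDS-E2E; major/downgrade/bad tag rejected.
func Review(changes []Change, minorAllowed map[string]bool) []string {
	findings := make([]string, 0, len(changes))
	for _, c := range changes {
		o, okO := parseSemver(c.Old)
		n, okN := parseSemver(c.New)
		delta := c.Name + " " + c.Old + " -> " + c.New
		switch {
		case !okO || !okN:
			findings = append(findings, "REJECT unparseable version: "+delta)
		case n[0] != o[0]:
			findings = append(findings, "REJECT major bump: "+delta)
		case n[1] < o[1] || (n[1] == o[1] && n[2] < o[2]):
			findings = append(findings, "REJECT downgrade: "+delta)
		case n[1] != o[1] && !minorAllowed[c.Name]:
			findings = append(findings, "REJECT minor bump: "+delta)
		case n[1] != o[1]:
			findings = append(findings, "NEEDS-E2E minor bump: "+delta)
		default:
			findings = append(findings, "OK patch-level change: "+delta)
		}
	}
	return findings
}

func main() { // constructed sample diff, not real Longhorn data
	changes := []Change{{"k8s.io/client-go", "v0.29.4", "v0.29.6"}, {"csi-provisioner", "v4.0.1", "v4.1.0"}}
	fmt.Println(strings.Join(Review(changes, map[string]bool{"csi-provisioner": true}), "\n"))
}
```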

References
