Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade go-getter dependency in cosmovisor and x/upgrade #20525

Closed
julienrbrt opened this issue Jun 3, 2024 · 0 comments · Fixed by #20573
Closed

Upgrade go-getter dependency in cosmovisor and x/upgrade #20525

julienrbrt opened this issue Jun 3, 2024 · 0 comments · Fixed by #20573
Assignees
@julienrbrt
Labels
C:Cosmovisor Issues and PR related to Cosmovisor dependencies Pull requests that update a dependency file

Comments

@julienrbrt
Copy link
Member

Cosmovisor v1.5.0 currently uses x/upgrade v0.0.0-20230614103911-b3da8bb4e801
We need to bump go-getter in x/upgrade of release/v0.50.x and make cosmovisor use that version.

This is because the current go-getter version cosmovisor (up to 1.5.0) is lower than 1.7.4, which is vulnerable to this: GHSA-q64h-39hv-4cf7.

Making it vulnerable to malicious upgrade proposals with git urls (which would hardly pass, and ever get executed, but we should still fix it).

ref: #20067
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@julienrbrt julienrbrt

Labels
C:Cosmovisor Issues and PR related to Cosmovisor dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

build(deps): Bump cosmossdk.io/x/upgrade from 0.1.2 to 0.1.3 in /tools/cosmovisor cosmos/cosmos-sdk
1 participant
@julienrbrt