You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This dependency has an open vulnerability (GO-2024-2631 AKA CVE-2024-28180), and is no longer needed by the latest vault/api. This is a follow-up to the upgrade of go-jose/v3 in this repository to make all our dependencies consolidate on v3.
Also remove the recently added security scan triage block for GO-2024-2631, which was added due to incorrect reports that go-jose/v3@3.0.3 was impacted; in reality, is was this indirect client dependency (not impacted by CVE) that the scanner was flagging. A bug report has been filed to address the incorrect reporting.
This PR will fail some backports due to go.mod/go.sum conflicts, but opening w/ labels to ensure we don't forget. I'll fix up the backports that fail.
Description
Upgrade vault/api to latest
Remove triage block for go-jose from scanner config
This dependency has an open vulnerability (GO-2024-2631 AKA CVE-2024-28180), and is no longer needed by the latest
vault/api. This is a follow-up to the upgrade ofgo-jose/v3in this repository to make all our dependencies consolidate on v3.Also remove the recently added security scan triage block for GO-2024-2631, which was added due to incorrect reports that
go-jose/v3@3.0.3was impacted; in reality, is was this indirect client dependency (not impacted by CVE) that the scanner was flagging. A bug report has been filed to address the incorrect reporting.This PR will fail some backports due to
go.mod/go.sumconflicts, but opening w/ labels to ensure we don't forget. I'll fix up the backports that fail.Description
vault/apito latesttriageblock forgo-josefrom scanner configTesting & Reproduction steps
CI including Security Scan continue to pass.
Links
Follow-up to hashicorp#20901
PR Checklist
The text was updated successfully, but these errors were encountered: