Update go modules to address dependency CVE #172

Merged (1 commit), Oct 20, 2023

Conversation

fheinecke
Contributor

The new Orca tool is reporting a 7.5 CVE in the Golang yaml dependency. Most of the dependencies are a little out of date so I've gone ahead and bumped them all.

We don't have any tests for the bot, but it still compiles ¯\_(ツ)_/¯

@fheinecke fheinecke requested review from a team October 20, 2023 22:02
@jentfoo
Contributor

jentfoo commented Oct 20, 2023

We should add this project to the Dependabot config as well: https://github.com/gravitational/shared-workflows/blob/main/.github/dependabot.yml

@reedloden reedloden merged commit 7ee898d into main Oct 20, 2023
7 checks passed
@reedloden
Contributor

> We should add this project to the Dependabot config as well: https://github.com/gravitational/shared-workflows/blob/main/.github/dependabot.yml

That's for automated version updates, no? I thought security updates were separate.

@jentfoo
Contributor

jentfoo commented Oct 20, 2023

@reedloden Sorta. If you have no Dependabot configuration at all, you get CVE-only updates. But I believe once you create a Dependabot configuration, it will only scan projects which are defined in that config. If we still only want CVE updates, we need to set the open-pull-requests-limit to 0.
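As an added illustration of the option discussed above (this is not the shared-workflows repository's own dependabot.yml), a configuration with one Go module entry that receives regular version-update PRs and a second entry that uses `open-pull-requests-limit: 0` so it gets security-update PRs only; the directory paths are placeholders:

```yaml
# Added example, not the project's actual configuration.
version: 2
updates:
  # Version updates: Dependabot opens PRs for any outdated dependency in
  # this module (default open-pull-requests-limit is 5), plus security updates.
  - package-ecosystem: "gomod"
    directory: "/"             # placeholder: go.mod at the repository root
    schedule:
      interval: "weekly"

  # Security-only entry: open-pull-requests-limit: 0 disables version-update
  # PRs for this module, while Dependabot security updates (CVE-driven PRs)
  # are still opened for it.
  - package-ecosystem: "gomod"
    directory: "/bot"          # placeholder: the bot's module directory
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```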

jentfoo added a commit that referenced this pull request Oct 20, 2023
I believe this is why the flagged updates in PR #172 were missed.
jentfoo added a commit that referenced this pull request Oct 23, 2023
I believe this is why the flagged updates in PR #172 were missed.
3 participants