Conversation

@debasishbsws
Member

GHSA-f83f-xpx7-ffpw:

          note: |
            The dependency github.com/sigstore/timestamp-authority cannot be updated from v1.2.9 to v2.0.3 because it is an indirect dependency
            pulled in by github.com/sigstore/cosign/v2, and the current cosign v2.x releases (up to v2.6.1) all depend on timestamp-authority v1.x;
            upgrading to cosign v3 to potentially get timestamp-authority v2 is not feasible as it introduces breaking API changes
            (e.g., sign.SignerFromKeyOpts is undefined), which would require significant refactoring of attestation.go and other signing-related code in vexctl.

GHSA-4qg8-fj49-pxjh:

          note: |
            The dependency github.com/sigstore/fulcio cannot be updated to v1.8.3 because the API has changed and
            cryptoutils.ValidatePubKey is now undefined; resolving this requires upgrading to cosign v3, which is
            not feasible as it introduces breaking API changes (e.g., sign.SignerFromKeyOpts is undefined) that
            would require significant refactoring of attestation.go and other signing-related code in vexctl.

Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
@jamie-albert jamie-albert changed the title Pending upstream fix: for GHSA-4qg8-fj49-pxjh and GHSA-f83f-xpx7-ffpw Pending upstream fix: vexctl: GHSA-4qg8-fj49-pxjh and GHSA-f83f-xpx7-ffpw Dec 15, 2025
@jamie-albert jamie-albert added this pull request to the merge queue Dec 15, 2025
Merged via the queue into wolfi-dev:main with commit 80714ec Dec 15, 2025
4 checks passed