Version bump #90

Merged
merged 1 commit into from
Dec 12, 2024

sudo-bmitch
Owner

Fixes issue

Describe the change

Version bump for golang/x/crypto security vulnerability:

  • actions/setup-go to v5.2.0
  • softprops/action-gh-release to v2.2.0
  • davidanson/markdownlint-cli2 to v0.17.0
  • Masterminds/semver/v3 to v3.3.1
  • regclient/regclient to v0.8.0
  • klauspost/compress to v1.17.11
  • golang.org/x/crypto to v0.31.0
  • golang.org/x/sys to v0.28.0

In addition, this adds a "util-golang-update-direct" Makefile command to update only direct Go dependencies

Resolves false positive on GHSA-v778-237x-gjrc (vulnerable code is never called according to osv-scanner, govulncheck and gosec do not include this in their scan).

How to verify it

Changelog text

  • Feat: Add a "util-golang-update-direct" Makefile command to update only direct Go dependencies
  • Sec: Update golang.org/x/crypto to resolve false positive on GHSA-v778-237x-gjrc.

Please verify and check that the pull request fulfills the following requirements

  • Tests have been added or not applicable
  • Documentation has been added, updated, or not applicable
  • Changes have been rebased to main
  • Multiple commits to the same code have been squashed

- actions/setup-go to v5.2.0
- softprops/action-gh-release to v2.2.0
- davidanson/markdownlint-cli2 to v0.17.0
- Masterminds/semver/v3 to v3.3.1
- regclient/regclient to v0.8.0
- klauspost/compress to v1.17.11
- golang.org/x/crypto to v0.31.0
- golang.org/x/sys to v0.28.0

In addition, this adds a "util-golang-update-direct" Makefile command to update only direct Go dependencies

Resolves false positive on GHSA-v778-237x-gjrc

Signed-off-by: Brandon Mitchell <[email protected]>
@sudo-bmitch sudo-bmitch merged commit c24ebea into main Dec 12, 2024
4 checks passed
@sudo-bmitch sudo-bmitch deleted the pr-update-20241212 branch December 12, 2024 15:02