
build(deps): Update goleveldb dependency to use our fork #191

Merged: 5 commits into v0.9.x from alesforz/update-goleveldb-dep, Aug 22, 2024

Conversation

@alesforz (Contributor) commented Aug 22, 2024

Context

In #3754 we are updating dependencies that are vulnerable to CVEs or that import other modules that are vulnerable to CVEs.

goleveldb imports google.golang.org/protobuf at version < v1.33.0 because of its dependency on outdated versions of github.com/onsi/ginkgo and github.com/onsi/gomega.
protobuf < v1.33.0 is affected by CVE-2024-24786. Therefore, we want to update goleveldb's dependencies so that it uses protobuf >= v1.33.0.

Changes

This PR updates goleveldb to use our fork, which bumps the imported protobuf version to v1.34.1, a version that isn't vulnerable to CVE-2024-24786.


PR checklist

- [ ] Tests written/updated
- [ ] Changelog entry added in .changelog (we use unclog to manage our changelog)
- [ ] Updated relevant documentation (docs/ or spec/) and code comments
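As an added check, not part of this PR or of the project's code, the POSIX shell script below scans a `go list -m all` listing for a google.golang.org/protobuf version below v1.33.0, the first release not affected by CVE-2024-24786. The two module listings are constructed sample values: the first mirrors the situation described above (protobuf pulled in through goleveldb's ginkgo/gomega dependencies), the second the graph once a fork requiring protobuf v1.34.1 is in use.

```shell
# Added example, not the PR's or the project's code: flag protobuf < v1.33.0.
# Constructed `go list -m all` listings: the first mirrors the PR's situation
# (goleveldb -> ginkgo/gomega -> old protobuf), the second the graph after
# switching to the fork that requires protobuf v1.34.1.
VULN_MODULES='github.com/syndtr/goleveldb v1.0.0
github.com/onsi/ginkgo v1.16.4
google.golang.org/protobuf v1.28.1'
FIXED_MODULES='github.com/syndtr/goleveldb v1.0.0
github.com/onsi/ginkgo v1.16.5
google.golang.org/protobuf v1.34.1'

# ver_lt A B: status 0 when semver A < B. Pre-release/build suffixes are
# dropped, so v1.33.0-rc1 counts as v1.33.0 (fine for a CVE floor check).
ver_lt() {
  a=${1#v}; a=${a%%-*}; a=${a%%+*}
  b=${2#v}; b=${b%%-*}; b=${b%%+*}
  old_ifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$old_ifs
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# protobuf_version LISTING: print the protobuf version resolved in the listing.
protobuf_version() {
  printf '%s\n' "$1" | awk '$1 == "google.golang.org/protobuf" { print $2 }'
}

# protobuf_vulnerable LISTING: status 0 (plus a message) when protobuf < v1.33.0,
# status 1 when it is fixed or not in the graph at all.
protobuf_vulnerable() {
  ver=$(protobuf_version "$1")
  [ -n "$ver" ] || { echo "protobuf not in module graph" >&2; return 1; }
  if ver_lt "$ver" v1.33.0; then
    echo "google.golang.org/protobuf $ver < v1.33.0: affected by CVE-2024-24786"
    return 0
  fi
  echo "google.golang.org/protobuf $ver: not affected by CVE-2024-24786"
  return 1
}

for listing in "$VULN_MODULES" "$FIXED_MODULES"; do
  protobuf_vulnerable "$listing" || true   # status 1 only means "not affected"
done
```

Against a real module, run `protobuf_vulnerable "$(go list -m all)"` from the module root, and `go mod why -m google.golang.org/protobuf` to see which dependency chain (here goleveldb via ginkgo/gomega) drags the old version in.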

@alesforz self-assigned this Aug 22, 2024
@alesforz added the "dependencies" label (Pull requests that update a dependency file) Aug 22, 2024
@alesforz marked this pull request as ready for review August 22, 2024 14:41
@alesforz requested a review from a team as a code owner August 22, 2024 14:41
@alesforz merged commit 45337a9 into v0.9.x Aug 22, 2024
4 checks passed
@alesforz deleted the alesforz/update-goleveldb-dep branch August 22, 2024 16:17