Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(release-0.14): Update go.mod dependencies [SECURITY] #322

Merged

Conversation

sergenyalcin
Copy link
Collaborator

Description of your changes

This PR updates go.mod dependencies to fix the following:

Name Change Type Vulnerability Severity
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 -> v1.6.0 go-module GHSA-m5vv-6r4h-3vj9 Medium
golang.org/x/crypto v0.21.0 -> v0.31.0 go-module GHSA-v778-237x-gjrc High
github.com/golang-jwt/jwt/v4 v4.5.0 -> v4.5.1 go-module GHSA-29wx-vh33-7x7r Low
stdlib go1.22.1 -> go1.22.7 go-module CVE-2024-34158 High
stdlib go1.22.1 -> go1.22.7 go-module CVE-2024-34156 High
stdlib go1.22.1 -> go1.22.7 go-module CVE-2024-34155 Medium

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

Signed-off-by: Sergen Yalçın <yalcinsergen97@gmail.com>
Copy link
Collaborator

@turkenf turkenf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @sergenyalcin, LGTM.

@sergenyalcin sergenyalcin merged commit e2fc985 into crossplane-contrib:release-0.14 Dec 18, 2024
7 checks passed
@sergenyalcin sergenyalcin deleted the fix-cve-0.14 branch December 20, 2024 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants