You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The k8schain package depends on docker-credential-acr-env whose last release was 2 years ago and go module dependencies have not been updated since a year ago.
Some of its imported packages have known vulnerabilities, and even if the package itself does not rely on any vulnerable feature it still triggers some security scanners.
Additional context
Related to: #1042 (implementing it would not solve the fact the ACR cred helper is unmaintained, but it would avoid including it in the dependency tree by default)
The text was updated successfully, but these errors were encountered:
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.
Describe the bug
The
k8schain
package depends on docker-credential-acr-env whose last release was 2 years ago and go module dependencies have not been updated since a year ago.Some of its imported packages have known vulnerabilities, and even if the package itself does not rely on any vulnerable feature it still triggers some security scanners.
Additional context
Related to: #1042 (implementing it would not solve the fact the ACR cred helper is unmaintained, but it would avoid including it in the dependency tree by default)
The text was updated successfully, but these errors were encountered: