Update vulnerable dependency #1269

Describe the bug

ossf/scorecard depends on this project. We have a high vulnerability that was reported by dependabot for https://deps.dev/advisory/GHSA/GHSA-mvff-h3cj-wj9c. After doing some research we realized we don't directly consume that version of the package github.com/containerd/containerd 1.5.8 and it is being used by go-containerregistry (ossf/scorecard#1537). We would like to know when this package would be upgraded to avoid this CVE.

Comments

This and more is included in #1260. In the meantime, the vulnerability does not affect any user of ggcr, and can safely be dismissed.

Is there a write-up somewhere as to why this isn't an issue for Also is there an ETA on merging the above-mentioned PR and a release? Appreciate the quick turn-around. Thanks

The linked CVE relates to running containers, which this library never does, and does not let users do. It includes containerd as a transitive dependency because it depends on docker code, to allow loading images into the daemon storage. No ETA on merging that PR, but I'll ping some folks.

👍

Thanks, I tried to update the ggcr.
ran into this.

This is a known issue with how go handles module moves. I get around it by changing Edit: google/gnostic#262 is the bug I usually refer to.

I tried with go 1.16 and didn't help either.

Alrighty, I'll give this a try later today

Thanks!
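The situation in this issue, a module flagged by a scanner that the project never requires directly, is the kind of thing worth checking before dismissing or chasing an advisory. The script below is an added example, not code from this issue or from go-containerregistry: it walks constructed `go mod graph` output and reports whether github.com/containerd/containerd@v1.5.8 is a direct requirement or, as here, only reachable through go-containerregistry. The main module path `example.com/scorecard` and every version other than containerd's are placeholders.

```python
"""Added example (not from the issue or go-containerregistry): trace how a
flagged module is pulled into a Go build by walking `go mod graph` output."""
from collections import defaultdict

# Constructed stand-in for `go mod graph` output: one "parent child" edge per
# line, main module first and without a version. Module versions other than
# containerd's v1.5.8 (the one the advisory names) are placeholders.
SAMPLE_GRAPH = """\
example.com/scorecard github.com/google/go-containerregistry@v0.0.0-placeholder
example.com/scorecard github.com/spf13/cobra@v0.0.0-placeholder
github.com/google/go-containerregistry@v0.0.0-placeholder github.com/docker/docker@v0.0.0-placeholder
github.com/google/go-containerregistry@v0.0.0-placeholder github.com/containerd/containerd@v1.5.8
github.com/docker/docker@v0.0.0-placeholder github.com/containerd/containerd@v1.5.8
github.com/spf13/cobra@v0.0.0-placeholder github.com/spf13/pflag@v0.0.0-placeholder
"""

def parse_graph(text):
    """Map each module@version to the list of modules it requires."""
    edges = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            parent, child = line.split()
            edges[parent].append(child)
    return edges

def module_name(node):
    """Strip the @version suffix; the main module has none."""
    return node.split("@", 1)[0]

def direct_dependency(edges, root, target):
    """True only if the main module itself requires `target`."""
    return any(module_name(c) == target for c in edges[root])

def dependency_paths(edges, root, target, version=None):
    """Every requirement chain root -> ... -> target (at `version` if given).
    `seen` stops cycles, which a module graph may legitimately contain."""
    found = []
    def walk(node, path, seen):
        if module_name(node) == target and version in (None, node.split("@", 1)[-1]):
            found.append(path)
            return
        for child in edges[node]:
            if child not in seen:
                walk(child, path + [child], seen | {child})
    walk(root, [root], {root})
    return found
```

`go mod graph` lists modules that may never contribute a package to the build, so treat the chains it yields as a lead, and confirm actual reachability with `go mod why -m <module>` or govulncheck before deciding the advisory applies.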