Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prepare for v0.19.0 release #247

Merged
merged 9 commits into from
May 22, 2024
Merged

Prepare for v0.19.0 release #247

merged 9 commits into from
May 22, 2024

Conversation

kpcraig
Copy link
Contributor

@kpcraig kpcraig commented May 20, 2024
edited
Loading

This is the Release/changelog PR for vault-plugin-auth-kubernetes.

Of note here are updates to go-jose 2.6.0 to 2.6.3 (a direct dependency), and go-jose 4.0.1 to 4.0.3 (an indirect dependency) to resolve GO-2024-2631.

@kpcraig kpcraig requested a review from a team as a code owner May 20, 2024 17:32
fairclothjm
fairclothjm reviewed May 20, 2024
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we need to bump go-jose otherwise we won't get past security scanner for the release

make dev && scan binary bin/vault-plugin-auth-kubernetes
CGO_ENABLED=0 go build -o bin/vault-plugin-auth-kubernetes cmd/vault-plugin-auth-kubernetes/main.go
go: downloading k8s.io/api v0.29.3
Scanned file:{path:"bin/vault-plugin-auth-kubernetes"} in 4.7s - found 1 result(s)
  » Go Modules Scanner
    ⚠︎ found OSV reported vulnerability GO-2024-2631 in github.com/go-jose/go-jose/v4@v4.0.1
        bin/vault-plugin-auth-kubernetes

kpcraig and others added 2 commits May 20, 2024 13:44
@kpcraig @Zlaticanin
Update CHANGELOG.md
66d3975 
Co-authored-by: Milena Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
@kpcraig
bump jose
aea924b
@kpcraig
Copy link
Contributor Author

kpcraig commented May 20, 2024

go-jose v4.0.2 seems to still upset the scanner, although https://pkg.go.dev/vuln/GO-2024-2631 seems to think it was resolved.

@fairclothjm says go-jose is releasing another patch update next week, so maybe things will be better then?

@kpcraig
Copy link
Contributor Author

kpcraig commented May 21, 2024

It looks like v2.6.3 of go-jose avoids the need to try to update to v3 or v4, although it does require a rename of the import from gopkg.in/square/go-jose to github.com/go-jose/go-jose (gopkg.in/go-jose/go-jose is also valid, but if we do move to v4, this is more future-proof)

@benashz benashz self-requested a review May 22, 2024 13:54
benashz
benashz approved these changes May 22, 2024
View reviewed changes
Copy link
Contributor

@benashz benashz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@kpcraig kpcraig merged commit e4b399e into main May 22, 2024
9 checks passed
@kpcraig kpcraig deleted the release/v0.19.0 branch May 22, 2024 21:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm left review comments

@Zlaticanin Zlaticanin Zlaticanin left review comments

@benashz benashz benashz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@kpcraig @fairclothjm @benashz @Zlaticanin