Prepare for v0.19.0 release #247
Looks like we need to bump go-jose, otherwise we won't get past the security scanner for the release.
```
make dev && scan binary bin/vault-plugin-auth-kubernetes
CGO_ENABLED=0 go build -o bin/vault-plugin-auth-kubernetes cmd/vault-plugin-auth-kubernetes/main.go
go: downloading k8s.io/api v0.29.3
Scanned file:{path:"bin/vault-plugin-auth-kubernetes"} in 4.7s - found 1 result(s)
» Go Modules Scanner
⚠︎ found OSV reported vulnerability GO-2024-2631 in github.com/go-jose/go-jose/v4@v4.0.1
bin/vault-plugin-auth-kubernetes
```
Co-authored-by: Milena Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
go-jose v4.0.2 seems to still upset the scanner, although https://pkg.go.dev/vuln/GO-2024-2631 seems to think it was resolved. @fairclothjm says go-jose is releasing another patch update next week, so maybe things will be better then?
It looks like v2.6.3 of go-jose avoids the need to try to update to v3 or v4, although it does require a rename of the import from
LGTM!
This is the Release/changelog PR for vault-plugin-auth-kubernetes.
Of note here are updates to go-jose 2.6.0 to 2.6.3 (a direct dependency), and go-jose 4.0.1 to 4.0.3 (an indirect dependency) to resolve GO-2024-2631.
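
One way to confirm which go-jose versions actually ended up in the built binary, as an added example that is not part of this PR or the project's code. It parses the module list printed by `go version -m`; the sample lines, the placeholder v2 module path, the function names, and the use of this PR's target versions (2.6.3 and 4.0.3) as minimums are assumptions of the example.

```shell
#!/bin/sh
# Floor per go-jose major line: the versions this PR moves to (assumed minimums).
min_for_major() {
  case "$1" in
    2) echo 2.6.3 ;;
    4) echo 4.0.3 ;;
    *) echo "" ;;
  esac
}

# version_lt A B: succeeds when X.Y.Z version A is strictly lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Reads `go version -m <binary>` output on stdin and reports every embedded
# go-jose module below its floor. Returns 1 if anything is reported.
check_go_jose() {
  rc=0
  while read -r kind path version _rest; do
    [ "$kind" = "dep" ] || continue
    case "$path" in *go-jose*) ;; *) continue ;; esac
    v=${version#v}; v=${v%%[-+]*}        # drop "v", pre-release and +incompatible
    min=$(min_for_major "${v%%.*}")
    if [ -z "$min" ]; then
      echo "UNKNOWN $path $version (no floor defined)"; rc=1
    elif version_lt "$v" "$min"; then
      echo "OUTDATED $path $version (want >= v$min)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample of `go version -m` output (hashes and v2 path are placeholders).
sample_output() {
  printf 'bin/vault-plugin-auth-kubernetes: go1.22.1\n'
  printf '\tdep\texample.invalid/go-jose.v2\tv2.6.3\th1:PLACEHOLDER=\n'
  printf '\tdep\tgithub.com/go-jose/go-jose/v4\tv4.0.1\th1:PLACEHOLDER=\n'
  printf '\tdep\tk8s.io/api\tv0.29.3\th1:PLACEHOLDER=\n'
}

sample_output | check_go_jose || true
```

Against a real build, pipe the tool's output in directly: `go version -m bin/vault-plugin-auth-kubernetes | check_go_jose`.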