John Eikenberry

Results 302 comments of John Eikenberry

Yeah. That was issue #310... the reason I released 0.13.1. :)

Sorry for the red herring and back to the original issue @dizeee... Re-reading your original post I've got 2 questions. 1. Is K8s required to reproduce this? 2. Could you...

This CVE does not impact consul-template and will be handled with normal dependency updates.

My guess is dependabot doesn't bump indirect dependencies until the direct dependency bumps it. To put it another way, the dependency that depends on x/text hasn't bumped its version yet.

Could be that Dependabot also analyzes the code paths and found that consul-template doesn't use the features covered by the CVE (which it doesn't). If you check with the [govulncheck](https://go.dev/blog/vuln)...

I can take care of it for the next release. Not worth it in the meantime as that CVE doesn't impact consul-template.

> Not worth it in the meantime [..]

I mean it's not worth cutting a release for it.

New security scanner can't get past this either so I went ahead and forced the update. It will make it in the next release.

Refactored to have initial client_set vault token and the tokens fetched by VaultAgentTokenQuery to share the same SetToken code to check for the wrap_ttl json as well as the standard...