
Bumping versions

Open rodrigovsilva opened this issue 2 years ago • 0 comments

  • [x] Do only one thing
  • [x] Non breaking API changes
  • [x] Tested

What did this pull request do?

The previous version of golang.org/x/crypto has some important security issues that are already fixed in the latest version.

Vulnerability: GHSA-8c26-wmh5-6g9v
Module: golang.org/x/crypto
Risk: UNKNOWN
Risk Description: Attackers can cause a crash in SSH servers when the server
Previously installed version: v0.0.0-20210921155107-089bfa567519
Fixed version: 0.0.0-20220314234659-1baeb1ce4c0b

Vulnerability: CVE-2022-27191
Module: golang.org/x/crypto
Risk: HIGH
Risk Description: golang: crash in a golang.org/x/crypto/ssh server
Previously installed version: v0.0.0-20210921155107-089bfa567519
Fixed version: 0.0.0-20220314234659-1baeb1ce4c0b

As I'm proposing dependency version updates, I've decided to use golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa instead of 0.0.0-20220314234659-1baeb1ce4c0b because it is more recent.

User Case Description

I'm running Trivy to scan for vulnerabilities and I'm updating versions proactively. Any Trivy vulnerability is a fundamental blocker for our CI/CD process and for keeping code quality.

I hope you consider this update for the next release.

rodrigovsilva, Aug 03 '22 09:08
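Added example, not code from the PR or the project: a small Go check that flags a go.mod pinning golang.org/x/crypto to a pseudo-version older than the fixed revision quoted in the PR text, by comparing the timestamps embedded in Go pseudo-versions. The module path and the sample go.mod fragment are constructed for the example.

```go
package main

import "strings"

// FixedCrypto is the earliest x/crypto pseudo-version the PR text names as fixed (CVE-2022-27191).
const FixedCrypto = "v0.0.0-20220314234659-1baeb1ce4c0b"

// SampleGoMod is a constructed go.mod fragment (not the project's real go.mod)
// that pins the vulnerable revision quoted in the PR text.
const SampleGoMod = `module example.com/app
require (
	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
	gorm.io/gorm v1.23.8
)`

// PseudoTimestamp returns the 14-digit timestamp in a Go pseudo-version such as
// v0.0.0-20210921155107-089bfa567519, or "" for a tagged release or an empty string.
func PseudoTimestamp(v string) string {
	i := strings.LastIndex(v, "-")
	if i < 0 {
		return ""
	}
	ts := v[:i]                            // drop "-<commit hash>"
	ts = ts[strings.LastIndex(ts, "-")+1:] // drop the base version
	ts = ts[strings.LastIndex(ts, ".")+1:] // drop any "pre.0." prefix
	if len(ts) != 14 || strings.Trim(ts, "0123456789") != "" {
		return ""
	}
	return ts
}

// RequiredVersion returns module's version from go.mod text, accepting both the
// one-line "require M v" form and the parenthesised block form; "" if absent.
func RequiredVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// CryptoPredatesFix reports whether go.mod pins golang.org/x/crypto to a pseudo-version
// older than FixedCrypto; tagged releases (v0.1.0 onward) postdate the fix and are not flagged.
func CryptoPredatesFix(gomod string) bool {
	ts := PseudoTimestamp(RequiredVersion(gomod, "golang.org/x/crypto"))
	return ts != "" && ts < PseudoTimestamp(FixedCrypto)
}
```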