Summary
I have gone through the code and noticed that a 'hack' is used to install these products (./hack/tool-versions.sh).
As of right now the current kustomize version is 4.5.2 and helm is at 3.8.1, but the aforementioned file points to kustomize-4.4.1 and helm-3.8.0, which are outdated.
Also, git-lfs is installed with apt-get, and it installs an old version compared to the latest release on https://github.com/git-lfs/git-lfs. The latest version available is 3.1.2, whereas on the ArgoCD image it's 2.13.2. If I understand correctly, the package is no longer updated in the standard apt sources - please check this: https://packagecloud.io/github/git-lfs/install#bash-deb
Motivation
Vulnerability management - the tools used are older versions compared to what we have in the community.
I have scanned images with these tools and it's showing quite a lot of CVEs against those tools.
Proposal
Write an extra set of code to get the latest version of kustomize and helm, or make sure to include the latest version when doing a release.
Maybe a similar hack approach should be used for git-lfs.
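The check the proposal asks for, pinned tool versions compared against the latest upstream releases, can be scripted in the same style as the hack script the issue mentions. The block below is an added example written for this page, not Argo CD's own code and not the contents of ./hack/tool-versions.sh. It assumes a pins file made of `KEY=value` lines such as `helm3_version=3.8.0` (an assumed format), takes the "latest" versions from a constructed inline table instead of querying the GitHub releases API, and relies on GNU `sort -V` for version ordering. It also shows the companion check a release pipeline should do when pulling a binary straight from a GitHub release instead of apt: verifying its sha256 against a pinned digest.

```shell
#!/usr/bin/env sh
# Added example (not Argo CD's own code). Assumes a tool-versions.sh-style
# file of KEY=value lines such as "helm3_version=3.8.0" (assumed format).
set -eu

# Constructed sample of a pinned-versions file (mirrors the versions the
# issue reports, but the key names are an assumption).
SAMPLE_PINS='helm3_version=3.8.0
kustomize4_version=4.4.1
gitlfs_version=2.13.2'

# Constructed "latest release" table, an offline stand-in for the
# GitHub releases API ("tool version" per line).
SAMPLE_LATEST='helm3 3.8.1
kustomize4 4.5.2
gitlfs 3.1.2'

# pinned_version PINS TOOL -> prints the version pinned for TOOL (empty if none)
pinned_version() {
    printf '%s\n' "$1" | sed -n "s/^$2_version=//p"
}

# is_older A B -> exit 0 if version A sorts strictly before version B
is_older() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# outdated_tools PINS LATEST -> prints "tool pinned latest" for each tool
# whose pin is older than the latest release, or "(not pinned)" if missing
outdated_tools() {
    printf '%s\n' "$2" | while read -r tool latest; do
        [ -n "$tool" ] || continue
        pinned=$(pinned_version "$1" "$tool")
        if [ -z "$pinned" ]; then
            echo "$tool (not pinned) $latest"
        elif is_older "$pinned" "$latest"; then
            echo "$tool $pinned $latest"
        fi
    done
}

# sha256_matches FILE EXPECTED -> exit 0 only if FILE hashes to EXPECTED.
# Use this on a downloaded release artifact before installing it, so a
# version bump is always paired with a digest bump.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Stand-alone run: report drift between the sample pins and sample latest.
# In a release pipeline: outdated_tools "$(cat hack/tool-versions.sh)" "$latest"
outdated_tools "$SAMPLE_PINS" "$SAMPLE_LATEST"
```

A non-empty report from `outdated_tools` is what a CI job would fail on; pairing the version pin with `sha256_matches` is what keeps "fetch the latest release" from turning into "run whatever the download server handed us".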