Security vulnerabilities on golang.org/x/net #12956

Open
navas-op opened this issue Apr 16, 2024 · 2 comments

Comments

@navas-op

Security vulnerabilities on golang.org/x/net/http2 v0.17.0
Which have been fixed in 0.23.0.

GHSA-4v7x-pqxf-cx7m

golang.org/x/net is being pulled here which includes http2 as well.
golang.org/x/net v0.17.0 // indirect
https://github.com/helm/helm/blob/main/go.mod#L150

Can this package be upgraded?

@gjenkins8
Contributor

Helm doesn't serve (http2 connections). I don't believe it is affected by this CVE. Please work with your vendor (presumably) to reduce false positives.

@navas-op
Author

navas-op commented Apr 18, 2024

Maybe helm is not directly pulling this dependency. But it could be pulled from https://github.com/helm/helm/blob/main/go.mod#L150 indirectly, right?

When I do a `go mod download` on go.mod I can see http2 getting downloaded in `${HOME}/go/pkg/mod/golang.org/x/net@v0.17.0/http2`
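An added example, not code from Helm or from either commenter: a module fetched by `go mod download` is not necessarily linked into a binary, so this Go sketch reads the module list the toolchain embeds in a built binary (`debug/buildinfo`) and reports whether `golang.org/x/net` is present below v0.23.0. The names `sampleDeps`, `older` and `linkedBelow` are hypothetical, the sample list is constructed, and `replace` directives are assumed absent.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// Constructed sample: module list of a hypothetical binary that links x/net v0.17.0.
var sampleDeps = []*debug.Module{
	{Path: "golang.org/x/text", Version: "v0.13.0"},
	{Path: "golang.org/x/net", Version: "v0.17.0"},
}

// older reports whether a sorts before b (vMAJOR.MINOR.PATCH; any suffix is ignored).
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// linkedBelow returns modPath's version in deps ("" = no package from it was built) and whether it is older than fixed.
func linkedBelow(deps []*debug.Module, modPath, fixed string) (string, bool) {
	for _, m := range deps {
		if m.Path == modPath { // assumption: no replace directive (m.Replace is ignored)
			return m.Version, older(m.Version, fixed)
		}
	}
	return "", false
}

func main() {
	deps := sampleDeps
	if len(os.Args) > 1 { // path to a built Go binary to inspect instead of the sample
		info, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		deps = info.Deps
	}
	v, below := linkedBelow(deps, "golang.org/x/net", "v0.23.0")
	fmt.Printf("golang.org/x/net linked=%q below-fix=%v\n", v, below)
}
```

A hit here is still module-level: it shows that some package from `golang.org/x/net` was compiled in, not that the http2 code covered by GHSA-4v7x-pqxf-cx7m is reachable, which is the question `govulncheck` is built to answer.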
