Update containerd/continuity dependency #330

Conversation

nadinelyab
Contributor

v0.2.2 of containerd/continuity has a dependency that contains a CVE (CVE-2020-26160 on github.com/dgrijalva/jwt-go). This pull request updates the version of containerd/continuity to v0.3.0, which does not contain the vulnerable dependency.

@mfridman
Collaborator

mfridman commented Apr 15, 2022

This indirect dependency was pulled in because of https://github.com/ory/dockertest.

I've submitted a patch upstream ory/dockertest#352 to update https://github.com/containerd/continuity to the latest version.

You should now be able to update the ory/dockertest dependency within goose. Do you want to update this PR?

@nadinelyab force-pushed the nelyabroudi/upgrade-containerd-continuity-dependency branch from bef4b0d to 4dfb286 on April 18, 2022 12:51
@nadinelyab
Contributor Author

Thanks! Updated, let me know if that looks good.

@nadinelyab
Contributor Author

Hi @mfridman
Any update on this?

@mfridman
Collaborator

Sorry, got a bit swamped recently.

@nadinelyab Since upstream hasn't pushed a release yet, can you do:

go get github.com/ory/dockertest/v3@e38b9742dc7ddbc2e7f3079103a194b890d4ab85
go mod tidy
go mod verify

That hash is the current latest commit on the `v3` branch. That should fix it up.

@nadinelyab force-pushed the nelyabroudi/upgrade-containerd-continuity-dependency branch from 4dfb286 to 5ff1045 on April 21, 2022 23:10
@nadinelyab
Contributor Author

Ok, thanks, hopefully this is alright.

@mfridman
Collaborator

mfridman commented Apr 21, 2022

Awesome, thank you for your contribution @nadinelyab.

Sorry for the back and forth, whenever someone submits a change to go.mod I always pull the PR and verify that the standard module commands, such as go mod tidy, produce no changes and that all deps are verified with go mod verify. We should probably add a check for this in CI 🤔

@mfridman mfridman merged commit 6fc031a into pressly:master Apr 21, 2022
@VojtechVitek
Collaborator

👍 Thank you
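One way to build the kind of CI gate mfridman mentions above, as an added example that is not code from the goose project or from this PR: it scans the require blocks of a go.mod (the form go mod tidy writes) for a denied module and for modules below a minimum version, run here against a constructed go.mod resembling the pre-PR state. The policy maps, the sample module path and the simplified version comparison are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy (constructed for this PR): deny jwt-go (CVE-2020-26160), require continuity >= v0.3.0.
var denied = map[string]bool{"github.com/dgrijalva/jwt-go": true}
var minimum = map[string]string{"github.com/containerd/continuity": "v0.3.0"}
// Constructed go.mod like the pre-PR state; Go 1.17+ lists indirect modules too.
const beforeGoMod = `module example.com/app
require (
	github.com/containerd/continuity v0.2.2 // indirect
	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
	github.com/ory/dockertest/v3 v3.8.1
)
`
// olderThan compares vMAJOR.MINOR.PATCH; pre-release/pseudo suffixes are ignored (assumption).
func olderThan(have, want string) bool {
	var h, w [3]int
	fmt.Sscanf(strings.TrimPrefix(have, "v"), "%d.%d.%d", &h[0], &h[1], &h[2])
	fmt.Sscanf(strings.TrimPrefix(want, "v"), "%d.%d.%d", &w[0], &w[1], &w[2])
	for i := range h {
		if h[i] != w[i] {
			return h[i] < w[i]
		}
	}
	return false
}
// violations scans require blocks and returns one entry per breach; CI fails if non-empty.
func violations(gomod string) []string {
	out, inBlock := []string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) > 1 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) > 0 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) > 1 && denied[f[0]]:
			out = append(out, f[0]+" is denied")
		case inBlock && len(f) > 1:
			if floor, ok := minimum[f[0]]; ok && olderThan(f[1], floor) {
				out = append(out, f[0]+" "+f[1]+" is below "+floor)
			}
		}
	}
	return out
}
```

Running violations over the repository's real go.mod after go mod tidy, and failing the job on a non-empty result, gives the automated version of the manual check described in the thread.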
