vendor: github.com/tonistiigi/[email protected] #5529

Merged
merged 1 commit into from
Nov 19, 2024


austinvazquez
Contributor

@austinvazquez austinvazquez commented Nov 18, 2024

This change vendors dependency updates to silence false positive warnings for CVE-2024-51744.

  • github.com/tonistiigi/[email protected]
    • Drops dependency on github.com/golang-jwt/jwt/v4

@github-actions github-actions bot added the area/dependencies Pull requests that update a dependency file label Nov 18, 2024
@austinvazquez austinvazquez marked this pull request as ready for review November 18, 2024 19:16
@austinvazquez austinvazquez marked this pull request as draft November 18, 2024 19:35
@austinvazquez austinvazquez changed the title vendor: github.com/golang-jwt/jwt/[email protected] [WIP]: vendor: github.com/golang-jwt/jwt/[email protected] Nov 18, 2024
@austinvazquez
Contributor Author

The github.com/golang-jwt/jwt/v4 module is required via the github.com/tonistiigi/go-actions-cache dependency. Considering the alternative of updating the github.com/tonistiigi/go-actions-cache dependency, which no longer requires github.com/golang-jwt/jwt/v4, to resolve the issue. Currently testing in a fork.

@austinvazquez austinvazquez changed the title [WIP]: vendor: github.com/golang-jwt/jwt/[email protected] [WIP]: vendor: golang.org/x/[email protected]; github.com/tonistiigi/[email protected] Nov 18, 2024
@austinvazquez austinvazquez changed the title [WIP]: vendor: golang.org/x/[email protected]; github.com/tonistiigi/[email protected] vendor: golang.org/x/[email protected]; github.com/tonistiigi/[email protected] Nov 18, 2024
@austinvazquez austinvazquez marked this pull request as ready for review November 18, 2024 20:12
@crazy-max
Member

  • golang.org/x/[email protected] (Required for github.com/tonistiigi/go-actions-cache@latest update)

Don't think we need this one: https://github.com/tonistiigi/go-actions-cache/blob/394979b8119e1ceb922c4e2a72c0ccf70ba2bdf7/go.mod#L10

Just an update of the go-actions-cache module should be enough.

…394979b8119e

Signed-off-by: Austin Vazquez <[email protected]>
@austinvazquez austinvazquez changed the title vendor: golang.org/x/[email protected]; github.com/tonistiigi/[email protected] vendor: github.com/tonistiigi/[email protected] Nov 19, 2024
@austinvazquez
Contributor Author

Nice catch @crazy-max, that dependency was updated when I rev'd go-actions-cache but doesn't seem to be required.
