
fix(deps): Update module golang.org/x/net to v0.33.0 #228

Open · wants to merge 1 commit into master

Conversation

@coded9 commented Dec 19, 2024

Fix for CVE-2024-45338

@ahmetb (Collaborator) commented Dec 19, 2024

Can we not do these? It's extremely annoying to keep getting these PRs and none of them has actually ever been an applicable attack vector for this software.

@coded9 (Author) commented Dec 19, 2024

Yeah, I completely agree. But, most companies have strict compliance requirements on allowing any library with critical/high vulnerabilities.

@ahmetb (Collaborator) commented Dec 19, 2024

It's unclear to me why dependabot isn't sending this PR if it's a high impact vulnerability. :-/

@coded9 (Author) commented Dec 20, 2024

I think it could be due to weekly schedule configured here

@stefanb (Contributor) commented Dec 20, 2024

I have noticed that @dependabot had problems with this update in other repositories, because when I triggered it manually:

[screenshot]

...it failed:

[screenshot]

In the logs:

updater | 2024/12/20 10:28:59 INFO <job_936012345> Latest version is 0.33.0
updater | 2024/12/20 10:28:59 INFO <job_936012345> Requirements to unlock update_not_possible
updater | 2024/12/20 10:28:59 INFO <job_936012345> Requirements update strategy 
updater | 2024/12/20 10:28:59 INFO <job_936012345> The latest possible version of golang.org/x/net that can be installed is 0.23.0
updater | 2024/12/20 10:28:59 INFO <job_936012345> The earliest fixed version is .

It looks like an issue with either @dependabot or the vulnerability data.

@ahmetb (Collaborator) commented Dec 20, 2024

This fix ideally should be done at https://github.com/grpc/grpc-go/blob/master/go.mod.

Some offline probe that runs in a container is far less risky than the actual grpc server in terms of these vulnerabilities.

@coded9 (Author) commented Dec 24, 2024

@ahmetb Do we want to wait until that gets addressed in grpc-go?

@stefanb (Contributor) commented Dec 24, 2024

It is being done upstream in a rather large PR (because it is a monorepo):

Doing the small bump locally here may be quicker.
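The thread above is about a one-line go.mod bump, and the dependabot log shows why a human may need to check the pin by hand. As an added example that is not part of this PR or of the project, the POSIX shell below reads a go.mod and reports whether golang.org/x/net is pinned at or above v0.33.0, the version this PR moves to. The go.mod contents are constructed for the example, and the function names (`dep_version`, `version_ge`, `xnet_status`) are chosen here, not taken from any tool.

```shell
#!/bin/sh
# Added example (not from the PR or the project): check whether a go.mod
# pins golang.org/x/net at or above the version this PR bumps to.

FIXED_VERSION="v0.33.0"   # target version from the PR title

# Print the pinned version of module $2 found in go.mod $1.
# Handles both "require mod vX.Y.Z" and the "require ( ... )" block form.
# Prints nothing when the module is not required.
dep_version() {
    awk -v mod="$2" '
        $1 == "require" && $2 == mod { print $3; exit }   # single-line require
        $1 == mod                     { print $2; exit }   # line inside require ( ... )
    ' "$1"
}

# Return 0 when semver $1 >= $2, 1 otherwise. Pre-release and pseudo-version
# suffixes (e.g. v0.0.0-20240101...) are dropped before comparing, so a
# pseudo-version compares as its numeric prefix, which errs on the side of
# reporting "vulnerable". Pure awk, so it does not depend on sort -V.
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Print "fixed", "vulnerable" or "absent" for the go.mod at $1.
xnet_status() {
    v=$(dep_version "$1" golang.org/x/net)
    if [ -z "$v" ]; then
        echo absent
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample go.mod files: the state before and after the bump.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/before.go.mod" <<'EOF'
module example.com/probe

go 1.22

require (
	golang.org/x/net v0.23.0
	google.golang.org/grpc v1.64.0
)
EOF

cat > "$tmp/after.go.mod" <<'EOF'
module example.com/probe

go 1.22

require (
	golang.org/x/net v0.33.0
	google.golang.org/grpc v1.64.0
)
EOF

cat > "$tmp/none.go.mod" <<'EOF'
module example.com/tool

go 1.22

require google.golang.org/grpc v1.64.0
EOF

echo "before: $(xnet_status "$tmp/before.go.mod")"
echo "after:  $(xnet_status "$tmp/after.go.mod")"
echo "none:   $(xnet_status "$tmp/none.go.mod")"
```

To apply the bump itself, `go get golang.org/x/net@v0.33.0 && go mod tidy` rewrites go.mod and go.sum; `govulncheck ./...` (golang.org/x/vuln) then reports only vulnerable functions that are actually reachable from the module's code, which is the reachability question raised in the thread, whereas the check above answers only whether the pinned version is at or above the target.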
