Contributor

@kysucix kysucix commented Mar 26, 2025

What this PR does / why we need it:
Upgrade go crypto module to fix CVE-2025-22869

@Wwwsylvia
Member

@kysucix Thanks for the PR. Could you follow the instruction to fix the DCO?

codecov bot commented Mar 26, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.56%. Comparing base (eccaaa9) to head (a4081cb).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1671   +/-   ##
=======================================
  Coverage   84.56%   84.56%           
=======================================
  Files         126      126           
  Lines        5682     5682           
=======================================
  Hits         4805     4805           
  Misses        623      623           
  Partials      254      254           

kysucix added 2 commits March 26, 2025 14:56
Signed-off-by: Silvano Galliani <sigallia@microsoft.com>
Signed-off-by: Silvano Galliani <sigallia@microsoft.com>
@kysucix kysucix force-pushed the user/kysucix/upgrade-crypto branch from a7b3236 to 5d9765a Compare March 26, 2025 13:57
Signed-off-by: Silvano Galliani <sigallia@microsoft.com>
@kysucix
Contributor Author

kysucix commented Mar 26, 2025

> @kysucix Thanks for the PR. Could you follow the instruction to fix the DCO?

I followed the instruction and fixed the PR.

@TerryHowe
Member

I guess no assessment on this CVE yet, so no dependabot?

@Wwwsylvia
Member

> I guess no assessment on this CVE yet, so no dependabot?

Maybe because this is an indirect dependency? I can see versions prior to v0.35.0 are associated with some vulnerabilities.

Member

@Wwwsylvia Wwwsylvia left a comment

LGTM

@Wwwsylvia Wwwsylvia changed the title Upgrade go crypto module to fix CVE-2025-22869 build(deps): upgrade go crypto module to v0.36.0 Mar 27, 2025
@Wwwsylvia Wwwsylvia merged commit 26551f7 into oras-project:main Mar 27, 2025
8 checks passed
3 participants