versions: Bump golang.org/x/oauth2 #11253
Conversation
The linked CVE is for Traefik, we might want to link https://pkg.go.dev/vuln/GO-2025-3488 instead.
Right or/and https://www.cve.org/CVERecord?id=CVE-2025-22868 if we want to advertise a more generic CVE id (might be easier for downstream). Please update both the commit and PR description @stevenhorsman .
Update module to remediate [CVE-2025-22868](https://www.cve.org/CVERecord?id=CVE-2025-22868) Signed-off-by: stevenhorsman <steven@uk.ibm.com>
499fef5 to b382582
That's weird. I just added the CVE number (which is correct). It's github that chooses to render it as a hyperlink that points to the wrong thing (the Traefik record), so I don't think what I did was incorrect?
The linked CVE is for Traefik, we might want to link https://pkg.go.dev/vuln/GO-2025-3488 instead.
That's weird. I just added the CVE number (which is correct). It's github that chooses to render it as a hyperlink that points to the wrong thing (the Traefik record), so I don't think what I did was incorrect?
Yeah you're doing right and GH is definitely doing wrong: they should have a more appropriate link for the CVE record and the UI should be smart enough to not render the text part within an explicit link 😉
Thanks @stevenhorsman !
Thanks @stevenhorsman for tackling this, while I start to wonder if we could reduce the diffs every time vendor of golang changes (perhaps put it into a git submodule 🧐?)
Update module to remediate CVE-2025-22868