Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dep: update go-autorest (and indirect dependency on vulnerable jwt-go) (#5660) #5661

Merged
merged 1 commit into from
Jun 9, 2024
Merged

dep: update go-autorest (and indirect dependency on vulnerable jwt-go) (#5660) #5661

merged 1 commit into from
Jun 9, 2024

Conversation

ti-chi-bot
Copy link
Member

This is an automated cherry-pick of #5660

What problem does this PR solve?

Update Azure/go-autorest to v0.5.13 from v0.5.2.

This in turn solves the use of the archived 'dgrijalva/jwt-go' in favour of 'golang-jwt/jwt' which resolves some vulnerabilities.

What is changed and how does it work?

Change in upstream code dependency to latest, resolving CVE in dgrijalva/jwt-go (archived) in favour of golang-jwt/jwt

Code changes

  • Has Go code change
  • Has CI related scripts change

Tests

  • Unit test
  • E2E test
  • Manual test
  • No code

Side effects

  • Breaking backward compatibility
  • Other side effects:

Related changes

  • Need to cherry-pick to the release branch
  • Need to update the documentation

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.

NONE

@donbowman @ti-chi-bot
dep: update go-autorest (and indirect dependency on vulnerable jwt-go)
bf8e25a 
Update Azure/go-autorest to v0.5.13 from v0.5.2. This in turn
solves the use of the archived 'dgrijalva/jwt-go' in
favour of 'golang-jwt/jwt' which resolves some vulnerabilities.
@ti-chi-bot ti-chi-bot mentioned this pull request Jun 9, 2024
Merged
10 tasks
@ti-chi-bot ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Jun 9, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign z2665 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@csuzhangxc csuzhangxc merged commit 27d419c into pingcap:release-1.6 Jun 9, 2024
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@csuzhangxc csuzhangxc

Labels
contribution first-time-contributor size/M type/cherry-pick-for-release-1.6
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ti-chi-bot @csuzhangxc @donbowman