Skip to content

chore(deps): security update #13381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: release-2.9
Choose a base branch
from
Open

chore(deps): security update #13381

wants to merge 1 commit into from

Conversation

kumahq[bot]
Copy link
Contributor

@kumahq kumahq bot commented Apr 11, 2025
edited
Loading

Scan output:

Before update:

OSV URL CVSS ECOSYSTEM PACKAGE VERSION SOURCE
https://osv.dev/GO-2025-3601 6.5 Go helm.sh/helm/v3 3.16.1 go.mod
https://osv.dev/GHSA-4hfp-h4cw-hj8p
https://osv.dev/GO-2025-3602 6.5 Go helm.sh/helm/v3 3.16.1 go.mod
https://osv.dev/GHSA-5xqw-8hwv-wg92
------------------------------------- ------ ----------- --------------------------- --------- --------
Uncalled vulnerabilities
------------------------------------- ------ ----------- --------------------------- --------- --------
https://osv.dev/GO-2022-0635 Go github.com/aws/aws-sdk-go 1.49.6 go.mod
https://osv.dev/GO-2022-0646 Go github.com/aws/aws-sdk-go 1.49.6 go.mod
https://osv.dev/GO-2025-3595 5.3 Go golang.org/x/net 0.36.0 go.mod
https://osv.dev/GHSA-vvgc-356p-c3xw

After update:

OSV URL CVSS ECOSYSTEM PACKAGE VERSION SOURCE
Uncalled vulnerabilities
------------------------------ ------ ----------- --------------------------- --------- --------
https://osv.dev/GO-2022-0635 Go github.com/aws/aws-sdk-go 1.49.6 go.mod
https://osv.dev/GO-2022-0646 Go github.com/aws/aws-sdk-go 1.49.6 go.mod

If a package is showing up in the scan but the script is not trying to update it then it might be because there is no fixed version yet.

@kumahq kumahq bot requested a review from a team as a code owner April 11, 2025 03:18
@kumahq kumahq bot added dependencies Pull requests that update a dependency file release-2.9 labels Apr 11, 2025
@kumahq kumahq bot requested review from lukidzi and Icarus9913 April 11, 2025 03:18
Icarus9913
Icarus9913 previously approved these changes Apr 11, 2025
View reviewed changes
@Icarus9913 Icarus9913 enabled auto-merge (squash) April 11, 2025 06:30
@Icarus9913
Copy link
Contributor

/format

@kumahq kumahq bot force-pushed the chore/security-updates-release-2.9 branch from 285cd8a to 2c2d4b4 Compare April 12, 2025 03:16
Icarus9913
Icarus9913 requested changes Apr 17, 2025
View reviewed changes
Copy link
Contributor

@Icarus9913 Icarus9913 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This security update aims to upgrade helm.sh/helm/v3 from v3.14.3 to v3.17.3. However, the new minor version helm relies on the higher version k8s libs. We won't update the k8s libs on old branches since we have different support matrix.

@kumahq
chore(deps): security update
8a66f3b 
Signed-off-by: kumahq[bot] <110050114+kumahq[bot]@users.noreply.github.com>
@kumahq kumahq bot force-pushed the chore/security-updates-release-2.9 branch from 2c2d4b4 to 8a66f3b Compare April 17, 2025 03:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Icarus9913 Icarus9913 Icarus9913 requested changes

@lukidzi lukidzi Awaiting requested review from lukidzi lukidzi is a code owner automatically assigned from kumahq/kuma-maintainers

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file release-2.9
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Icarus9913