
Security dependency bumps for v2.4.3 (go-jose/v4, otel/sdk). Closes #4974, #4976 (#4995)

Merged: kaidaguerre merged 1 commit into v2.4.x from release-prep-security-bumps on May 19, 2026
Conversation

@kaidaguerre
Contributor

Summary

Security-driven dependency bumps for the v2.4.3 release line, plus the v2.4.3 CHANGELOG entry.

Applied (verified present in the module graph via go mod why):

| Package | From | To | CVE(s) |
|---|---|---|---|
| github.com/go-jose/go-jose/v4 | v4.1.3 | v4.1.4 | CVE-2026-34986 |
| go.opentelemetry.io/otel/sdk (+ otel, metric, sdk/metric, trace) | v1.40.0 | v1.43.0 | CVE-2026-24051, CVE-2026-39883 |

golang.org/x/sys moved v0.40.0 -> v0.42.0 as a transitive consequence of the otel v1.43.0 bump (pulled in by go mod tidy).

The CHANGELOG v2.4.3 entry also records the already-merged jackc/pgx/v5 v5.7.6 -> v5.9.2 bump (CVE-2026-41889, #4990) since it landed on this release line without its own CHANGELOG entry.

go mod why triage evidence

github.com/go-jose/go-jose/v4 — present (SPIFFE chain):

github.com/turbot/steampipe/v2/cmd
github.com/turbot/steampipe-plugin-sdk/v5/plugin
github.com/turbot/steampipe-plugin-sdk/v5/getter
github.com/hashicorp/go-getter
cloud.google.com/go/storage
google.golang.org/grpc/xds/googledirectpath
google.golang.org/grpc/internal/xds/bootstrap
google.golang.org/grpc/credentials/tls/certprovider
github.com/spiffe/go-spiffe/v2/bundle/spiffebundle
github.com/go-jose/go-jose/v4

go.opentelemetry.io/otel/sdk — present (telemetry chain):

github.com/turbot/steampipe/v2/pkg/initialisation
github.com/turbot/steampipe-plugin-sdk/v5/telemetry
go.opentelemetry.io/otel/sdk/resource
go.opentelemetry.io/otel/sdk

Nothing skipped — both target packages are in the graph.

Verification

  • GOTOOLCHAIN=auto go build ./... — clean (exit 0)
  • GOTOOLCHAIN=auto go test ./... — 21 packages pass (ok), 0 fail, 21 with no test files

Notes

- go-jose/go-jose/v4 v4.1.3 -> v4.1.4 (CVE-2026-34986)
- go.opentelemetry.io/otel/sdk v1.40.0 -> v1.43.0 (CVE-2026-24051, CVE-2026-39883)
- Add v2.4.3 CHANGELOG entry covering these plus the already-merged
  pgx/v5 v5.9.2 bump (CVE-2026-41889, #4990) on the v2.4.x line
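As an added illustration, not code from this PR or from the steampipe project: a small Go program that automates the two checks the description performs by hand. It compares the versions selected by `go list -m all` against the minimum fixed versions listed in the PR (go-jose v4.1.4, otel/sdk v1.43.0, pgx v5.9.2) and extracts the import chain from `go mod why -m` output, treating Go's "(main module does not need module …)" line as the "skipped" case. The `go list -m all` text embedded below is constructed for the demo (otel/sdk is deliberately left at v1.40.0) and is not the real steampipe module graph; the program also goes slightly beyond the PR by honouring `=>` replace directives, since the replacement version is what actually gets built.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum fixed versions, taken from the bump table and CHANGELOG note in this PR.
var fixedVersions = map[string]string{
	"github.com/go-jose/go-jose/v4": "v4.1.4",  // CVE-2026-34986
	"go.opentelemetry.io/otel/sdk":  "v1.43.0", // CVE-2026-24051, CVE-2026-39883
	"github.com/jackc/pgx/v5":       "v5.9.2",  // CVE-2026-41889
}

// Constructed sample of `go list -m all` output (not the real steampipe graph).
// otel/sdk is intentionally left at the pre-bump version to show a finding.
const sampleModList = `github.com/turbot/steampipe/v2
github.com/go-jose/go-jose/v4 v4.1.4
go.opentelemetry.io/otel/sdk v1.40.0
github.com/jackc/pgx/v5 v5.9.2
golang.org/x/sys v0.42.0
`

// Finding records a module whose selected version is still below the fix.
type Finding struct{ Module, Have, Want string }

// parseSemver turns "v1.43.0" (or "v1.43.0-rc.1") into [1 43 0]; pre-release and
// build suffixes are dropped, so a pseudo-version v0.0.0-<date>-<hash> parses as [0 0 0].
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// OlderThan reports whether version a sorts strictly before version b.
// Unparseable versions compare as "not older" so they surface for manual review.
func OlderThan(a, b string) bool {
	va, errA := parseSemver(a)
	vb, errB := parseSemver(b)
	if errA != nil || errB != nil {
		return false
	}
	for i := 0; i < 3; i++ {
		if va[i] != vb[i] {
			return va[i] < vb[i]
		}
	}
	return false
}

// ParseModList maps module path -> selected version from `go list -m all` output.
// The main module line (no version) is skipped; for "path v1 => other v2" the
// replacement version is what the build uses, so it wins.
func ParseModList(out string) map[string]string {
	selected := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		version := f[1]
		if last := f[len(f)-1]; strings.Contains(line, "=>") && strings.HasPrefix(last, "v") {
			version = last
		}
		selected[f[0]] = version
	}
	return selected
}

// CheckBumps returns modules still below their fixed version, plus modules that are
// absent from the graph entirely (those need a `go mod why -m` look, not a bump).
func CheckBumps(modList string, fixed map[string]string) (findings []Finding, missing []string) {
	selected := ParseModList(modList)
	paths := make([]string, 0, len(fixed))
	for p := range fixed {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic report order
	for _, p := range paths {
		have, ok := selected[p]
		if !ok {
			missing = append(missing, p)
		} else if OlderThan(have, fixed[p]) {
			findings = append(findings, Finding{Module: p, Have: have, Want: fixed[p]})
		}
	}
	return findings, missing
}

// ChainFromWhy extracts the import chain from `go mod why -m <module>` output and
// returns nil when Go reports "(main module does not need module ...)".
func ChainFromWhy(out string) []string {
	var chain []string
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "("):
			return nil
		}
		chain = append(chain, line)
	}
	return chain
}

func main() {
	findings, missing := CheckBumps(sampleModList, fixedVersions)
	for _, f := range findings {
		fmt.Printf("STILL BELOW FIX: %s selected %s, need >= %s\n", f.Module, f.Have, f.Want)
	}
	for _, m := range missing {
		fmt.Printf("NOT IN GRAPH: %s (confirm with go mod why -m)\n", m)
	}
}
```

In a real release-prep check you would feed `CheckBumps` the actual `go list -m all` output and `ChainFromWhy` the actual `go mod why -m` output for each module in the table; a module that is missing from the list is not a false alarm until `go mod why` confirms the main module does not need it.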
@kaidaguerre kaidaguerre merged commit 7e7ee9b into v2.4.x May 19, 2026
29 checks passed
@kaidaguerre kaidaguerre deleted the release-prep-security-bumps branch May 19, 2026 11:24