
Conversation

@nadinelyab
Contributor

v0.2.2 of containerd/continuity has a dependency that contains a CVE (CVE-2020-26160 on github.com/dgrijalva/jwt-go). This pull request updates the version of containerd/continuity to v0.3.0, which does not contain the vulnerable dependency.

@mfridman
Collaborator

mfridman commented Apr 15, 2022

This indirect dependency was pulled in because of https://github.com/ory/dockertest.

I've submitted a patch upstream ory/dockertest#352 to update https://github.com/containerd/continuity to the latest version.

You should now be able to update the ory/dockertest dependency within goose. Do you want to update this PR?

@nadinelyab nadinelyab force-pushed the nelyabroudi/upgrade-containerd-continuity-dependency branch from bef4b0d to 4dfb286 Compare April 18, 2022 12:51
@nadinelyab
Contributor Author

Thanks! Updated, let me know if that looks good.

@nadinelyab
Contributor Author

Hi @mfridman
Any update on this?

@mfridman
Collaborator

Sorry, got a bit swamped recently.

@nadinelyab Since upstream hasn't pushed a release yet, can you do:

go get github.com/ory/dockertest/v3@e38b9742dc7ddbc2e7f3079103a194b890d4ab85
go mod tidy
go mod verify

That hash is the current latest commit on the `v3` branch. That should fix it up.

@nadinelyab nadinelyab force-pushed the nelyabroudi/upgrade-containerd-continuity-dependency branch from 4dfb286 to 5ff1045 Compare April 21, 2022 23:10
@nadinelyab
Contributor Author

Ok thanks, hopefully this is alright.

@mfridman
Collaborator

mfridman commented Apr 21, 2022

Awesome, thank you for your contribution @nadinelyab.

Sorry for the back and forth, whenever someone submits a change to go.mod I always pull the PR and verify that the standard module commands produce no changes, such as go mod tidy, and that all deps are verified with go mod verify. We should probably add a check for this in CI 🤔
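The CI check proposed in the comment above, written out as an added example (this is not goose's own CI configuration): it snapshots go.mod and go.sum, runs `go mod tidy`, fails if either file changed, and then runs `go mod verify`. The function names and the use of POSIX `cksum` rather than `git diff` for the before/after comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example of a CI guard for go.mod changes (not goose's actual CI).
set -eu

# Checksum go.mod and go.sum inside DIR. cksum is POSIX, so this works
# without git; a missing go.sum is tolerated (it simply does not appear).
mod_snapshot() {
  ms_dir=$1
  (cd "$ms_dir" && cksum go.mod go.sum 2>/dev/null) || true
}

# Run CMD... inside DIR and check that go.mod/go.sum are byte-identical
# before and after. Returns 0 when nothing changed, 1 when CMD rewrote
# them (the contributor must run the command locally and commit).
check_unchanged() {
  cu_dir=$1; shift
  before=$(mod_snapshot "$cu_dir")
  (cd "$cu_dir" && "$@")
  after=$(mod_snapshot "$cu_dir")
  if [ "$before" != "$after" ]; then
    echo "error: '$*' modified go.mod/go.sum; run it locally and commit the result" >&2
    return 1
  fi
  return 0
}

# The full check a CI job would run for a module at DIR (default: cwd):
# tidy must be a no-op, and every module in go.sum must match the cache.
go_mod_check() {
  gm_dir=${1:-.}
  check_unchanged "$gm_dir" go mod tidy
  (cd "$gm_dir" && go mod verify)
}
```

In a CI job, `go_mod_check .` after checkout is enough; `check_unchanged` is kept separate so the drift detection can be exercised without a Go toolchain.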

@mfridman mfridman merged commit 6fc031a into pressly:master Apr 21, 2022
@VojtechVitek
Collaborator

👍 Thank you


3 participants