Skip to content

[release/1.7] vendor: github.com/go-jose/go-jose/v3 v3.0.4#11619

Merged
AkihiroSuda merged 1 commit intocontainerd:release/1.7from
swagatbora90:1.7-update-go-jose
Mar 29, 2025
Merged

[release/1.7] vendor: github.com/go-jose/go-jose/v3 v3.0.4#11619
AkihiroSuda merged 1 commit intocontainerd:release/1.7from
swagatbora90:1.7-update-go-jose

Conversation

@swagatbora90
Copy link
Contributor

@swagatbora90 swagatbora90 commented Mar 28, 2025

Updates the indirect dependency of go-jose to v3.0.4.

This update is mainly to silence the scanners for CVE-2025-27144, although containerd itself is not affected.

go-jose/v3 is a dependency of github.com/containers/ocicrypt which is a dependency of github.com/containerd/imgcrypt. Directly updating imgcrypt also updates min go version to 1.23.0 and also moves to go-jose/v4, which seemed like a larger change than just updating the dependency directly.

@github-project-automation github-project-automation bot moved this to Needs Triage in Pull Request Review Mar 28, 2025
@k8s-ci-robot
Copy link

k8s-ci-robot commented Mar 28, 2025

Hi @swagatbora90. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dosubot dosubot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 28, 2025
@swagatbora90
vendor: github.com/go-jose/go-jose/v3 v3.0.4
52dd4dc 
Signed-off-by: Swagat Bora <sbora@amazon.com>
@swagatbora90
Copy link
Contributor Author

swagatbora90 commented Mar 28, 2025

/retest

@k8s-ci-robot
Copy link

k8s-ci-robot commented Mar 28, 2025

@swagatbora90: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@austinvazquez
Copy link
Member

austinvazquez commented Mar 28, 2025

/ok-to-test

@github-project-automation github-project-automation bot moved this from Needs Triage to Review In Progress in Pull Request Review Mar 29, 2025
@AkihiroSuda AkihiroSuda merged commit befa4ce into containerd:release/1.7 Mar 29, 2025
57 checks passed
@github-project-automation github-project-automation bot moved this from Review In Progress to Done in Pull Request Review Mar 29, 2025
@austinvazquez austinvazquez mentioned this pull request Jul 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@henry118 henry118 henry118 approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@austinvazquez austinvazquez austinvazquez approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code ok-to-test size/S

Projects

Pull Request Review
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@swagatbora90 @k8s-ci-robot @austinvazquez @henry118 @AkihiroSuda