
Commit d45ad41

authored
Dependency bumps: - github.com/go-jose/go-jose/v4: v4.0.5 → v4.1.4 (CVE-2026-34986, JWE decryption panic) - github.com/tektoncd/pipeline: v1.0.0 → v1.0.1 (CVE-2026-33211, git resolver path traversal) - github.com/sigstore/cosign/v2: v2.5.0 → v2.6.2 (CVE-2025-66506, excessive memory allocation) - google.golang.org/grpc: v1.71.1 → v1.80.0 (CVE-2026-33186, authz bypass via missing leading slash) Signed-off-by: Shubham Bhardwaj <shubbhar@redhat.com>
1 parent 1bf4411 commit d45ad41

4,420 files changed

Lines changed: 365529 additions & 238137 deletions


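--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -42,8 +42,8 @@ jobs:
 # If no files are changed at all, then `grep -v` will match even though no change outputs
 # should be true. Skipping output on an empty set of changes eliminates the false positive
 if [[ -n "${CHANGED_FILES}" ]]; then
-NON_DOCS=$(echo "${CHANGED_FILES}" | grep -Eqv '\.md$' && echo 'true' || echo 'false')
-YAML=$(echo "${CHANGED_FILES}" | grep -Eq '\.ya?ml$' && echo 'true' || echo 'false')
+NON_DOCS=$(echo "${CHANGED_FILES}" | grep -Ev '\.md$' > /dev/null 2>&1 && echo 'true' || echo 'false')
+YAML=$(echo "${CHANGED_FILES}" | grep -E '\.ya?ml$' > /dev/null 2>&1 && echo 'true' || echo 'false')
 echo "non-docs=${NON_DOCS}" | tee -a $GITHUB_OUTPUT
 echo "yaml=${YAML}" | tee -a $GITHUB_OUTPUT
 fi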
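Review bot: The reason `-q` was swapped for a redirect to /dev/null on the two assignments is not recorded anywhere, so a later tidy-up could reinstate `-q` and bring the flaky result back. Presumably `grep -q` exiting on the first match leaves `echo` writing into a closed pipe, and under a `pipefail` shell (the runner's default for `run:` steps if this workflow sets no `shell`) that EPIPE makes the pipeline non-zero and flips NON_DOCS/YAML to 'false' even when a match existed; suggest a comment above the assignments such as `# Do not use grep -q here: it exits on the first match and the resulting EPIPE on echo fails the pipeline under pipefail`. Note also that `2>&1` into /dev/null now turns any grep error (for example a bad pattern) into a silent 'false'; that is acceptable for a change-detection heuristic but worth mentioning in the same comment. The enclosing `run:` script starts before the hunk.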

go.mod

Lines changed: 179 additions & 164 deletions

go.sum

Lines changed: 411 additions & 420 deletions

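--- a/pkg/chains/signing/x509/x509.go
+++ b/pkg/chains/signing/x509/x509.go
@@ -202,7 +202,7 @@ func cosignSigner(ctx context.Context, secretPath string, privateKey []byte) (*S
 if err != nil {
 return nil, errors.Wrap(err, "reading cosign.password file")
 }
-signer, err := cosign.LoadPrivateKey(privateKey, password)
+signer, err := cosign.LoadPrivateKey(privateKey, password, nil)
 if err != nil {
 return nil, err
 }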
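Review bot: The new third argument to `cosign.LoadPrivateKey` is a bare `nil`, which tells a reader nothing about what it selects or why the default is acceptable for a production signer. In cosign v2.6 this parameter appears to be the signer load-option set, with nil meaning "library defaults", but that should be confirmed against the vendored signature before relying on it. Suggest a one-line comment on the call, e.g. `// nil: accept cosign's default key-load options (confirm against vendored cosign.LoadPrivateKey)`; the same bare `nil` is introduced in test/clients.go and would benefit from the same note. cosignSigner's body starts and ends outside the hunk.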

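--- a/pkg/chains/signing/x509/x509_test.go
+++ b/pkg/chains/signing/x509/x509_test.go
@@ -49,8 +49,10 @@ const ed25519Priv = `-----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VwBCIEIGQn0bJwshjwuVdnd/FylMk3Gvb89aGgH49bQpgzCY0n
 -----END PRIVATE KEY-----`
 
-// npx jwtgen -a HS256 -s "my-secret" -c "iss=user123" -e 3600
-const token = `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2Nzc1NjAyMTgsImV4cCI6MTY3NzU2MzgxOCwiaXNzIjoidXNlcjEyMyJ9.c-sDgCyuZA6VaIGl7Y3-9XxttW1PUkBeNBLE9gCKG8s`
+// Generated with RS256 algorithm (required for cosign v2.6.0+)
+// openssl genrsa -out private.pem 2048
+// python3 -c "import jwt; import time; private_key = open('/tmp/private.pem').read(); payload = {'iat': int(time.time()), 'exp': int(time.time()) + 3600 * 24 * 365 * 10, 'iss': 'user123'}; print(jwt.encode(payload, private_key, algorithm='RS256'))"
+const token = `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjIzMTIzOTQsImV4cCI6MjA3NzY3MjM5NCwiaXNzIjoidXNlcjEyMyJ9.Adm27mf955gZA2pcWLqF4LLrqzFbXYsdYNg1sScF9MbyeuE-4eVpqV91Rk-iRwwIrtKuOVkEDdulrAqeuIhMxGB7jNXWXxf6sVEHV57_QgB0KR_z-JVxEbTZBu6nIVBwDxmVFGQFVMtZbqsyX8J4F_jp0pSInFPqYQbS9xAGhvOnni_owp325Siev2Z-kWsnTTFOTi0C9g9BApPxXQEE17COYdXjxsBCJQQttb1Ww7IQLCf59wU5ZpNM7npzxvKuOBT1kmHPp1ZDCNxfA_a6JMIB4NQAzYV0ULRbXNftxwglFoyitWge-SyxohnTVfV1gplE8qi6kR2CQJORBMvx6w`
 
 func TestCreateSignerFulcioEnabledDefaultTokenFileMissing(t *testing.T) {
 ctx := logtesting.TestContextWithLogger(t)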
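Review bot: The reproduction steps in the new comment disagree with each other: the openssl line writes `private.pem` into the working directory while the Python one-liner reads `/tmp/private.pem`, so following them verbatim fails; change the first line to `// openssl genrsa -out /tmp/private.pem 2048`. The comment should also record that the signing key was discarded and the token is only parsed by the test, never verified against an issuer, so nobody mistakes it for a credential or tries to regenerate it byte-for-byte. Its `exp` claim (2077672394, roughly 2035) is the point at which a future cosign that enforces expiry would start failing this test; the old HS256 token had long expired, so presumably expiry is not checked today, but stating the date in the comment makes the eventual failure explainable. "required for cosign v2.6.0+" would be clearer as "cosign v2.6.0+ rejects the symmetric HS256 token" if that is the actual reason; confirm before wording it that way.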

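--- a/test/clients.go
+++ b/test/clients.go
@@ -237,7 +237,7 @@ func setupSecret(ctx context.Context, t *testing.T, c kubernetes.Interface, opts
 }
 s.StringData[p] = string(b)
 }
-cosignPriv, err := cosign.LoadPrivateKey([]byte(s.StringData["cosign.key"]), []byte(s.StringData["cosign.password"]))
+cosignPriv, err := cosign.LoadPrivateKey([]byte(s.StringData["cosign.key"]), []byte(s.StringData["cosign.password"]), nil)
 if err != nil {
 t.Fatal(err)
 }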

vendor/cel.dev/expr/BUILD.bazel

Lines changed: 0 additions & 1 deletion

vendor/cel.dev/expr/MODULE.bazel

Lines changed: 6 additions & 24 deletions
