fix(security): remediate CVE vulnerabilities #137

Merged: ulucinar merged 1 commit into release-1.1 from fix/cve-remediation-release-1.1-20260417-161304 on Apr 17, 2026

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| GHSA-78h2-9frx-2jm8 | High | github.com/go-jose/go-jose/v4 | v4.1.4 |
| GHSA-hfvc-g4fc-pqhx | High | go.opentelemetry.io/otel/sdk | v1.43.0 |
| GHSA-xmrv-pmrh-hhx2 | Medium | github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | v1.7.8 |
| GHSA-xmrv-pmrh-hhx2 | Medium | github.com/aws/aws-sdk-go-v2/service/s3 | v1.97.3 |

Changes Made

  • Updated github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4
  • Updated go.opentelemetry.io/otel/sdk from v1.42.0 to v1.43.0
  • Updated github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from v1.7.7 to v1.7.8
  • Updated github.com/aws/aws-sdk-go-v2/service/s3 from v1.97.1 to v1.97.3
  • Ran go mod tidy to update go.sum

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update github.com/go-jose/go-jose/v4 to v4.1.4 (fixes GHSA-78h2-9frx-2jm8)
- Update go.opentelemetry.io/otel/sdk to v1.43.0 (fixes GHSA-hfvc-g4fc-pqhx)
- Update github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream to v1.7.8 (fixes GHSA-xmrv-pmrh-hhx2)
- Update github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 (fixes GHSA-xmrv-pmrh-hhx2)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar
Contributor

/test-examples="examples/cluster/workspace-inline-aws.yaml"

@ulucinar ulucinar merged commit 24d3ad9 into release-1.1 Apr 17, 2026
8 checks passed
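
A check against the fixed-version table in this PR, added here as an example and not part of the PR or the project's code: it reads go.mod text and lists any tracked module still below its fixed version. The function names and the sample go.mod line are constructed for illustration; the module paths and versions come from the table.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed versions copied from the table in this PR.
var fixed = map[string]string{
	"github.com/go-jose/go-jose/v4":                         "v4.1.4",
	"go.opentelemetry.io/otel/sdk":                          "v1.43.0",
	"github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream": "v1.7.8",
	"github.com/aws/aws-sdk-go-v2/service/s3":               "v1.97.3",
}

// older reports whether have sorts before want. A "-" suffix (pre-release or
// pseudo-version) sorts before the plain release with the same numbers.
func older(have, want string) (bool, error) {
	var h, w [3]int
	_, e1 := fmt.Sscanf(have, "v%d.%d.%d", &h[0], &h[1], &h[2])
	_, e2 := fmt.Sscanf(want, "v%d.%d.%d", &w[0], &w[1], &w[2])
	if e1 != nil || e2 != nil {
		return false, fmt.Errorf("unparseable version %q or %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] < w[i], nil
		}
	}
	return strings.Contains(have, "-"), nil
}

// Unfixed lists tracked modules in go.mod text that are below the fixed
// version, or whose version cannot be parsed (reported rather than skipped).
func Unfixed(gomod string) []string {
	var out []string
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "//", 2)[0])
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(f) < 2 || fixed[f[0]] == "" {
			continue
		}
		if old, err := older(f[1], fixed[f[0]]); old || err != nil {
			out = append(out, f[0]+" "+f[1])
		}
	}
	return out
}

// Constructed input: one require line still at the pre-fix go-jose version.
func main() { fmt.Println(Unfixed("require github.com/go-jose/go-jose/v4 v4.1.3\n")) }
```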