Looks like in response to #1019, release artifacts for 1.4.1 were rebuilt (see #1019 (comment)) with a more recent version of Go (1.22.3), so the binaries should no longer be "affected" by these CVEs.
I personally don't think that mutating release artifacts is a good idea (see also #1038), as now there are 2 distinct versions of the "1.4.1" binaries out there. A lot of dependent build processes may rightfully assume that for a given tag, the binaries won't change. But it's done now...
So this issue can probably be closed given that the current binaries were built with Go 1.22.3.
The binaries for plugins v1.4.1 were built with Go 1.21.7, which has been found to have 1 HIGH CVE and 5 MEDIUM CVEs. A newer version of Go 1.21.9 or 1.22.2 can resolve these CVEs.
I think there is no need to change the code, the action code here:
plugins/.github/workflows/release.yaml
Line 19 in 670139c
will automatically use Go version v1.21.9 when a new build is triggered.
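Because the thread notes that the 1.4.1 artifacts exist in two builds, the tag alone does not say which Go toolchain produced a given binary. The following is an added example, not code from the plugins project: it reads the Go version embedded in each binary and compares it with the fixed releases named in the issue (1.21.9 and 1.22.2). The names `fixedPatch` and `needsRebuild` are hypothetical, and the handling of release lines other than 1.21 and 1.22 is an assumption.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// fixedPatch maps a Go 1.x release line to the first patch release that the
// issue names as resolving the reported CVEs (Go 1.21.9 and Go 1.22.2).
var fixedPatch = map[int]int{21: 9, 22: 2}

// needsRebuild reports whether a binary stamped with goVersion (for example
// "go1.21.7") was built with a toolchain older than the fixed release.
func needsRebuild(goVersion string) (bool, error) {
	var minor, patch int
	// A missing patch component ("go1.22") parses as patch 0.
	if n, _ := fmt.Sscanf(goVersion, "go1.%d.%d", &minor, &patch); n < 1 {
		return false, fmt.Errorf("unrecognized Go version %q", goVersion)
	}
	fixed, known := fixedPatch[minor]
	if !known {
		// Assumption: lines older than 1.21 have no fixed release named in
		// the issue and are flagged; lines newer than 1.22 are treated as fixed.
		return minor < 21, nil
	}
	return patch < fixed, nil
}

func main() {
	exit := 0
	for _, path := range os.Args[1:] {
		// ReadFile extracts the toolchain version the linker embedded in the binary.
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 2
			continue
		}
		stale, err := needsRebuild(info.GoVersion)
		if err != nil || stale {
			exit = 1
		}
		fmt.Printf("%s: built with %s, needs rebuild: %v (err: %v)\n",
			path, info.GoVersion, stale, err)
	}
	os.Exit(exit)
}
```

Run it with the paths of the extracted plugin binaries as arguments; a non-zero exit status means at least one binary was unreadable or predates the fixed toolchain.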