fix(sec): upgrade golang.org/x/crypto to 0.17.0 #1832
Conversation
|
Thank you for your contribution. unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project. Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken. 💡 Shall we fix this?This will only take a few moments. First, clone your fork and checkout this branch using the git CLI. Next, set up your real name and email address:
Finally, run one of these commands to add the "Signed-off-by" line to your commits. If you only have one commit so far then run: Check that the message has been added properly by running "git log". |
|
Hi, this module should be updated to v0.18.0, not v0.17.0. It's already been done in OpenFaaS Standard, feel free to scan the image: ghcr.io/openfaasltd/gateway:0.4.22 We'll get this closed, OSS components are for community only, not commercial use so we'll get to this in due course ourselves. Thanks for your interest in the project. |
What happened?
There are 1 security vulnerabilities found in golang.org/x/crypto v0.14.0
What did I do?
Upgrade golang.org/x/crypto from v0.14.0 to 0.17.0 for vulnerability fix
What did you expect to happen?
Ideally, no insecure libs should be used.
How can we automate the detection of these types of issues?
By using the GitHub Actions configurations provided by murphysec, we can conduct automatic code security checks in our CI pipeline.
The specification of the pull request
PR Specification from OSCS