Update a few dependencies (!4700) · Merge requests · GitLab.org / gitlab-runner

Axel von Bertoldi requested to merge avonbertoldi/37440/update-go-jose into main Mar 29, 2024

Update github.com/hashicorp/vault/api
What we actually want to do is update gopkg.in/square/go-jose.v2 because it is subject to CVE-2024-28180. It is pulled in by github.com/hashicorp/vault/api though:

> go mod why gopkg.in/square/go-jose.v2
gitlab.com/gitlab-org/gitlab-runner/helpers/vault
github.com/hashicorp/vault/api
gopkg.in/square/go-jose.v2/jwt
gopkg.in/square/go-jose.v2

So to update go-josh we need to update hashicorp/vault.
Note that gopkg.in/square/go-jose.v2 is orphaned and has been replaced with github.com/go-jose/go-jose/v3.

Update github.com/docker/docker
The previous version was subject to CVE-2024-24557.
Update google.golang.org/protobuf
The previous version was subject to CVE-2024-24786.

Fixes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/37440+

Edited Mar 29, 2024 by Axel von Bertoldi

Update a few dependencies

Merge request reports