chartmuseum / helm-push

Helm plugin to push chart package to ChartMuseum
Apache License 2.0

CVE-2023-39533 and other vulnerabilities in go 1.20.4. can you upgrade to go 1.20.7? #199

Closed niole closed 8 months ago

niole commented 11 months ago

Hi there, we use helm-push at the company where I work. This library depends on go 1.20.4, which has known vulnerabilities. Is it possible to upgrade to go 1.20.7? I will take a look and see what it takes to upgrade.
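
A toolchain-version gate, added here as an example and not code from the helm-push project or from anyone in this thread: a standard-library CVE such as the one named in the title depends on the Go release a binary was compiled with, which is stamped into the binary (`go version -m <binary>` prints it) and is not necessarily what the `go` line in go.mod says, since a 1.20-era go.mod only reads `go 1.20`. The program reads that stamp from itself via `runtime/debug.ReadBuildInfo`, compares it against a minimum, and exits non-zero if it is too old. The minimum `go1.20.7` is the value requested in the issue; the function names, the parser and the `goVersion` type are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version: major, minor, patch.
// (Type and helpers below are this example's own, not helm-push code.)
type goVersion [3]int

// ParseGoVersion accepts the forms Go itself emits ("go1.20.4", "go1.21",
// "go1.22rc1") or a bare "1.20.4" and returns major.minor.patch. A missing
// patch component is treated as 0 and a pre-release suffix is ignored.
func ParseGoVersion(s string) (goVersion, error) {
	var v goVersion
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	// Drop "rc1" / "beta2" style suffixes: "1.22rc1" -> "1.22".
	if i := strings.IndexAny(s, "rb"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised Go version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unrecognised Go version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// Less reports whether a is an older release than b.
func (a goVersion) Less(b goVersion) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// MeetsMinimum reports whether toolchain version got is at least want.
func MeetsMinimum(got, want string) (bool, error) {
	g, err := ParseGoVersion(got)
	if err != nil {
		return false, err
	}
	w, err := ParseGoVersion(want)
	if err != nil {
		return false, err
	}
	return !g.Less(w), nil
}

// ToolchainVersion returns the Go version stamped into the running binary,
// the same value `go version -m <binary>` prints. This, not go.mod, is what
// a vulnerability in the Go standard library or runtime depends on.
func ToolchainVersion() (string, bool) {
	bi, ok := debug.ReadBuildInfo()
	if !ok {
		return "", false
	}
	return bi.GoVersion, true
}

func main() {
	// Minimum taken from the issue title; any other value is a local policy choice.
	const minimum = "go1.20.7"
	got, ok := ToolchainVersion()
	if !ok {
		fmt.Fprintln(os.Stderr, "no build info in this binary (built without modules?)")
		os.Exit(2)
	}
	pass, err := MeetsMinimum(got, minimum)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if !pass {
		fmt.Fprintf(os.Stderr, "FAIL: built with %s, need at least %s\n", got, minimum)
		os.Exit(1)
	}
	fmt.Printf("OK: built with %s (>= %s)\n", got, minimum)
}
```

Run it as a CI step after `go build`, or point `go version -m` at the released helm-push binary and feed that string to `MeetsMinimum`. Since Go 1.21 the `go` and `toolchain` directives in go.mod can name a patch release, but the stamped version in the shipped binary remains the authoritative check, because that is what a Dockerfile or CI image actually compiled with.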

niole commented 11 months ago

@nerdeveloper wondering if you can take a look?

niole commented 10 months ago

@czhujer @scbizu @nerdeveloper any thoughts on this? This would be huge for my company, which puts a big emphasis on security.

czhujer commented 10 months ago

yes, we should bump the version of golang :)

also bumping the helm package to 3.13 would be good.

Maybe we should also switch the yaml package, check this: https://github.com/ghodss/yaml/issues/81

niole commented 10 months ago

@czhujer thanks so much!!!

JohnniDi commented 9 months ago

Yes, it would be greatly appreciated if all the open update PRs from dependabot would make it into a release soon.