In #3754 we are updating dependencies that are vulnerable to CVEs or that import other modules that are vulnerable to CVEs.
goleveldb imports google.golang.org/protobuf at version < v1.33.0 because of its dependency on outdated versions of github.com/onsi/ginkgo and github.com/onsi/gomega.
protobuf < v1.33.0 is affected by CVE-2024-24786. Therefore, we want to update goleveldb dependencies so that it uses protobuf >= v.1.33.0.
Changes
This PR updates the goleveldb to use our fork importing protobuf's version to v1.34.1, which isn't vulnerable to CVE-2024-24786.
PR checklist
~- [ ] Tests written/updated~
[ ] Changelog entry added in .changelog (we use unclog to manage our changelog)
~- [ ] Updated relevant documentation (docs/ or spec/) and code comments~
Context
In #3754 we are updating dependencies that are vulnerable to CVEs or that import other modules that are vulnerable to CVEs.
goleveldb
importsgoogle.golang.org/protobuf
at version <v1.33.0
because of its dependency on outdated versions ofgithub.com/onsi/ginkgo
andgithub.com/onsi/gomega
.protobuf
<v1.33.0
is affected by CVE-2024-24786. Therefore, we want to updategoleveldb
dependencies so that it usesprotobuf
>=v.1.33.0
.Changes
This PR updates the
goleveldb
to use our fork importingprotobuf
's version tov1.34.1
, which isn't vulnerable to CVE-2024-24786.PR checklist
~- [ ] Tests written/updated~
.changelog
(we use unclog to manage our changelog) ~- [ ] Updated relevant documentation (docs/
orspec/
) and code comments~