In #3754 we are updating dependencies that are vulnerable to CVEs or that import other modules that are vulnerable to CVEs.
goleveldb imports google.golang.org/protobuf at version < v1.33.0 because of its dependency on outdated versions of github.com/onsi/ginkgo and github.com/onsi/gomega.
protobuf < v1.33.0 is affected by CVE-2024-24786. Therefore, we want to update goleveldb dependencies so that it uses protobuf >= v.1.33.0.
Changes
This PR updates the goleveldb to use our fork importing protobuf's version to v1.34.1, which isn't vulnerable to CVE-2024-24786.
PR checklist
~- [ ] Tests written/updated~
[ ] Changelog entry added in .changelog (we use unclog to manage our changelog)
~- [ ] Updated relevant documentation (docs/ or spec/) and code comments~
Context
In #3754 we are updating dependencies that are vulnerable to CVEs or that import other modules that are vulnerable to CVEs.
goleveldbimportsgoogle.golang.org/protobufat version <v1.33.0because of its dependency on outdated versions ofgithub.com/onsi/ginkgoandgithub.com/onsi/gomega.protobuf<v1.33.0is affected by CVE-2024-24786. Therefore, we want to updategoleveldbdependencies so that it usesprotobuf>=v.1.33.0.Changes
This PR updates the
goleveldbto use our fork importingprotobuf's version tov1.34.1, which isn't vulnerable to CVE-2024-24786.PR checklist
~- [ ] Tests written/updated~
.changelog(we use unclog to manage our changelog) ~- [ ] Updated relevant documentation (docs/orspec/) and code comments~