estesp / manifest-tool

Command line tool to create and query container image manifest list/indexes
Apache License 2.0

Update github.com/deislabs/oras in order to address CVE #151

Closed twz123 closed 2 years ago

twz123 commented 2 years ago

See https://github.com/advisories/GHSA-g5v4-5x39-vwhx for details.

estesp commented 2 years ago

I guess it isn't public, but I had just dismissed a Dependabot alert for the ORAS CVE because this code doesn't use any of the stores available from the ORAS project codebase.

However, I don't have anything particular against upgrading to a more recent ORAS release; could you sign your commit and re-push to pass CI? Thanks!

twz123 commented 2 years ago

Yeah, I didn't really suspect any real issue, but sometimes it's easier to silence the security gizmos like this. Added my sign-off...