twz123 closed 2 years ago
I guess it isn't public, but I had just dismissed a Dependabot alert for the ORAS CVE because this code doesn't use any of the stores available from the ORAS project codebase.
However, I don't have anything particular against upgrading to a more recent ORAS release; could you sign your commit and re-push to pass CI? Thanks!
Yeah, I didn't really suspect any real issue, but sometimes it's easier to silence the security gizmos like this. Added my sign-off...
See https://github.com/advisories/GHSA-g5v4-5x39-vwhx for details.