kubernetes-csi / external-resizer

Sidecar container that watches Kubernetes PersistentVolumeClaim objects and triggers controller-side expansion operations against a CSI endpoint
Apache License 2.0

CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0 #377

Closed dobsonj closed 3 months ago

dobsonj commented 3 months ago

What this PR does / why we need it:

Bump google.golang.org/protobuf@v1.33.0 and github.com/golang/protobuf@v1.5.4 to address CVE-2024-24786.

https://pkg.go.dev/vuln/GO-2024-2611
https://github.com/advisories/GHSA-8r3f-844c-mc37

Which issue(s) this PR fixes:

/kind bug

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Update google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786
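
As an added check (not code from this PR or the external-resizer project): a small Go program that reads a go.mod and reports which of the two modules named in the PR description are still pinned below the versions that carry the CVE-2024-24786 fix. The sample go.mod is constructed for the example; the module paths and fixed versions are the ones stated above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Modules and minimum versions carrying the CVE-2024-24786 fix, as named in the PR.
var fixedVersions = []struct{ path, fixed string }{
	{"google.golang.org/protobuf", "v1.33.0"},
	{"github.com/golang/protobuf", "v1.5.4"},
}
// Constructed sample go.mod (not the project's real one); one module is still below the fix.
const sampleGoMod = `module example.com/resizer
require (
	github.com/golang/protobuf v1.5.3
	google.golang.org/protobuf v1.33.0
)`
// versionLess compares MAJOR.MINOR.PATCH numerically; pre-release and pseudo-version suffixes are ignored.
func versionLess(a, b string) bool {
	pa, pb := strings.SplitN(strings.TrimPrefix(a, "v"), ".", 3), strings.SplitN(strings.TrimPrefix(b, "v"), ".", 3)
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(strings.SplitN(pa[i], "-", 2)[0]) // a non-numeric part counts as 0
		y, _ := strconv.Atoi(strings.SplitN(pb[i], "-", 2)[0])
		if x != y {
			return x < y
		}
	}
	return false
}
// VulnerableModules lists the tracked modules that go.mod still pins below the fixed release.
func VulnerableModules(gomod string) []string {
	req := map[string]string{} // module path -> version, from block or one-line require entries
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require ")); len(f) >= 2 && strings.HasPrefix(f[1], "v") {
			req[f[0]] = f[1]
		}
	}
	var out []string
	for _, m := range fixedVersions {
		if got, ok := req[m.path]; ok && versionLess(got, m.fixed) {
			out = append(out, fmt.Sprintf("%s %s (fixed in %s)", m.path, got, m.fixed))
		}
	}
	return out
}

func main() {
	fmt.Println("needs bump:", VulnerableModules(sampleGoMod)) // prints [github.com/golang/protobuf v1.5.3 (fixed in v1.5.4)]
}
```

A go.mod lists only the main module's own requirements; to check the full build list, feed the same `path version` lines from `go list -m all` into VulnerableModules, or run govulncheck against the module.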

k8s-ci-robot commented 3 months ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

RomanBednar commented 3 months ago

/lgtm

jsafrane commented 3 months ago

/approve

k8s-ci-robot commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj, jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-csi/external-resizer/blob/master/OWNERS)~~ [jsafrane]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.