ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

Go Related CVEs Raised During Trivy Scanning Resolution Timeline by Upgrading Go #3768

Open isaac-mercieca opened 4 months ago

isaac-mercieca commented 4 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

Will the Go version of the project be updated to the latest 1.22.3 to address CVEs such as https://avd.aquasec.com/nvd/2023/cve-2023-45289/? I see Go on version 1.21 in the latest Hydra version v2.2.0. CVEs like this one are being raised during Trivy scanning on the Hydra binaries present in the docker image. Would this be in the next release, and would you happen to know the timeline for that release?

Reproducing the bug

Run Trivy scan on Hydra image.

Relevant log output

No response

Relevant configuration

No response

Version

2.2.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

Docker

Additional Context

None
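The finding described in this report is the kind Trivy attributes to the Go binary itself (result `Class` `lang-pkgs`, `Type` `gobinary`) with `PkgName` `stdlib`, which means the binary was compiled with a vulnerable Go toolchain and only a rebuild with a patched Go clears it; bumping go.mod dependencies does not. The following script is an added example, not part of the issue or of Ory's tooling: it parses a Trivy JSON report (`trivy image -f json`), separates stdlib findings from module findings, and works out the lowest Go toolchain on the installed minor line that would clear all stdlib findings. The embedded report is a constructed sample: the CVE id CVE-2023-45289 comes from the issue, while the installed version, the second CVE id and the module finding are placeholders.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample in the shape of Trivy's JSON report; not a real scan.
# Only CVE-2023-45289 is taken from the issue; every other value is a placeholder.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/hydra:placeholder",
    "Results": [
        {
            "Target": "hydra (placeholder binary path)",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-45289", "PkgName": "stdlib",
                 "InstalledVersion": "1.21.5", "FixedVersion": "1.21.8, 1.22.1",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "stdlib",
                 "InstalledVersion": "1.21.5", "FixedVersion": "1.21.9, 1.22.2",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-YYYY-PLACEHOLDER", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.17.0", "FixedVersion": "v0.23.0",
                 "Severity": "HIGH"},
            ],
        }
    ],
})


def parse_version(text: str) -> Version:
    """Turn '1.21.8', 'go1.21.8' or 'v0.23.0' into a comparable tuple of ints."""
    text = text.strip()
    for prefix in ("go", "v"):
        if text.startswith(prefix):
            text = text[len(prefix):]
    return tuple(int(p) for p in re.split(r"[.\-+]", text) if p.isdigit())


def format_version(version: Version) -> str:
    return ".".join(str(p) for p in version)


def gobinary_findings(report: Dict) -> List[Dict]:
    """Collect findings Trivy attributes to Go binaries (Class lang-pkgs, Type gobinary)."""
    findings = []
    for result in report.get("Results", []):
        if result.get("Class") != "lang-pkgs" or result.get("Type") != "gobinary":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                # Trivy lists several fixed versions as "1.21.8, 1.22.1" (one per release line)
                "fixed": [f.strip() for f in vuln.get("FixedVersion", "").split(",") if f.strip()],
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def fix_on_same_line(installed: Version, fixed: List[str]) -> Optional[Version]:
    """Prefer the fix on the installed minor line (1.21.x); otherwise the lowest fix."""
    candidates = sorted(parse_version(f) for f in fixed)
    if not candidates:
        return None
    same_line = [c for c in candidates if c[:2] == installed[:2]]
    return same_line[0] if same_line else candidates[0]


def summarize(report_json: str) -> Dict[str, object]:
    """Split stdlib (toolchain) findings from module findings and compute the Go version needed."""
    report = json.loads(report_json)
    findings = gobinary_findings(report)
    needed: Optional[Version] = None
    for f in findings:
        if f["pkg"] != "stdlib":
            continue
        target = fix_on_same_line(parse_version(f["installed"]), f["fixed"])
        if target is not None and (needed is None or target > needed):
            needed = target
    return {
        "artifact": report.get("ArtifactName"),
        # stdlib findings are only cleared by rebuilding with a patched Go toolchain
        "stdlib_cves": sorted({f["id"] for f in findings if f["pkg"] == "stdlib"}),
        # module findings are cleared by bumping go.mod dependencies and rebuilding
        "module_cves": sorted({f["id"] for f in findings if f["pkg"] != "stdlib"}),
        "required_go": format_version(needed) if needed else None,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Run against a real report with `trivy image -f json -o report.json <image>` and pass the file contents to `summarize`; a non-empty `stdlib_cves` list is the signal that a new image release is needed regardless of whether the application version changed.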

mig5 commented 3 months ago

Any movement on this?

I feel like it's not enough to just cut a Docker image release when you release new versions of Hydra. If it bundles 3rd party dependencies that have their own security vulnerabilities, it'd be great if Ory made routine new Docker images even if the Hydra version itself isn't changing. Other open source projects often work this way, in the containerized world we now live in.

I appreciate it's added burden for the maintainers, but it's good for the community :)