Open isaac-mercieca opened 4 months ago
Any movement on this?
I feel like it's not enough to just cut a Docker image release when you release new versions of Hydra. If it bundles 3rd-party dependencies that have their own security vulnerabilities, it'd be great if Ory made routine new Docker images even if the Hydra version itself isn't changing. Other open source projects often work this way, in the containerized world we now live in.
I appreciate it's an added burden for the maintainers, but it's good for the community :)
Preflight checklist
Ory Network Project
No response
Describe the bug
Will the Go version of the project be updated to the latest 1.22.3 to address CVEs such as https://avd.aquasec.com/nvd/2023/cve-2023-45289/? I see Go on version 1.21 in the latest Hydra version v2.2.0. CVEs like this one are being raised during Trivy scanning on the Hydra binaries present in the Docker image. Would this be in the next release, and would you happen to know the timeline for that release?
Reproducing the bug
Run a Trivy scan on the Hydra image.
Relevant log output
Relevant configuration
Version
2.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
Docker
Additional Context
None
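The findings the reporter describes come from the Go toolchain version embedded in the compiled binary (the build info that `go version -m <binary>` prints), not from the base image's package manager, which is why rebuilding the image on a newer base does nothing for them and only a rebuild with a newer Go toolchain clears them. The following is an added example, not Ory's code and not part of this issue: a small Go tool that reads that embedded build info with the standard library's `debug/buildinfo` package and checks it against a minimum toolchain version, so the check can run in CI before Trivy does. The tool name `gocheck`, the `checkBinary` / `versionAtLeast` helpers and the version floor are assumptions chosen for the example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns a toolchain string such as "go1.21.5" or "go1.22rc1"
// into numeric components [major, minor, patch]. Pre-release tags (rc, beta)
// are treated as patch 0 of that minor, and a missing patch is 0. Strings
// that are not a release version (for example "devel ...") are rejected.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	fields := strings.Fields(strings.TrimPrefix(v, "go"))
	if len(fields) == 0 {
		return out, fmt.Errorf("empty Go version")
	}
	s := fields[0]
	// Cut pre-release tags: "1.22rc1" -> "1.22".
	for _, tag := range []string{"rc", "beta"} {
		if i := strings.Index(s, tag); i >= 0 {
			s = s[:i]
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// versionAtLeast reports whether the toolchain version `have` is at or above
// the floor `want` (both in "go1.22.3" form).
func versionAtLeast(have, want string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseGoVersion(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// checkBinary reads the build info embedded in a compiled Go binary at path
// (the same metadata a scanner reads to attribute stdlib CVEs) and reports the
// toolchain version it was built with and whether that meets minVersion.
func checkBinary(path, minVersion string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("%s: not a Go binary with build info: %w", path, err)
	}
	ok, err := versionAtLeast(bi.GoVersion, minVersion)
	return bi.GoVersion, ok, err
}

// Usage (hypothetical tool name):
//   gocheck /usr/bin/hydra go1.22.3
// exits 0 when the binary was built with go1.22.3 or newer, 1 otherwise.
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <min-go-version>")
		os.Exit(2)
	}
	ver, ok, err := checkBinary(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s (minimum %s)\n", os.Args[1], ver, os.Args[2])
	if !ok {
		fmt.Println("FAIL: toolchain below minimum; rebuild with a newer Go")
		os.Exit(1)
	}
	fmt.Println("OK")
}
```

Running it against the binary extracted from the image (for example with `docker cp` from a stopped container) gives the same version Trivy attributes the CVE to; the fix on the project side is a rebuild with the newer toolchain, since the base image and OS packages are not involved.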