pingcap / tidb-operator

TiDB operator creates and manages TiDB clusters running in Kubernetes.
https://docs.pingcap.com/tidb-in-kubernetes/
Apache License 2.0

dep: update go-autorest (and indirect dependency on vulnerable jwt-go) (#5660) #5661

Closed ti-chi-bot closed 3 weeks ago

ti-chi-bot commented 3 weeks ago

This is an automated cherry-pick of #5660

What problem does this PR solve?

Update Azure/go-autorest to v0.5.13 from v0.5.2.

This in turn solves the use of the archived 'dgrijalva/jwt-go' in favour of 'golang-jwt/jwt' which resolves some vulnerabilities.

What is changed and how does it work?

Change in upstream code dependency to latest, resolving CVE in dgrijalva/jwt-go (archived) in favour of golang-jwt/jwt

Code changes

Tests

Side effects

Related changes

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.

NONE
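
The description above names jwt-go as an indirect dependency. As an added example (not code from this PR or from tidb-operator), the following Go program walks `go mod graph` output and returns the chain of modules that pulls in `github.com/dgrijalva/jwt-go`. The root module name `example.com/operator`, the edges and every version in `sampleGraph` are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output: the root module name, the edges and all
// versions are placeholders, not values taken from the PR.
const sampleGraph = `example.com/operator github.com/Azure/go-autorest/autorest@v0.0.1
example.com/operator k8s.io/client-go@v0.0.1
github.com/Azure/go-autorest/autorest@v0.0.1 github.com/Azure/go-autorest/autorest/adal@v0.0.1
github.com/Azure/go-autorest/autorest/adal@v0.0.1 github.com/dgrijalva/jwt-go@v0.0.1
k8s.io/client-go@v0.0.1 golang.org/x/net@v0.0.1`

// PathTo returns the shortest dependency chain from root to the target module
// path (version ignored), or nil when the target is not in the graph.
func PathTo(graph, root, target string) []string {
	// Each graph line is "parent child"; build an adjacency list from it.
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	// Breadth-first search, remembering each node's parent to rebuild the chain.
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		n := queue[0]
		if strings.SplitN(n, "@", 2)[0] == target {
			var path []string
			for cur := n; cur != ""; cur = parent[cur] {
				path = append([]string{cur}, path...)
			}
			return path
		}
		for _, c := range edges[n] {
			if _, seen := parent[c]; !seen {
				parent[c] = n
				queue = append(queue, c)
			}
		}
	}
	return nil
}

func main() {
	chain := PathTo(sampleGraph, "example.com/operator", "github.com/dgrijalva/jwt-go")
	fmt.Println(strings.Join(chain, " -> "))
}
```

On a real checkout, pass the output of `go mod graph` and the main module path as `root`; a `nil` result after the update means the archived module is no longer reachable.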

ti-chi-bot[bot] commented 3 weeks ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

Once this PR has been reviewed and has the lgtm label, please assign z2665 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/pingcap/tidb-operator/blob/release-1.6/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment