uniget-org / tools

Tool definitions for uniget
https://tools.uniget.dev
MIT License

chore(deps): update dependency gittuf/gittuf to v0.5.1 #5681

Closed uniget-bot closed 3 months ago

uniget-bot commented 3 months ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| gittuf/gittuf | minor | `0.4.0` -> `0.5.1` |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

gittuf/gittuf (gittuf/gittuf)

### [`v0.5.1`](https://togithub.com/gittuf/gittuf/blob/HEAD/CHANGELOG.md#v051)

[Compare Source](https://togithub.com/gittuf/gittuf/compare/v0.5.0...v0.5.1)

- Updated release workflow to support GoReleaser v2

### [`v0.5.0`](https://togithub.com/gittuf/gittuf/blob/HEAD/CHANGELOG.md#v050)

[Compare Source](https://togithub.com/gittuf/gittuf/compare/v0.4.0...v0.5.0)

- Added support for `ssh-keygen` based signer and verifier
- Added support for overriding reference name when local and remote reference names differ
- Added initial (alpha) implementation of git-remote-gittuf
- Added command to display RSL
- Added support for automatically skipping RSL entries that point to rebased commits
- Updated policy verification pattern matching to use `fnmatch`
- Updated to use Git binary for various operations on underlying repository
- Updated various dependencies and CI workflows
- Updated docs to make command snippets easier to copy
- Removed extraneous fields from gittuf policy metadata
- Removed `verify-commit` and `verify-tag` workflows in favor of `verify-ref` (BREAKING CHANGE)
- Governance: added Patrick Zielinski and Neil Naveen as gittuf maintainers

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

github-actions[bot] commented 3 months ago

:mag: Vulnerabilities of ghcr.io/uniget-org/tools/gittuf:0.5.1

:package: Image Reference: ghcr.io/uniget-org/tools/gittuf:0.5.1

| Field | Value |
|---|---|
| digest | sha256:8c68fca8b8af4ee2658e5ba022fa7aacd5cb6aaacfacd23a21de7c8601548d4d |
| vulnerabilities | critical: 0, high: 0, medium: 0, low: 0, unspecified: 1 |
| platform | linux/amd64 |
| size | 9.2 MB |
| packages | 119 |

stdlib 1.22.4 (golang) pkg:golang/stdlib@1.22.4
critical: 0, high: 0, medium: 0, low: 0, unspecified: 1

unspecified: CVE-2024-24791

| Field | Value |
|---|---|
| Affected range | >=1.22.0-0, <1.22.5 |
| Fixed version | 1.22.5 |

Description:

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

github-actions[bot] commented 3 months ago

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9781643529.

github-actions[bot] commented 3 months ago

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9781643529.