
Conversation

@cx-adar-zandberg
Contributor

Summary

This PR downgrades the Go version requirement from 1.25.0 back to 1.24.1 for compatibility with downstream consumers (ast-cli).

Changes

  • Downgrade helm.sh/helm/v3 from v3.19.3 to v3.19.2
  • Downgrade k8s.io/* dependencies from v0.35.0 to v0.34.0
  • Keep Go 1.24.1 (k8s.io v0.35.0 requires Go 1.25)
  • Update VULNERABILITY_FIXES.md to correctly document CVE-2019-25210

CVE-2019-25210 Clarification

The previous PR incorrectly stated that upgrading to helm v3.19.3 fixed CVE-2019-25210. This is not accurate:

  • CVE-2019-25210 is a design decision, not a bug
  • It affects all versions of Helm v3
  • The Helm maintainers have marked this as WONTFIX
  • The vulnerability (showing secrets with --dry-run) is considered expected behavior

Security Fixes Retained

All critical CVE fixes remain in place:

CVE             Package        Status
CVE-2025-64329  containerd/v2  ✅ Fixed (v2.1.4 via replace)
CVE-2025-31133  runc           ✅ Fixed (v1.3.3 via replace)
CVE-2025-52565  runc           ✅ Fixed (v1.3.3 via replace)
CVE-2025-52881  runc           ✅ Fixed (v1.3.3 via replace)
CVE-2019-25210  helm           ⚠️ WONTFIX by upstream
CVE-2025-27144  go-jose v2     ⚠️ Awaiting upstream fix

Pull Request opened by Augment Code with guidance from the PR author

- Downgrade helm.sh/helm/v3 from v3.19.3 to v3.19.2
- Downgrade k8s.io dependencies from v0.35.0 to v0.34.0
- Keep Go 1.24.1 (v0.35.0 requires Go 1.25)
- Document CVE-2019-25210 as WONTFIX (Helm design decision)
- All critical CVE fixes (containerd, runc) remain in place

AST-74554
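The "Fixed (... via replace)" rows in the table above depend on go.mod replace directives overriding the version a transitive dependency would otherwise resolve to. The following Go program is an added example, not code from this PR or its repository: it parses a constructed go.mod fragment built from the versions the PR lists, computes the version each module actually resolves to once replace directives are applied, and checks the containerd and runc modules against the minimum patched versions in the table. The module paths github.com/containerd/containerd/v2 and github.com/opencontainers/runc are the canonical ones and are an assumption, since the PR only names "containerd/v2" and "runc"; example.com/project is a placeholder module name.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment using the versions the PR lists. The containerd
// and runc module paths are the canonical ones but an assumption: the PR only says "containerd/v2" and "runc".
const sampleGoMod = `module example.com/project
go 1.24.1
require (
	github.com/containerd/containerd/v2 v2.0.0 // indirect
	github.com/opencontainers/runc v1.2.0 // indirect
	helm.sh/helm/v3 v3.19.2
	k8s.io/client-go v0.34.0
)
replace github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4
replace (
	github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3
)
`

// FixedVersions is the lowest version of each module that carries the fixes the PR's table lists.
var FixedVersions = map[string]string{
	"github.com/containerd/containerd/v2": "v2.1.4",
	"github.com/opencontainers/runc":      "v1.3.3",
}

// EffectiveVersions parses go.mod text and returns, per module, the version the build resolves to:
// the replace target's version when one is given, otherwise the require version. A replace may pin
// a module reached only transitively, so replaced modules are kept even without a require line.
func EffectiveVersions(gomod string) map[string]string {
	eff, replaced := map[string]string{}, map[string]string{}
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop trailing comments such as "// indirect"
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if line == ")" || strings.HasSuffix(line, " (") { // block close / open
			block = strings.TrimSuffix(strings.TrimSuffix(line, " ("), ")")
			continue
		}
		f, kind := strings.Fields(line), block
		if kind == "" { // single-line directive: the first word is the keyword
			kind, f = f[0], f[1:]
		}
		switch {
		case kind == "require" && len(f) >= 2:
			eff[f[0]] = f[1]
		case kind == "replace" && len(f) >= 3: // "old [ver] => new ver"; a path target has no version
			replaced[f[0]] = f[len(f)-1]
		}
	}
	for p, v := range replaced {
		eff[p] = v
	}
	return eff
}

// semver parses vMAJOR.MINOR.PATCH; pre-release and pseudo-versions are rejected rather than guessed.
func semver(v string) (out [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// CheckMinimums returns, sorted, each module whose effective version is absent, not comparable,
// or below the minimum that carries the fix.
func CheckMinimums(gomod string, minimums map[string]string) []string {
	eff := EffectiveVersions(gomod)
	var failing []string
	for mod, want := range minimums {
		have, present := eff[mod]
		h, okH := semver(have)
		w, okW := semver(want)
		switch {
		case !present:
			failing = append(failing, mod+": not in go.mod")
		case !okH || !okW:
			failing = append(failing, mod+": cannot compare "+have+" with "+want)
		case h[0] < w[0] || h[0] == w[0] && (h[1] < w[1] || h[1] == w[1] && h[2] < w[2]):
			failing = append(failing, fmt.Sprintf("%s: have %s, need >= %s", mod, have, want))
		}
	}
	sort.Strings(failing)
	return failing
}
```

Against a real checkout, `go list -m all` prints the final build list with replacements shown as `old version => new version`, so the same comparison can be run on the resolved module graph instead of a hand-written fragment. One caveat matters for the downstream consumer this PR is written for: replace directives only take effect in the main module's go.mod and are ignored when this module is imported by another, so a consumer such as ast-cli does not inherit the containerd and runc pins and has to carry its own.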
@cx-shaked-karta
Collaborator

Checkmarx One – Scan Summary & Details 1edf9fcc-6ce3-4091-8b74-b57e47f469ee

Great job! No new security vulnerabilities introduced in this pull request


@cx-adar-zandberg cx-adar-zandberg merged commit b8cc823 into main Jan 8, 2026
3 checks passed
