Conversation

@burythehammer
Collaborator

A number of vulnerabilities were raised by dependabot, so merging these all together and pushing at once.

@burythehammer burythehammer self-assigned this Aug 15, 2025
@burythehammer burythehammer changed the base branch from main to develop August 15, 2025 08:56
@kaplanben
Checkmarx One – Scan Summary & Details (scan 7b8982c2-ce17-433b-b4aa-18176eaf2eb2)

New Issues (4)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

MEDIUM | CVE-2025-27144 | Go - github.com/go-jose/go-jose/v4 v4.0.4 | Vulnerable Package
  Details: Recommended version: v4.0.5
  Description: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryptio...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: UUXjOtljtqneYV88AB4dwmiUjOeNiQCqcXfNjfSbvjM=

LOW | Unpinned Actions Full Length Commit SHA | /codeql-analysis.yml: 43
  Details: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
  ID: QOmNDaPI10zdq5A+7Q3SMmedFpM=

LOW | Unpinned Actions Full Length Commit SHA | /codeql-analysis.yml: 54
  Details: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
  ID: QzkOUP3GKW7c506ivbxv1/aH86s=

LOW | Unpinned Actions Full Length Commit SHA | /codeql-analysis.yml: 68
  Details: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
  ID: l617fWgphdym8p5+EKEm4oEyea4=
Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity | Issue | Source File / Package

CRITICAL | Cxdbd5c98e-4380 | Go - github.com/cloudflare/circl v1.3.7
HIGH | CVE-2024-45339 | Go - github.com/golang/glog v1.2.2
HIGH | CVE-2025-22869 | Go - golang.org/x/crypto v0.33.0
MEDIUM | CVE-2025-22872 | Go - golang.org/x/net v0.35.0
LOW | Unpinned Actions Full Length Commit SHA | /codeql-analysis.yml: 42
LOW | Unpinned Actions Full Length Commit SHA | /codeql-analysis.yml: 53
LOW | Unpinned Actions Full Length Commit SHA | /codeql-analysis.yml: 67

@burythehammer burythehammer merged commit 092fbfa into develop Aug 15, 2025
3 checks passed
@burythehammer burythehammer deleted the chore/dependabot-version-bumps branch August 20, 2025 09:25
burythehammer added a commit that referenced this pull request Nov 10, 2025
