Conversation

Contributor

@vtaskow vtaskow commented Jan 5, 2026

Why

Motivation

A new CVE appeared at the end of December: GHSA-c4p6-qg4m-9jmr. This PR resolves it and Core 1 now works with Keda 2.17.x to 2.18.3 (latest).

What

Summary of changes

  • Bumped the Keda dependency to 2.17.3 in the operator
  • Bumped k8s-related dependencies in both the operator and executor

Checklist

  • Added/updated unit tests
  • Added/updated documentation
  • Checked for typos in variable names, comments, etc.
  • Added licences for new files

Testing

  • Ran E2E tests - sequential and notebooks

@vtaskow vtaskow requested a review from tyndria January 5, 2026 11:26
Contributor Author

vtaskow commented Jan 5, 2026

I am going to merge this PR now. Will fix the CVEs for the Python images in the next.

@vtaskow vtaskow merged commit 782cc4d into master Jan 5, 2026
26 of 27 checks passed
@vtaskow vtaskow deleted the fix-cve-keda-autoscaler branch January 5, 2026 12:51
vtaskow added a commit that referenced this pull request Jan 5, 2026
* Upgrade keda from 2.7.1 to 2.12.0

* Update Keda to 2.13.0

* Upgrade Keda to 2.14.0

* Upgrade to Keda 2.15.0

* Upgrade to Keda 2.17.3

* Update transitive dep expr-lang/expr coming from Keda to fix CVE

* Add comment in go.mod for cve

* Bump k8s libs in executor to resolve go.mod after the changes in the operator

* Add replace for expr-lang/expr in go.mod in executor as well

* Update licenses for the operator. Remove additional license info for go-jose (from previous version of keda), now resolving properly

* Update executor licenses; entry for JohnCGriffin/overflow had to be manually copy-pasted into the license.txt

* Update tarball licenses in the operator and executor Dockerfiles