Skip to content

build(deps): bump the all-modules group in /sda-validator/orchestrator with 2 updates#2302

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/sda-validator/orchestrator/all-modules-f80ec1a409
Open

build(deps): bump the all-modules group in /sda-validator/orchestrator with 2 updates#2302
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/sda-validator/orchestrator/all-modules-f80ec1a409

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 6, 2026

Bumps the all-modules group in /sda-validator/orchestrator with 2 updates: github.com/neicnordic/crypt4gh and google.golang.org/grpc.

Updates github.com/neicnordic/crypt4gh from 1.14.2 to 1.15.0

Release notes

Sourced from github.com/neicnordic/crypt4gh's releases.

v1.15.0

What's Changed

Full Changelog: neicnordic/crypt4gh@v1.14.2...v1.15.0

Commits

Updates google.golang.org/grpc from 1.79.1 to 1.79.2

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.2

Bug Fixes

  • stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the all-modules group
5e9f508 
Bumps the all-modules group in /sda-validator/orchestrator with 2 updates: [github.com/neicnordic/crypt4gh](https://github.com/neicnordic/crypt4gh) and [google.golang.org/grpc](https://github.com/grpc/grpc-go).


Updates `github.com/neicnordic/crypt4gh` from 1.14.2 to 1.15.0
- [Release notes](https://github.com/neicnordic/crypt4gh/releases)
- [Commits](neicnordic/crypt4gh@v1.14.2...v1.15.0)

Updates `google.golang.org/grpc` from 1.79.1 to 1.79.2
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.79.1...v1.79.2)

---
updated-dependencies:
- dependency-name: github.com/neicnordic/crypt4gh
  dependency-version: 1.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 6, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 6, 2026 08:40
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 6, 2026
@github-advanced-security
Copy link

github-advanced-security bot commented Mar 6, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@github-actions
Copy link

github-actions bot commented Mar 6, 2026

🔍 Trivy Scan - Validator Orchestrator 🔍

Target ghcr.io/neicnordic/sensitive-data-archive:PR2302-validator-orchestrator (debian 12.13)

No Vulnerabilities found

Target bin/apptainer

Vulnerabilities (37)

Package ID Severity Installed Version Fixed Version Title
github.com/cloudflare/circl CVE-2025-8556 LOW v1.3.7 1.6.1 github.com/cloudflare/circl: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
github.com/cloudflare/circl CVE-2026-1229 LOW v1.3.7 1.6.3 CIRCL has an incorrect calculation in secp384r1 CombinedMult
github.com/docker/cli CVE-2025-15558 HIGH v27.5.1+incompatible 29.2.0 docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries
github.com/docker/docker CVE-2025-54410 LOW v27.5.1+incompatible 28.0.0 github.com/moby/moby: Moby's Firewalld reload removes bridge network isolation
github.com/go-jose/go-jose/v4 CVE-2025-27144 MEDIUM v4.0.4 4.0.5 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
github.com/sigstore/fulcio CVE-2025-66506 HIGH v1.6.4 1.8.3 github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token
github.com/sigstore/fulcio CVE-2026-22772 MEDIUM v1.6.4 1.8.5 fulcio: Fulcio: Server-Side Request Forgery (SSRF) via unanchored regex in MetaIssuer URL validation
github.com/sigstore/rekor CVE-2026-23831 MEDIUM v1.3.6 1.5.0 github.com/sigstore/rekor: Rekor denial of service
github.com/sigstore/rekor CVE-2026-24117 MEDIUM v1.3.6 1.5.0 github.com/sigstore/rekor: Rekor Server-Side Request Forgery (SSRF)
github.com/sigstore/sigstore CVE-2026-24137 MEDIUM v1.8.14 1.10.4 github.com/sigstore/sigstore: sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
golang.org/x/crypto CVE-2025-22869 HIGH v0.33.0 0.35.0 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
golang.org/x/crypto CVE-2025-47914 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
golang.org/x/crypto CVE-2025-58181 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
golang.org/x/net CVE-2025-22870 MEDIUM v0.33.0 0.36.0 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
golang.org/x/net CVE-2025-22872 MEDIUM v0.33.0 0.38.0 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
stdlib CVE-2025-68121 CRITICAL v1.23.6 1.24.13, 1.25.7, 1.26.0-rc.3 crypto/tls: Unexpected session resumption in crypto/tls
stdlib CVE-2025-47907 HIGH v1.23.6 1.23.12, 1.24.6 database/sql: Postgres Scan Race Condition
stdlib CVE-2025-58183 HIGH v1.23.6 1.24.8, 1.25.2 golang: archive/tar: Unbounded allocation when parsing GNU sparse map
stdlib CVE-2025-61726 HIGH v1.23.6 1.24.12, 1.25.6 golang: net/url: Memory exhaustion in query parameter parsing in net/url
stdlib CVE-2025-61728 HIGH v1.23.6 1.24.12, 1.25.6 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
stdlib CVE-2025-61729 HIGH v1.23.6 1.24.11, 1.25.5 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
stdlib CVE-2025-61730 HIGH v1.23.6 1.24.12, 1.25.6 During the TLS 1.3 handshake if multiple messages are sent in records ...
stdlib CVE-2025-0913 MEDIUM v1.23.6 1.23.10, 1.24.4 Inconsistent handling of O_CREATE
stdlib CVE-2025-22871 MEDIUM v1.23.6 1.23.8, 1.24.2 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
stdlib CVE-2025-22873 MEDIUM v1.23.6 1.23.9, 1.24.3 os: os: Information disclosure via path traversal using specially crafted filenames
stdlib CVE-2025-4673 MEDIUM v1.23.6 1.23.10, 1.24.4 net/http: Sensitive headers not cleared on cross-origin redirect in net/http
stdlib CVE-2025-47906 MEDIUM v1.23.6 1.23.12, 1.24.6 os/exec: Unexpected paths returned from LookPath in os/exec
stdlib CVE-2025-47912 MEDIUM v1.23.6 1.24.8, 1.25.2 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
stdlib CVE-2025-58185 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1
stdlib CVE-2025-58186 MEDIUM v1.23.6 1.24.8, 1.25.2 golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http
stdlib CVE-2025-58187 MEDIUM v1.23.6 1.24.9, 1.25.3 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
stdlib CVE-2025-58188 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509
stdlib CVE-2025-58189 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
stdlib CVE-2025-61723 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem
stdlib CVE-2025-61724 MEDIUM v1.23.6 1.24.8, 1.25.2 net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto
stdlib CVE-2025-61725 MEDIUM v1.23.6 1.24.8, 1.25.2 net/mail: Excessive CPU consumption in ParseAddress in net/mail
stdlib CVE-2025-61727 MEDIUM v1.23.6 1.24.11, 1.25.5 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

Target bin/grpc_health_probe

No Vulnerabilities found

Target libexec/apptainer/bin/starter

Vulnerabilities (32)

Package ID Severity Installed Version Fixed Version Title
github.com/cloudflare/circl CVE-2025-8556 LOW v1.3.7 1.6.1 github.com/cloudflare/circl: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
github.com/cloudflare/circl CVE-2026-1229 LOW v1.3.7 1.6.3 CIRCL has an incorrect calculation in secp384r1 CombinedMult
github.com/docker/cli CVE-2025-15558 HIGH v27.5.1+incompatible 29.2.0 docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries
github.com/go-jose/go-jose/v4 CVE-2025-27144 MEDIUM v4.0.4 4.0.5 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
github.com/sigstore/sigstore CVE-2026-24137 MEDIUM v1.8.14 1.10.4 github.com/sigstore/sigstore: sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
golang.org/x/crypto CVE-2025-22869 HIGH v0.33.0 0.35.0 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
golang.org/x/crypto CVE-2025-47914 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
golang.org/x/crypto CVE-2025-58181 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
golang.org/x/net CVE-2025-22870 MEDIUM v0.33.0 0.36.0 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
golang.org/x/net CVE-2025-22872 MEDIUM v0.33.0 0.38.0 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
stdlib CVE-2025-68121 CRITICAL v1.23.6 1.24.13, 1.25.7, 1.26.0-rc.3 crypto/tls: Unexpected session resumption in crypto/tls
stdlib CVE-2025-47907 HIGH v1.23.6 1.23.12, 1.24.6 database/sql: Postgres Scan Race Condition
stdlib CVE-2025-58183 HIGH v1.23.6 1.24.8, 1.25.2 golang: archive/tar: Unbounded allocation when parsing GNU sparse map
stdlib CVE-2025-61726 HIGH v1.23.6 1.24.12, 1.25.6 golang: net/url: Memory exhaustion in query parameter parsing in net/url
stdlib CVE-2025-61728 HIGH v1.23.6 1.24.12, 1.25.6 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
stdlib CVE-2025-61729 HIGH v1.23.6 1.24.11, 1.25.5 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
stdlib CVE-2025-61730 HIGH v1.23.6 1.24.12, 1.25.6 During the TLS 1.3 handshake if multiple messages are sent in records ...
stdlib CVE-2025-0913 MEDIUM v1.23.6 1.23.10, 1.24.4 Inconsistent handling of O_CREATE
stdlib CVE-2025-22871 MEDIUM v1.23.6 1.23.8, 1.24.2 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
stdlib CVE-2025-22873 MEDIUM v1.23.6 1.23.9, 1.24.3 os: os: Information disclosure via path traversal using specially crafted filenames
stdlib CVE-2025-4673 MEDIUM v1.23.6 1.23.10, 1.24.4 net/http: Sensitive headers not cleared on cross-origin redirect in net/http
stdlib CVE-2025-47906 MEDIUM v1.23.6 1.23.12, 1.24.6 os/exec: Unexpected paths returned from LookPath in os/exec
stdlib CVE-2025-47912 MEDIUM v1.23.6 1.24.8, 1.25.2 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
stdlib CVE-2025-58185 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1
stdlib CVE-2025-58186 MEDIUM v1.23.6 1.24.8, 1.25.2 golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http
stdlib CVE-2025-58187 MEDIUM v1.23.6 1.24.9, 1.25.3 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
stdlib CVE-2025-58188 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509
stdlib CVE-2025-58189 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
stdlib CVE-2025-61723 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem
stdlib CVE-2025-61724 MEDIUM v1.23.6 1.24.8, 1.25.2 net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto
stdlib CVE-2025-61725 MEDIUM v1.23.6 1.24.8, 1.25.2 net/mail: Excessive CPU consumption in ParseAddress in net/mail
stdlib CVE-2025-61727 MEDIUM v1.23.6 1.24.11, 1.25.5 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

Target usr/bin/sda-validator-orchestrator

No Vulnerabilities found

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KarlG-nbis KarlG-nbis KarlG-nbis approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@KarlG-nbis