pressly / goose

A database migration tool. Supports SQL migrations and Go functions.

Home Page: http://pressly.github.io/goose/


Request to release 3.18.1

ianling opened this issue · comments


We have some software that depends on goose. An automated vulnerability scanner we are required to run is picking up goose's dependency on runc v.1.10.0 and the fact that runc 1.10.0 has a CVE assigned to it (CVE-2024-21626).

It looks like you have already updated runc in goose's master branch, but there hasn't been a new release. 81fb552

Would it be possible to tag 3.18.1 so we can pull in the runc update so our scanner will stop complaining?

Sure, I'll do it tonight 👍

Thinking about this more. This dependency isn't even part of the core goose library, and only used for integration tests.

I wonder if I can reshuffle things to cleanup go.mod so this doesn't happen again.

I've seen a lot of CVE due to this dependency across multiple Go projects.

To resolve your immediate issue, I tagged https://github.com/pressly/goose/releases/tag/v3.19.1.

Going to close those for now, and continue to refactor the integration tests separately.


For brevity, I ended up ripping out the docker-related bits and shoving them into a separate Go module. I think this turned out a lot cleaner for both consumers and maintainers.

#713
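The thread's point is that a dependency pulled in only for integration tests still lands in the library's go.mod, so every consumer's scanner sees it; moving the docker-related code into its own module gives it its own go.mod and takes it out of the library's graph. The following is an added example, not goose's code or the code from #713: a minimal go.mod require-parser plus the kind of version check a scanner performs, run over two constructed go.mod files (a "before" with the test-only dependency and an "after" without it). The module paths `example.com/...`, the versions, and the advisory's fixed-version threshold are constructed for illustration; only the CVE id comes from the thread, and the threshold is not the real advisory's fixed version. The parser handles `require` lines and blocks only (no `replace`/`exclude`), which is enough to show the effect.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one `require` entry from a go.mod file.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // true when the line carries a "// indirect" comment
}

// Advisory is a constructed, scanner-style record: the module is affected
// below FixedVersion. The threshold here is illustrative, not the real one.
type Advisory struct {
	ID, Path, FixedVersion string
}

// Finding pairs a requirement with the advisory it matches.
type Finding struct {
	Advisory Advisory
	Req      Requirement
}

// Constructed sample: library go.mod before the split. The runc requirement is
// only there transitively, via the docker test helper.
const LibraryGoModBefore = `module example.com/goose-like

go 1.21

require (
	example.com/dbdriver v1.4.0
	example.com/dockertest v3.10.0+incompatible
	github.com/opencontainers/runc v1.0.99 // indirect
)
`

// Constructed sample: library go.mod after moving the docker bits into a
// separate module with its own go.mod.
const LibraryGoModAfter = `module example.com/goose-like

go 1.21

require example.com/dbdriver v1.4.0
`

// SampleAdvisories uses the CVE id from the thread with a constructed range.
var SampleAdvisories = []Advisory{
	{ID: "CVE-2024-21626", Path: "github.com/opencontainers/runc", FixedVersion: "v1.1.0"},
}

// ParseGoMod extracts require entries, in both the single-line and block forms.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require"))
		case !inBlock:
			continue // module, go, replace, ... lines are ignored
		}
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		if f := strings.Fields(line); len(f) == 2 {
			reqs = append(reqs, Requirement{Path: f[0], Version: f[1], Indirect: indirect})
		}
	}
	return reqs
}

// numericParts reads vMAJOR.MINOR.PATCH, dropping pre-release/build suffixes.
func numericParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// versionLess reports whether a < b on the numeric MAJOR.MINOR.PATCH triple.
func versionLess(a, b string) bool {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// FindAffected flags every requirement, direct or indirect, below an advisory's
// fixed version. Scanners do not care that a dependency is test-only.
func FindAffected(reqs []Requirement, advs []Advisory) []Finding {
	var out []Finding
	for _, r := range reqs {
		for _, a := range advs {
			if r.Path == a.Path && versionLess(r.Version, a.FixedVersion) {
				out = append(out, Finding{Advisory: a, Req: r})
			}
		}
	}
	return out
}

func main() {
	for name, src := range map[string]string{"before": LibraryGoModBefore, "after": LibraryGoModAfter} {
		findings := FindAffected(ParseGoMod(src), SampleAdvisories)
		fmt.Printf("%s split: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s %s (indirect=%v)\n", f.Advisory.ID, f.Req.Path, f.Req.Version, f.Req.Indirect)
		}
	}
}
```

The "before" file produces one finding even though the flagged entry is marked `// indirect`, which is exactly what the reporter's scanner saw; the "after" file produces none, because the test module's go.mod is no longer part of what a consumer of the library resolves.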