From 8fc927a6a7344e5fb29f69751a64ead928eff6f4 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Thu, 12 Dec 2024 22:51:57 +0000
Subject: [PATCH 001/211] libreoffice-24.8/24.8.4.2 package update
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
libreoffice-24.8.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libreoffice-24.8.yaml b/libreoffice-24.8.yaml
index df4583cc69e..3a3853ef225 100644
--- a/libreoffice-24.8.yaml
+++ b/libreoffice-24.8.yaml
@@ -1,6 +1,6 @@
package:
name: libreoffice-24.8
- version: 24.8.4.1
+ version: 24.8.4.2
epoch: 0
description:
# https://www.libreoffice.org/about-us/licenses
@@ -101,7 +101,7 @@ pipeline:
with:
repository: https://github.com/LibreOffice/core
tag: libreoffice-${{package.version}}
- expected-commit: 1be9007f5d86a3741c366527d13e2970cbeef057
+ expected-commit: bb3cfa12c7b1bf994ecc5649a80400d06cd71002
# patch rather than cherry-pick. The git fetch of main takes multiple minutes.
- uses: patch
From f917ac29c1ae593563b2776c10e52ed2b09124f1 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Thu, 12 Dec 2024 17:52:00 +0000
Subject: [PATCH 002/211] newrelic-nri-statsd/v2.10.0 package update
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
newrelic-nri-statsd.yaml | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/newrelic-nri-statsd.yaml b/newrelic-nri-statsd.yaml
index a74e6f75ad1..6d30bce9ff6 100644
--- a/newrelic-nri-statsd.yaml
+++ b/newrelic-nri-statsd.yaml
@@ -1,7 +1,7 @@
package:
name: newrelic-nri-statsd
- version: 2.9.2
- epoch: 2
+ version: v2.10.0
+ epoch: 0
description: An implementation of Etsy's statsd in Go with tags support
copyright:
- license: MIT
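Review bot: The new `version: v2.10.0` carries a leading `v`, while every other package on this page keeps a bare numeric version and puts the prefix in the tag (`tag: v${{package.version}}`). A version string that does not start with a digit is likely to be rejected or mis-ordered by version comparison, which would affect upgrade resolution and advisory matching for this package; this is inferred from the convention visible here, not from the tooling itself. I would change the line to `version: 2.10.0` and the `tag:` line in the next hunk to `tag: v${{package.version}}`.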
@@ -19,15 +19,10 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: 13951ecf771c00604d7fd37feab9b4f0df245219
+ expected-commit: 21cb52ec9480869d1ff01675b9ed550cc9212c49
repository: https://github.com/newrelic/nri-statsd
tag: ${{package.version}}
- - uses: go/bump
- with:
- deps: golang.org/x/net@v0.23.0
- modroot: tests/integration
-
- runs: |
mkdir -p "${{targets.destdir}}"/bin
mkdir -p "${{targets.destdir}}"/home/nonroot
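Review bot: The `go/bump` step that pinned `golang.org/x/net@v0.23.0` under `tests/integration` is removed in the same automated change that moves `expected-commit`, and nothing in the hunk shows that the upstream go.mod at the new tag already requires that version or later. If it does not, the earlier remediation is silently lost and the package regresses to the older module. Either confirm this in the commit description or keep the step until a scan of the built package is clean. The pipeline continues past the end of the hunk.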
From 90956bfbdddbc220653a436b781bb8934baeda97 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:57:30 +0000
Subject: [PATCH 003/211] prometheus-adapter/0.12.0-r3: cve remediation
(#36753)
prometheus-adapter/0.12.0-r3: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-adapter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-adapter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-adapter.yaml b/prometheus-adapter.yaml
index 9a18c11f4f2..d74500c6e42 100644
--- a/prometheus-adapter.yaml
+++ b/prometheus-adapter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-adapter
version: 0.12.0
- epoch: 3
+ epoch: 4
description: Prometheus Adapter for Kubernetes Metrics APIs
copyright:
- license: Apache-2.0
@@ -20,6 +20,10 @@ pipeline:
expected-commit: 17cef511b1854441490bceeca7a710a04ce091ad
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make prometheus-adapter
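Review bot: The added `go/bump` step has no comment tying the `golang.org/x/crypto@v0.31.0` pin to GHSA-v778-237x-gjrc, so the YAML alone does not tell a later maintainer why the pin exists or when it can be dropped. I would add above the step: `# GHSA-v778-237x-gjrc: drop once upstream go.mod requires golang.org/x/crypto >= v0.31.0`. The same applies to the `go/bump` steps added in swagger, step-issuer, helm-docs, flux-kustomize-controller, ollama, syft, tigera-operator-1.36 and authservice, and to the extended `deps:` lines in scorecard and kubernetes-event-exporter. Here the build runs through `make prometheus-adapter`, so it is worth checking that the Makefile builds from the bumped go.mod rather than a vendored tree; the hunk does not show this.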
From ee6b7e59057e8e3548bb0ec339da928a7cc8f214 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:57:40 +0000
Subject: [PATCH 004/211] swagger/0.31.0-r3: cve remediation (#36750)
swagger/0.31.0-r3: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/swagger.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
swagger.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/swagger.yaml b/swagger.yaml
index 62d312bf739..e697d7e5f8d 100644
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -1,7 +1,7 @@
package:
name: swagger
version: 0.31.0
- epoch: 3
+ epoch: 4
description: Swagger 2.0 implementation for go
copyright:
- license: Apache-2.0
@@ -17,6 +17,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 77f973a51c1dd3a8b95466b1c08cd9e529a69cfa
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/swagger
From 4780029d07f52e69b784ab324a3d248c0b01acbb Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:57:49 +0000
Subject: [PATCH 005/211] scorecard/5.0.0-r2: cve remediation (#36745)
scorecard/5.0.0-r2: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/scorecard.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
scorecard.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scorecard.yaml b/scorecard.yaml
index 20db99cda7a..356aea286a1 100644
--- a/scorecard.yaml
+++ b/scorecard.yaml
@@ -1,7 +1,7 @@
package:
name: scorecard
version: 5.0.0
- epoch: 2
+ epoch: 3
description: OpenSSF Scorecard - Security health metrics for Open Source
copyright:
- license: Apache-2.0
@@ -27,7 +27,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- runs: |
make build-scorecard
From 8d3b6d469319f67ea694ed90f14dbf3d5413a275 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:58:01 +0000
Subject: [PATCH 006/211] mkcert/1.4.4-r5: cve remediation (#36742)
mkcert/1.4.4-r5: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/mkcert.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
mkcert.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mkcert.yaml b/mkcert.yaml
index 2755efa2675..142f387d127 100644
--- a/mkcert.yaml
+++ b/mkcert.yaml
@@ -1,7 +1,7 @@
package:
name: mkcert
version: 1.4.4
- epoch: 5
+ epoch: 6
description: A simple zero-config tool to make locally trusted development certificates with any names you'd like.
copyright:
- license: BSD-3-Clause
@@ -20,8 +20,8 @@ pipeline:
- uses: go/bump
with:
- deps: golang.org/x/net@v0.21.0 golang.org/x/text@v0.3.8
- replaces: golang.org/x/crypto=golang.org/x/crypto@v0.21.0
+ deps: golang.org/x/net@v0.21.0 golang.org/x/text@v0.3.8 golang.org/x/crypto@v0.31.0
+ replaces: golang.org/x/crypto=golang.org/x/crypto@v0.31.0
- uses: go/build
with:
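Review bot: `golang.org/x/crypto` is now forced to v0.31.0 twice, once in `deps:` and once in `replaces: golang.org/x/crypto=golang.org/x/crypto@v0.31.0`. A replace of a module by itself overrides whatever the require line says, so a later bump that edits only `deps:` would have no effect on the built binary. If the replace is no longer needed, drop that line and keep the `deps:` entry. If it is still needed, say why in a comment such as `# replace kept because <reason>; keep in sync with deps`.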
From 89f372d742a2a8d8d9638fc11246ea6c36711280 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:58:32 +0000
Subject: [PATCH 007/211] rqlite/8.36.0 package update (#36757)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rqlite.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rqlite.yaml b/rqlite.yaml
index 7c15931e54c..0b0c00391dd 100644
--- a/rqlite.yaml
+++ b/rqlite.yaml
@@ -1,6 +1,6 @@
package:
name: rqlite
- version: 8.35.0
+ version: 8.36.0
epoch: 0
description: The lightweight, distributed relational database built on SQLite
copyright:
@@ -19,7 +19,7 @@ pipeline:
with:
repository: https://github.com/rqlite/rqlite
tag: v${{package.version}}
- expected-commit: 4d375257bc800fee36f889b1ab9192d3aa58197a
+ expected-commit: 72a2858148ca055442321676d28c7fbc187a9b94
- runs: |
# docker-entrypoint.sh: update hardcoded docker entrypoint
From d3cd64f3778b3d987f03c39683f227e7230b8b4e Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:58:59 +0000
Subject: [PATCH 008/211] py3-google-cloud-recommendations-ai/0.10.15 package
update (#36760)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
py3-google-cloud-recommendations-ai.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/py3-google-cloud-recommendations-ai.yaml b/py3-google-cloud-recommendations-ai.yaml
index 0b82ddd6e25..cd20f49f640 100644
--- a/py3-google-cloud-recommendations-ai.yaml
+++ b/py3-google-cloud-recommendations-ai.yaml
@@ -1,6 +1,6 @@
package:
name: py3-google-cloud-recommendations-ai
- version: 0.10.14
+ version: 0.10.15
epoch: 0
description: Google Cloud Recommendations Ai API client library
copyright:
@@ -27,7 +27,7 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: 5a281bedcf84b5292018a1f030464b4511e1324f
+ expected-commit: 20b8aaf927b4d3e1bf7261218e690c43005e471f
repository: https://github.com/googleapis/google-cloud-python
tag: google-cloud-recommendations-ai-v${{package.version}}
From 55e594a6362e7613c7b61b4dcf850fb2e4f50b98 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:59:33 +0000
Subject: [PATCH 009/211] ruby3.4-logger/1.6.3 package update (#36755)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
ruby3.4-logger.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruby3.4-logger.yaml b/ruby3.4-logger.yaml
index 1358af4a917..69b8a341431 100644
--- a/ruby3.4-logger.yaml
+++ b/ruby3.4-logger.yaml
@@ -1,7 +1,7 @@
# Generated from https://github.com/ruby/logger
package:
name: ruby3.4-logger
- version: 1.6.2
+ version: 1.6.3
epoch: 0
description: Provides a simple logging utility for outputting messages.
copyright:
@@ -26,7 +26,7 @@ pipeline:
with:
repository: https://github.com/ruby/logger
tag: v${{package.version}}
- expected-commit: 2d07f086f8aa0bd5923a072ce7bd15e5dd301f16
+ expected-commit: 97bce95f49fa7856a696bd8b55c5545dc6a977e6
- uses: ruby/build
with:
From 0e6e4bd1d2f872cdce8bddf11e7ee03d668cd076 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:59:53 +0000
Subject: [PATCH 010/211] ruby3.2-logger/1.6.3 package update (#36759)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
ruby3.2-logger.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruby3.2-logger.yaml b/ruby3.2-logger.yaml
index e9a57726b09..ea62184d192 100644
--- a/ruby3.2-logger.yaml
+++ b/ruby3.2-logger.yaml
@@ -1,7 +1,7 @@
# Generated from https://github.com/ruby/logger
package:
name: ruby3.2-logger
- version: 1.6.2
+ version: 1.6.3
epoch: 0
description: Provides a simple logging utility for outputting messages.
copyright:
@@ -26,7 +26,7 @@ pipeline:
with:
repository: https://github.com/ruby/logger
tag: v${{package.version}}
- expected-commit: 2d07f086f8aa0bd5923a072ce7bd15e5dd301f16
+ expected-commit: 97bce95f49fa7856a696bd8b55c5545dc6a977e6
- uses: ruby/build
with:
From 1c4a77428d2edde2c64c1e20dcd0041c319a6dd2 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Thu, 12 Dec 2024 19:09:25 -0700
Subject: [PATCH 011/211] chore: Enable debug when using make debug/foo
(#36752)
This seems straightforward enough to me
Signed-off-by: RJ Sampson
---
Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 7531da89d52..dc396e89572 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ MELANGE_OPTS += ${MELANGE_EXTRA_OPTS}
# Enter interactive mode on failure for debug
MELANGE_DEBUG_OPTS += --interactive
+MELANGE_DEBUG_OPTS += --debug
MELANGE_DEBUG_OPTS += --package-append apk-tools
MELANGE_DEBUG_OPTS += ${MELANGE_OPTS}
From cecca5a1319bc4761aa941382dab981f32b7a727 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 02:18:04 +0000
Subject: [PATCH 012/211] ruby3.3-logger/1.6.3 package update (#36754)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
ruby3.3-logger.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruby3.3-logger.yaml b/ruby3.3-logger.yaml
index ea20f535eeb..7749488429f 100644
--- a/ruby3.3-logger.yaml
+++ b/ruby3.3-logger.yaml
@@ -1,7 +1,7 @@
# Generated from https://github.com/ruby/logger
package:
name: ruby3.3-logger
- version: 1.6.2
+ version: 1.6.3
epoch: 0
description: Provides a simple logging utility for outputting messages.
copyright:
@@ -26,7 +26,7 @@ pipeline:
with:
repository: https://github.com/ruby/logger
tag: v${{package.version}}
- expected-commit: 2d07f086f8aa0bd5923a072ce7bd15e5dd301f16
+ expected-commit: 97bce95f49fa7856a696bd8b55c5545dc6a977e6
- uses: ruby/build
with:
From 65b888b9d64f78e50d559432d4cdd0a63621832f Mon Sep 17 00:00:00 2001
From: Scott Moser
Date: Thu, 12 Dec 2024 21:54:13 -0500
Subject: [PATCH 013/211] Add test/ldd-check pipeline, replace ldd 'tests' with
it. (#36708)
I happened to see the test that aws-c-s3 had in place
and realized that it does not actually notice failure.
Running `ldd` on a program or library with missing dependencies
will exit zero unless ldd itself fails.
The added 'test/ldd-check' pipeline will check and list missing
dependencies.
---
aws-c-auth.yaml | 12 +++----
aws-c-cal.yaml | 12 +++----
aws-c-common.yaml | 12 +++----
aws-c-compression.yaml | 12 +++----
aws-c-event-stream.yaml | 12 +++----
aws-c-http.yaml | 12 +++----
aws-c-mqtt.yaml | 9 +++---
aws-c-s3.yaml | 10 ++----
aws-c-sdkutils.yaml | 10 ++----
aws-checksums.yaml | 10 ++----
chromium.yaml | 7 +++--
expat.yaml | 6 ++--
pipelines/test/ldd-check.yaml | 59 +++++++++++++++++++++++++++++++++++
rtmpdump.yaml | 5 +--
s2n-tls.yaml | 6 ++--
15 files changed, 109 insertions(+), 85 deletions(-)
create mode 100644 pipelines/test/ldd-check.yaml
diff --git a/aws-c-auth.yaml b/aws-c-auth.yaml
index 563973c8943..31f71fc166d 100644
--- a/aws-c-auth.yaml
+++ b/aws-c-auth.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-auth
version: 0.8.0
- epoch: 0
+ epoch: 1
description: "C99 library implementation of AWS client-side authentication: standard credentials providers and signing"
copyright:
- license: Apache-2.0
@@ -64,14 +64,10 @@ subpackages:
description: aws-c-auth dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-auth.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-auth.so.1.0.0
update:
enabled: true
diff --git a/aws-c-cal.yaml b/aws-c-cal.yaml
index 8062bd25bc7..f9b58e3037b 100644
--- a/aws-c-cal.yaml
+++ b/aws-c-cal.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-cal
version: 0.8.1
- epoch: 0
+ epoch: 1
description: "AWS Crypto Abstraction Layer: Cross-Platform, C99 wrapper for cryptography primitives"
copyright:
- license: Apache-2.0
@@ -58,14 +58,10 @@ subpackages:
description: aws-c-cal dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-cal.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-cal.so.1.0.0
update:
enabled: true
diff --git a/aws-c-common.yaml b/aws-c-common.yaml
index 4ac8610b293..16cf77ace2f 100644
--- a/aws-c-common.yaml
+++ b/aws-c-common.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-common
version: 0.10.6
- epoch: 0
+ epoch: 1
description: Core c99 package for AWS SDK for C including cross-platform primitives, configuration, data structures, and error handling
copyright:
- license: Apache-2.0
@@ -57,14 +57,10 @@ subpackages:
description: aws-c-common dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-common.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-common.so.1.0.0
update:
enabled: true
diff --git a/aws-c-compression.yaml b/aws-c-compression.yaml
index 3b088a9f0a3..0213999e0d8 100644
--- a/aws-c-compression.yaml
+++ b/aws-c-compression.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-compression
version: 0.3.0
- epoch: 0
+ epoch: 1
description: C99 implementation of huffman encoding/decoding
copyright:
- license: Apache-2.0
@@ -54,14 +54,10 @@ subpackages:
description: aws-c-compression dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-compression.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-compression.so.1.0.0
update:
enabled: true
diff --git a/aws-c-event-stream.yaml b/aws-c-event-stream.yaml
index 5c3eb8b3881..b385699bb39 100644
--- a/aws-c-event-stream.yaml
+++ b/aws-c-event-stream.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-event-stream
version: 0.5.0
- epoch: 0
+ epoch: 1
description: "AWS C99 implementation of the vnd.amazon.eventstream content-type"
copyright:
- license: Apache-2.0
@@ -62,14 +62,10 @@ subpackages:
description: aws-c-event-stream dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-event-stream.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-event-stream.so.1.0.0
update:
enabled: true
diff --git a/aws-c-http.yaml b/aws-c-http.yaml
index 3c1f798288a..dd78cc97bbe 100644
--- a/aws-c-http.yaml
+++ b/aws-c-http.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-http
version: 0.9.2
- epoch: 0
+ epoch: 1
description: AWS C99 implementation of the HTTP/1.1 and HTTP/2 specifications
copyright:
- license: Apache-2.0
@@ -61,14 +61,10 @@ subpackages:
description: aws-c-http dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-http.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-http.so.1.0.0
update:
enabled: true
diff --git a/aws-c-mqtt.yaml b/aws-c-mqtt.yaml
index 074b7d6ff0d..77c6bd24de1 100644
--- a/aws-c-mqtt.yaml
+++ b/aws-c-mqtt.yaml
@@ -1,7 +1,7 @@
package:
name: aws-c-mqtt
version: 0.11.0
- epoch: 0
+ epoch: 1
description: AWS C99 implementation of the MQTT 3.1.1 specification
copyright:
- license: Apache-2.0
@@ -79,12 +79,11 @@ test:
- aws-c-io-dev
- build-base
- gcc
- - posix-libc-utils
- aws-c-mqtt-dev
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-mqtt.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-mqtt.so.1.0.0
- name: "Compile simple MQTT test program"
runs: |
cat << 'EOF' > test.c
diff --git a/aws-c-s3.yaml b/aws-c-s3.yaml
index 19e5c68279f..30cc87f9244 100644
--- a/aws-c-s3.yaml
+++ b/aws-c-s3.yaml
@@ -74,14 +74,10 @@ subpackages:
description: aws-c-s3 dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-s3.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-s3.so.1.0.0
update:
enabled: true
diff --git a/aws-c-sdkutils.yaml b/aws-c-sdkutils.yaml
index ab686d22c5c..a43d1bb4b88 100644
--- a/aws-c-sdkutils.yaml
+++ b/aws-c-sdkutils.yaml
@@ -57,14 +57,10 @@ subpackages:
description: aws-c-sdkutils dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-c-sdkutils.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-c-sdkutils.so.1.0.0
update:
enabled: true
diff --git a/aws-checksums.yaml b/aws-checksums.yaml
index d925403c4cf..c5b67f7a447 100644
--- a/aws-checksums.yaml
+++ b/aws-checksums.yaml
@@ -57,14 +57,10 @@ subpackages:
description: aws-checksums dev
test:
- environment:
- contents:
- packages:
- - posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libaws-checksums.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libaws-checksums.so.1.0.0
update:
enabled: true
diff --git a/chromium.yaml b/chromium.yaml
index 73ac2199fed..f5f3788a07e 100644
--- a/chromium.yaml
+++ b/chromium.yaml
@@ -330,15 +330,16 @@ test:
#- py3-pip
#- python3
pipeline:
+ - uses: test/ldd-check
+ with:
+ verbose: true
+ files: /usr/lib/chromium/chrome
- runs: |
# Make sure Chrome and ChromeDriver are at the correct path
test -x /usr/lib/chromium/chrome
test -x /usr/lib/chromium/chromedriver
test -f /usr/lib/chromium/locales/en-US.pak
- # Ensure all libraries are linked
- ldd /usr/lib/chromium/chrome
-
# Check status with new headless mode
chromium --no-sandbox --headless --disable-gpu --dump-dom https://www.chromestatus.com
diff --git a/expat.yaml b/expat.yaml
index f35f2461ff7..9e5f32f9e7f 100644
--- a/expat.yaml
+++ b/expat.yaml
@@ -97,9 +97,9 @@ test:
gcc -o test test.c -lexpat
./test
- - name: "Check shared library"
- runs: |
- ldd /usr/lib/libexpat.so.1
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libexpat.so.1
- name: "Verify XML parsing functionality"
runs: |
cat > test.xml << EOF
diff --git a/pipelines/test/ldd-check.yaml b/pipelines/test/ldd-check.yaml
new file mode 100644
index 00000000000..ca68c3bf3dc
--- /dev/null
+++ b/pipelines/test/ldd-check.yaml
@@ -0,0 +1,59 @@
+name: ldd-check
+
+needs:
+ packages:
+ - busybox
+ - posix-libc-utils
+
+inputs:
+ files:
+ description: |
+ The files to run `ldd` on and check for missing deps.
+ required: true
+ verbose:
+ description: |
+ Should the full ldd output be shown
+ required: false
+ default: false
+
+pipeline:
+ - name: "run ldd on provided files"
+ runs: |
+ set +x
+ set -f
+ error() { echo "ERROR[ldd-check]:" "$@"; exit 1; }
+ fail() { echo "FAIL[ldd-check]:" "$@"; fails=$((fails+1)); }
+ pass() { echo "PASS[ldd-check]:" "$@"; passes=$((passes+1)); }
+ cleanup() { [ -n "$tmpd" -o -z "$tmpd" ] && return 0; rm -Rf "$tmpd"; }
+
+ tmpd=$(mktemp -d) || fail "ERROR: failed to create tmpdir"
+ trap cleanup EXIT
+
+ fails=0
+ passes=0
+ files="${{inputs.files}}"
+ verbose="${{inputs.verbose}}"
+ case "$verbose" in
+ true|false) :;;
+ *) error "verbose must be 'true' or 'false'. found '$verbose'";;
+ esac
+
+ export LANG=C
+ set -- $files
+ outf="$tmpd/out"
+ for f in "$@"; do
+ [ -e "$f" ] || { fail "$f: does not exist"; continue; }
+ [ -f "$f" ] || { fail "$f: not a file"; continue; }
+ ldd "$f" > "$outf" || { fail "$f: ldd exited $?"; continue; }
+ missing=$(awk \
+ '$0 ~ /=> not found/ { miss = miss " " $1; }; END { printf("%s\n", miss); }' \
+ "$outf") || error "$f: parsing with awk failed $?";
+ if [ "$verbose" = "true" ]; then
+ echo "> $ ldd $f"
+ sed 's,^,> ,' "$outf"
+ fi
+ [ -z "$missing" ] && { pass "$f"; continue; }
+ fail "$f: missing ${missing# }"
+ done
+ echo "tested $((passes+fails)) files with ldd. $passes passes. $fails fails."
+ exit $fails
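Review bot: The `cleanup` function in the new script never removes the temporary directory, because `[ -n "$tmpd" -o -z "$tmpd" ]` is true for every value and the function returns before `rm -Rf`; it should read `cleanup() { [ -z "$tmpd" ] || rm -Rf "$tmpd"; }`. The `mktemp -d` failure path calls `fail`, which only increments a counter that `fails=0` resets two lines later, so the script continues with an empty `$tmpd` and writes its output to `/out`; use `tmpd=$(mktemp -d) || error "failed to create tmpdir"`. `exit $fails` wraps modulo 256, so exactly 256 failing files would report success; `[ "$fails" -eq 0 ] || exit 1` avoids that.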
diff --git a/rtmpdump.yaml b/rtmpdump.yaml
index 73fe96d75b9..90cb133c30f 100644
--- a/rtmpdump.yaml
+++ b/rtmpdump.yaml
@@ -79,8 +79,9 @@ test:
pipeline:
- name: Smoke test for rtmpdump binary
runs: rtmpdump --help
- - name: "Check shared library"
- runs: ldd /usr/lib/librtmp.so.1
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/librtmp.so.1
- name: Compile and link a simple C program
runs: |
cat < test_rtmp.c
diff --git a/s2n-tls.yaml b/s2n-tls.yaml
index e2e276a5aca..04df12d2e7a 100644
--- a/s2n-tls.yaml
+++ b/s2n-tls.yaml
@@ -64,9 +64,9 @@ test:
packages:
- posix-libc-utils
pipeline:
- - name: "Verify shared library dependencies"
- runs: |
- ldd /usr/lib/libs2n.so.1.0.0
+ - uses: test/ldd-check
+ with:
+ files: /usr/lib/libs2n.so.1.0.0
update:
enabled: true
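Review bot: The test environment here still lists `posix-libc-utils` (context lines above `pipeline:`), although the new `test/ldd-check` pipeline declares that package under `needs:`. The other converted files on this page that had the same block dropped it. If nothing else in this test uses the package, remove the `environment:` block for consistency; the start of the `test:` section is outside the hunk, so other consumers cannot be ruled out from here.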
From dbb5689070a09171b54a7ab0c76a79eda9531ae8 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:06:54 +0000
Subject: [PATCH 014/211] step-issuer/0.9.6-r0: cve remediation (#36769)
step-issuer/0.9.6-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/step-issuer.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
step-issuer.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/step-issuer.yaml b/step-issuer.yaml
index 0f33ef5af04..e3109cf0b2f 100644
--- a/step-issuer.yaml
+++ b/step-issuer.yaml
@@ -1,7 +1,7 @@
package:
name: step-issuer
version: 0.9.6
- epoch: 0
+ epoch: 1
description: A certificate issuer for cert-manager using step certificates CA
copyright:
- license: Apache-2.0
@@ -17,6 +17,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 8eab66b96ec11e0f4dfd742c55cafa5e0a4890ac
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./
From cc0fcea865b3aa39126aa199d84fa56987722b6f Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:07:10 +0000
Subject: [PATCH 015/211] helm-docs/1.14.2-r2: cve remediation (#36764)
helm-docs/1.14.2-r2: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/helm-docs.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
helm-docs.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/helm-docs.yaml b/helm-docs.yaml
index 6a1dcd25ce0..0390252e878 100644
--- a/helm-docs.yaml
+++ b/helm-docs.yaml
@@ -1,7 +1,7 @@
package:
name: helm-docs
version: 1.14.2
- epoch: 2
+ epoch: 3
description: A tool for automatically generating markdown documentation for helm charts
copyright:
- license: GPL-3.0-only
@@ -26,6 +26,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 37d3055fece566105cf8cff7c17b7b2355a01677
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make helm-docs
install -Dm755 ./helm-docs "${{targets.contextdir}}/usr/bin/helm-docs"
From 8719089f0877b156083bdd40e606c9718cdc91f9 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:07:24 +0000
Subject: [PATCH 016/211] flux-kustomize-controller/1.4.0-r0: cve remediation
(#36765)
flux-kustomize-controller/1.4.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/flux-kustomize-controller.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
flux-kustomize-controller.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/flux-kustomize-controller.yaml b/flux-kustomize-controller.yaml
index 0de16882af5..bd08915c189 100644
--- a/flux-kustomize-controller.yaml
+++ b/flux-kustomize-controller.yaml
@@ -1,7 +1,7 @@
package:
name: flux-kustomize-controller
version: 1.4.0
- epoch: 0
+ epoch: 1
description: The GitOps Toolkit Kustomize reconciler
copyright:
- license: Apache-2.0
@@ -36,6 +36,10 @@ pipeline:
repository: https://github.com/fluxcd/kustomize-controller
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
ldflags: -s -w -X main.Version=${{package.version}}
From 7069f08ac91503ba1dca71fc5b8e0feb13e67a94 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:07:37 +0000
Subject: [PATCH 017/211] kubernetes-event-exporter/1.7-r11: cve remediation
(#36762)
kubernetes-event-exporter/1.7-r11: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kubernetes-event-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kubernetes-event-exporter.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes-event-exporter.yaml b/kubernetes-event-exporter.yaml
index df9722da72b..a034a0cd13b 100644
--- a/kubernetes-event-exporter.yaml
+++ b/kubernetes-event-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: kubernetes-event-exporter
version: "1.7"
- epoch: 11
+ epoch: 12
description: Export Kubernetes events to multiple destinations with routing and filtering
copyright:
- license: Apache-2.0
@@ -26,7 +26,7 @@ pipeline:
- uses: go/bump
with:
- deps: google.golang.org/grpc@v1.56.3 github.com/sirupsen/logrus@v1.9.3 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/hashicorp/go-retryablehttp@v0.7.7
+ deps: google.golang.org/grpc@v1.56.3 github.com/sirupsen/logrus@v1.9.3 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/hashicorp/go-retryablehttp@v0.7.7 golang.org/x/crypto@v0.31.0
modroot: .
- uses: go/build
From f3044f2c4f751f28cc9e78f52112b37763b9d3bf Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:07:53 +0000
Subject: [PATCH 018/211] ollama/0.5.1-r0: cve remediation (#36767)
ollama/0.5.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/ollama.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
ollama.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ollama.yaml b/ollama.yaml
index c80368a76a1..c8e2e9ed773 100644
--- a/ollama.yaml
+++ b/ollama.yaml
@@ -1,7 +1,7 @@
package:
name: ollama
version: 0.5.1
- epoch: 0
+ epoch: 1
description: Get up and running with Llama 2 and other large language models locally
copyright:
- license: MIT
@@ -22,6 +22,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: de52b6c2f90ff220ed9469167d51e3f5d7474fa2
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
go generate ./...
CGO_ENABLED=1 go build -ldflags '-linkmode external -extldflags "-static"' .
From 41047b6abbdfb03eb6d4bdb36a2bbd46601771d4 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:08:06 +0000
Subject: [PATCH 019/211] syft/1.18.0-r0: cve remediation (#36766)
syft/1.18.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/syft.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
syft.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/syft.yaml b/syft.yaml
index 364732c184e..63cec52ae15 100644
--- a/syft.yaml
+++ b/syft.yaml
@@ -1,7 +1,7 @@
package:
name: syft
version: 1.18.0
- epoch: 0
+ epoch: 1
description: CLI tool and library for generating a Software Bill of Materials from container images and filesystems
copyright:
- license: Apache-2.0
@@ -17,6 +17,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: d38efb0b7fb7106909bc532a4efc68b78a917a34
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
ldflags: -X main.version=${{package.version}}
From a26f77353a64b43feae43afe3b6c8bf39afbb7de Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:08:25 +0000
Subject: [PATCH 020/211] tigera-operator-1.36/1.36.3-r0: cve remediation
(#36768)
tigera-operator-1.36/1.36.3-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/tigera-operator-1.36.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
tigera-operator-1.36.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tigera-operator-1.36.yaml b/tigera-operator-1.36.yaml
index 1fa43e5e67b..6c987213647 100644
--- a/tigera-operator-1.36.yaml
+++ b/tigera-operator-1.36.yaml
@@ -1,7 +1,7 @@
package:
name: tigera-operator-1.36
version: 1.36.3
- epoch: 0
+ epoch: 1
description: Kubernetes operator for installing Calico and Calico Enterprise
copyright:
- license: Apache-2.0
@@ -25,6 +25,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 4564fea4e90f0c6a7ac5b8ad1feb3222e580fb42
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
PACKAGE_NAME=github.com/tigera/operator
ARCH=$(go env GOARCH)
From a6d6e4a9fc50a865b20baa138297e2efe133c55a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:08:40 +0000
Subject: [PATCH 021/211] authservice/1.0.3-r0: cve remediation (#36761)
authservice/1.0.3-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/authservice.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
authservice.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/authservice.yaml b/authservice.yaml
index 80408912e70..5d3e2db16f2 100644
--- a/authservice.yaml
+++ b/authservice.yaml
@@ -1,7 +1,7 @@
package:
name: authservice
version: 1.0.3
- epoch: 0
+ epoch: 1
description: Move OIDC token acquisition out of your app code and into the Istio mesh
copyright:
- license: Apache-2.0
@@ -17,6 +17,10 @@ pipeline:
repository: https://github.com/istio-ecosystem/authservice
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd
From 2120698c9c8170c2d777c012cb17bd629185c2d9 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 03:08:54 +0000
Subject: [PATCH 022/211] doppler-kubernetes-operator/1.5.1-r5: cve remediation
(#36763)
doppler-kubernetes-operator/1.5.1-r5: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/doppler-kubernetes-operator.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
doppler-kubernetes-operator.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doppler-kubernetes-operator.yaml b/doppler-kubernetes-operator.yaml
index b9180bfc472..3ac07d88b07 100644
--- a/doppler-kubernetes-operator.yaml
+++ b/doppler-kubernetes-operator.yaml
@@ -1,7 +1,7 @@
package:
name: doppler-kubernetes-operator
version: 1.5.1
- epoch: 5
+ epoch: 6
description: Automatically sync secrets from Doppler to Kubernetes and auto-reload deployments when secrets change.
copyright:
- license: Apache-2.0
@@ -21,7 +21,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/gogo/protobuf@v1.3.2 golang.org/x/crypto@v0.17.0 github.com/prometheus/client_golang@v1.11.1 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/gogo/protobuf@v1.3.2 github.com/prometheus/client_golang@v1.11.1 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- runs: |
CGO_ENABLED=0 GO111MODULE=on GOOS=$(go env GOOS) GOARCH=$(go env GOARCH)
From 0cbaf68b6a26d8cba7cb456aea79e8ed6abd5668 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:04:22 +0000
Subject: [PATCH 023/211] prometheus-elasticsearch-exporter/1.8.0-r0: cve
remediation (#36779)
prometheus-elasticsearch-exporter/1.8.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-elasticsearch-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-elasticsearch-exporter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-elasticsearch-exporter.yaml b/prometheus-elasticsearch-exporter.yaml
index 0282a1f964f..d2d3a6896bb 100644
--- a/prometheus-elasticsearch-exporter.yaml
+++ b/prometheus-elasticsearch-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-elasticsearch-exporter
version: 1.8.0
- epoch: 0
+ epoch: 1
description: Elasticsearch stats exporter for Prometheus
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: fd25030ff57e9eedc397616e6b8b620d396e4736
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make common-build
From 90e7d078d3f0116060a3c7d5cdb5cc48d8182317 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:04:34 +0000
Subject: [PATCH 024/211] glab/1.50.0-r0: cve remediation (#36775)
glab/1.50.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/glab.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
glab.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/glab.yaml b/glab.yaml
index 1bc7045fb5c..38e48027779 100644
--- a/glab.yaml
+++ b/glab.yaml
@@ -5,7 +5,7 @@
package:
name: glab
version: 1.50.0
- epoch: 0
+ epoch: 1
description: A GitLab CLI tool bringing GitLab to your command line
copyright:
- license: MIT
@@ -23,6 +23,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 2f23daa519be7cdd2562255235f6b1ad0da1931d
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/glab
From eb63bf41c6935a2db6e4cfdea51ede62cc5506ed Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:04:50 +0000
Subject: [PATCH 025/211] tkn/0.39.0-r0: cve remediation (#36774)
tkn/0.39.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/tkn.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
tkn.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tkn.yaml b/tkn.yaml
index c4d0e82ded5..36d73386b58 100644
--- a/tkn.yaml
+++ b/tkn.yaml
@@ -1,7 +1,7 @@
package:
name: tkn
version: 0.39.0
- epoch: 0
+ epoch: 1
description: A CLI for interacting with Tekton!
copyright:
- license: Apache-2.0
@@ -22,6 +22,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: cb2f6797bf2c48dc60d5b4e23f015e35f5f42d78
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make bin/tkn
install -Dm755 ./bin/tkn ${{targets.destdir}}/usr/bin/tkn
From c5702cab21486a3d27b7779001e68ab028e5d35b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:05:03 +0000
Subject: [PATCH 026/211] prometheus-postgres-exporter/0.16.0-r0: cve
remediation (#36773)
prometheus-postgres-exporter/0.16.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-postgres-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-postgres-exporter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-postgres-exporter.yaml b/prometheus-postgres-exporter.yaml
index 87f9244c522..c3b61e700da 100644
--- a/prometheus-postgres-exporter.yaml
+++ b/prometheus-postgres-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-postgres-exporter
version: 0.16.0
- epoch: 0
+ epoch: 1
description: Prometheus Exporter for Postgres server metrics
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: a324fe37bca5193a293118b940b3df7ab3a8505c
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make build
From a6b6d9a589b766c1f5baa965e52c3a23aa3aae1e Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:05:20 +0000
Subject: [PATCH 027/211] node-feature-discovery-0.16/0.16.6-r2: cve
remediation (#36771)
node-feature-discovery-0.16/0.16.6-r2: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/node-feature-discovery-0.16.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
node-feature-discovery-0.16.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/node-feature-discovery-0.16.yaml b/node-feature-discovery-0.16.yaml
index d7262d77797..e7fc323b4a8 100644
--- a/node-feature-discovery-0.16.yaml
+++ b/node-feature-discovery-0.16.yaml
@@ -1,7 +1,7 @@
package:
name: node-feature-discovery-0.16
version: 0.16.6
- epoch: 2
+ epoch: 3
description: Node feature discovery for Kubernetes
copyright:
- license: Apache-2.0
@@ -27,6 +27,11 @@ pipeline:
mkdir -p ${{targets.contextdir}}/etc/kubernetes/node-feature-discovery/
cp ./deployment/components/worker-config/nfd-worker.conf.example ${{targets.contextdir}}/etc/kubernetes/node-feature-discovery/nfd-worker.conf
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
modroot: .
From e0128033cc7dec8081fc2a62209d95822af92427 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:05:38 +0000
Subject: [PATCH 028/211] sftpgo-plugin-kms/1.0.14-r0: cve remediation (#36776)
sftpgo-plugin-kms/1.0.14-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/sftpgo-plugin-kms.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
sftpgo-plugin-kms.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sftpgo-plugin-kms.yaml b/sftpgo-plugin-kms.yaml
index e2b803398eb..82e54e6267b 100644
--- a/sftpgo-plugin-kms.yaml
+++ b/sftpgo-plugin-kms.yaml
@@ -1,7 +1,7 @@
package:
name: sftpgo-plugin-kms
version: 1.0.14
- epoch: 0
+ epoch: 1
description: "Additional KMS secret providers for SFTPGo"
copyright:
- license: AGPL-3.0-only
@@ -13,6 +13,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 80fef54ef2a087cc8d515a2a330db6ba62350301
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From ab100af62e30f6b1a21d2b8f2d9a73a0009799fd Mon Sep 17 00:00:00 2001
From: jamie-albert
Date: Thu, 12 Dec 2024 20:55:45 -0800
Subject: [PATCH 029/211] nodetaint/GHSA-27wf-5967-98gx fix (#36568)
This is a good example as to how cluttered a package can get when
attempting to remediate k8s dependencies with go mod / go/bump. It is a
simple version bump but the dependencies are so tightly coupled and with
no recursive dependency updating there can be trial and error in finding
everything needing to be updated. Anyway, version bumped, epoch bumped.
---
nodetaint.yaml | 53 +++++++++++++++++++++++++-------------------------
1 file changed, 26 insertions(+), 27 deletions(-)
diff --git a/nodetaint.yaml b/nodetaint.yaml
index ee2e29b2e89..5a6caf7d173 100644
--- a/nodetaint.yaml
+++ b/nodetaint.yaml
@@ -1,7 +1,7 @@
package:
name: nodetaint
version: 0.0.4
- epoch: 22
+ epoch: 23
description: Controller to manage taints for nodes in a k8s cluster.
copyright:
- license: Apache-2.0
@@ -23,36 +23,35 @@ pipeline:
- uses: go/bump
with:
- deps: k8s.io/api@v0.27.13 k8s.io/client-go@v0.27.13 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 k8s.io/apimachinery@v0.27.13 k8s.io/kubernetes@v1.27.16
+ deps: k8s.io/api@v0.28.15 k8s.io/client-go@v0.28.15 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 k8s.io/apimachinery@v0.28.15 k8s.io/kubernetes@v1.28.15
- runs: |
- # Mitigate CVE-2023-39325, CVE-2023-3978, CVE-2023-44487
+ # Mitigate CVE-2023-39325, CVE-2023-3978, CVE-2023-44487, GHSA-27wf-5967-98gx
# CVE-2021-25736, CVE-2023-3676, CVE-2023-3955, GHSA-8cfg-vx93-jvxw
- go mod edit -replace=k8s.io/api=k8s.io/api@v0.27.8
- go mod edit -replace=k8s.io/apiextensions-apiserver=k8s.io/apiextensions-apiserver@v0.27.8
- go mod edit -replace=k8s.io/apimachinery=k8s.io/apimachinery@v0.27.8
- go mod edit -replace=k8s.io/apiserver=k8s.io/apiserver@v0.27.8
- go mod edit -replace=k8s.io/cli-runtime=k8s.io/cli-runtime@v0.27.8
- go mod edit -replace=k8s.io/client-go=k8s.io/client-go@v0.27.8
- go mod edit -replace=k8s.io/cloud-provider=k8s.io/cloud-provider@v0.27.8
- go mod edit -replace=k8s.io/cluster-bootstrap=k8s.io/cluster-bootstrap@v0.27.8
- go mod edit -replace=k8s.io/code-generator=k8s.io/code-generator@v0.27.8
- go mod edit -replace=k8s.io/component-base=k8s.io/component-base@v0.27.8
- go mod edit -replace=k8s.io/cri-api=k8s.io/cri-api@v0.27.8
- go mod edit -replace=k8s.io/csi-translation-lib=k8s.io/csi-translation-lib@v0.27.8
- go mod edit -replace=k8s.io/kube-aggregator=k8s.io/kube-aggregator@v0.27.8
- go mod edit -replace=k8s.io/kube-controller-manager=k8s.io/kube-controller-manager@v0.27.8
- go mod edit -replace=k8s.io/kube-proxy=k8s.io/kube-proxy@v0.27.8
- go mod edit -replace=k8s.io/kube-scheduler=k8s.io/kube-scheduler@v0.27.8
- go mod edit -replace=k8s.io/kubectl=k8s.io/kubectl@v0.27.8
- go mod edit -replace=k8s.io/kubelet=k8s.io/kubelet@v0.27.8
- go mod edit -replace=k8s.io/legacy-cloud-providers=k8s.io/legacy-cloud-providers@v0.27.8
- go mod edit -replace=k8s.io/metrics=k8s.io/metrics@v0.27.8
- go mod edit -replace=k8s.io/sample-apiserver=k8s.io/sample-apiserver@v0.27.8
- go mod edit -replace=k8s.io/sample-cli-plugin=k8s.io/sample-cli-plugin@v0.27.8
- go mod edit -replace=k8s.io/sample-controller=k8s.io/sample-controller@v0.27.8
-
+ go mod edit -replace=k8s.io/api=k8s.io/api@v0.28.15
+ go mod edit -replace=k8s.io/apiextensions-apiserver=k8s.io/apiextensions-apiserver@v0.28.15
+ go mod edit -replace=k8s.io/apimachinery=k8s.io/apimachinery@v0.28.15
+ go mod edit -replace=k8s.io/apiserver=k8s.io/apiserver@v0.28.15
+ go mod edit -replace=k8s.io/cli-runtime=k8s.io/cli-runtime@v0.28.15
+ go mod edit -replace=k8s.io/client-go=k8s.io/client-go@v0.28.15
+ go mod edit -replace=k8s.io/cloud-provider=k8s.io/cloud-provider@v0.28.15
+ go mod edit -replace=k8s.io/cluster-bootstrap=k8s.io/cluster-bootstrap@v0.28.15
+ go mod edit -replace=k8s.io/code-generator=k8s.io/code-generator@v0.28.15
+ go mod edit -replace=k8s.io/component-base=k8s.io/component-base@v0.28.15
+ go mod edit -replace=k8s.io/cri-api=k8s.io/cri-api@v0.28.15
+ go mod edit -replace=k8s.io/csi-translation-lib=k8s.io/csi-translation-lib@v0.28.15
+ go mod edit -replace=k8s.io/kube-aggregator=k8s.io/kube-aggregator@v0.28.15
+ go mod edit -replace=k8s.io/kube-controller-manager=k8s.io/kube-controller-manager@v0.28.15
+ go mod edit -replace=k8s.io/kube-proxy=k8s.io/kube-proxy@v0.28.15
+ go mod edit -replace=k8s.io/kube-scheduler=k8s.io/kube-scheduler@v0.28.15
+ go mod edit -replace=k8s.io/kubectl=k8s.io/kubectl@v0.28.15
+ go mod edit -replace=k8s.io/kubelet=k8s.io/kubelet@v0.28.15
+ go mod edit -replace=k8s.io/legacy-cloud-providers=k8s.io/legacy-cloud-providers@v0.28.15
+ go mod edit -replace=k8s.io/metrics=k8s.io/metrics@v0.28.15
+ go mod edit -replace=k8s.io/sample-apiserver=k8s.io/sample-apiserver@v0.28.15
+ go mod edit -replace=k8s.io/sample-cli-plugin=k8s.io/sample-cli-plugin@v0.28.15
+ go mod edit -replace=k8s.io/sample-controller=k8s.io/sample-controller@v0.28.15
go mod tidy -compat=1.17
CGO_ENABLED=0 GOARCH=$(go env GOARCH) GOOS=$(go env GOOS) go build -o . -a -installsuffix cgo .
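Review bot: The Kubernetes release is spelled out by hand on every one of the 23 `go mod edit -replace` lines and again in the `go/bump` `deps:` line, so a later bump that misses one line can leave that module on an older, possibly still-affected release. Driving the replaces from a single variable and a module list keeps them in step and turns the next remediation into a one-line change; a sketch follows. The `k8s.io/kubernetes@v1.28.15` entry in `deps:` uses the v1.x scheme and would still be edited separately. The `runs:` block belongs to a pipeline list that starts outside this hunk.

```yaml
  - runs: |
      # … unchanged: "Mitigate CVE-…" comment lines …
      k8s_version=v0.28.15
      for mod in api apiextensions-apiserver apimachinery apiserver cli-runtime \
                 client-go cloud-provider cluster-bootstrap code-generator \
                 component-base cri-api csi-translation-lib kube-aggregator \
                 kube-controller-manager kube-proxy kube-scheduler kubectl kubelet \
                 legacy-cloud-providers metrics sample-apiserver sample-cli-plugin \
                 sample-controller; do
        go mod edit -replace="k8s.io/${mod}=k8s.io/${mod}@${k8s_version}"
      done
      # … unchanged: go mod tidy and go build …
```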
From e981aee99479a54201aa5eef6fd33cb3a943e32f Mon Sep 17 00:00:00 2001
From: jamie-albert
Date: Thu, 12 Dec 2024 20:56:20 -0800
Subject: [PATCH 030/211] kubeflow-pipelines-visualization-server
GHSA-8w49-h785-mj3c fix (#36483)
Simple version bump inside the patch file and epoch bump to resolve
GHSA-8w49-h785-mj3c
---
kubeflow-pipelines-visualization-server.yaml | 2 +-
.../0001-Bump-dependencies.patch | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubeflow-pipelines-visualization-server.yaml b/kubeflow-pipelines-visualization-server.yaml
index 3f49747b562..64ec6092272 100644
--- a/kubeflow-pipelines-visualization-server.yaml
+++ b/kubeflow-pipelines-visualization-server.yaml
@@ -1,7 +1,7 @@
package:
name: kubeflow-pipelines-visualization-server
version: 2.3.0
- epoch: 3
+ epoch: 4
description: Machine Learning Pipelines for Kubeflow
copyright:
- license: Apache-2.0
diff --git a/kubeflow-pipelines-visualization-server/0001-Bump-dependencies.patch b/kubeflow-pipelines-visualization-server/0001-Bump-dependencies.patch
index e23afbfe570..ed46fe551f8 100644
--- a/kubeflow-pipelines-visualization-server/0001-Bump-dependencies.patch
+++ b/kubeflow-pipelines-visualization-server/0001-Bump-dependencies.patch
@@ -746,7 +746,7 @@ index 00cc9a82e..8f69cbc48 100644
+threadpoolctl==3.5.0
# via scikit-learn
-tornado==6.3.3
-+tornado==6.4.1
++tornado==6.4.2
# via
# -r requirements.in
# bokeh
From 3a8c982a0ff3e45aa1af583b6712cb1bf4b3e068 Mon Sep 17 00:00:00 2001
From: jamie-albert
Date: Thu, 12 Dec 2024 20:56:44 -0800
Subject: [PATCH 031/211] py3-cassandra-medusa/GHSA-8495-4g3g-x7p fix (#36342)
Minor version and epoch bump remediates this CVE.
---
py3-cassandra-medusa.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/py3-cassandra-medusa.yaml b/py3-cassandra-medusa.yaml
index 0643b03646f..d0a15fd1197 100644
--- a/py3-cassandra-medusa.yaml
+++ b/py3-cassandra-medusa.yaml
@@ -2,7 +2,7 @@
package:
name: py3-cassandra-medusa
version: 0.22.3
- epoch: 0
+ epoch: 1
description: Apache Cassandra backup and restore tool
copyright:
- license: Apache-2.0
@@ -37,7 +37,7 @@ pipeline:
runs: |
pip install wheel
pip install poetry
- poetry add "aiohttp==3.9.4"
+ poetry add "aiohttp==3.10.11"
poetry add "certifi==2024.7.4"
poetry add "dnspython==2.6.1"
poetry add "idna==3.7"
From 8d70e3fac1d9b43465206110b2dd3aa96a4549af Mon Sep 17 00:00:00 2001
From: jamie-albert
Date: Thu, 12 Dec 2024 20:57:51 -0800
Subject: [PATCH 032/211] local-static-provisioner-GHSA-27wf-5967-98gx-fix
(#36477)
Manually created a patch that updates the affected version of k8s to the
unaffected version. k8s dependencies are a mess to try and update via the
go/bump method, so a patch is much more effective. Also remediated
[CVE-2024-45337](https://www.cve.org/CVERecord?id=CVE-2024-45337) by
bumping the golang.org/x/crypto version.
---
local-static-provisioner.yaml | 8 +-
.../k8s-GHSA-27wf-5967-98gx-fix.patch | 108 ++++++++++++++++++
2 files changed, 114 insertions(+), 2 deletions(-)
create mode 100644 local-static-provisioner/k8s-GHSA-27wf-5967-98gx-fix.patch
diff --git a/local-static-provisioner.yaml b/local-static-provisioner.yaml
index e31c8ad27ad..1c6bf51fdb8 100644
--- a/local-static-provisioner.yaml
+++ b/local-static-provisioner.yaml
@@ -1,7 +1,7 @@
package:
name: local-static-provisioner
version: 2.7.0
- epoch: 7
+ epoch: 8
description: Static provisioner of local volumes
copyright:
- license: Apache-2.0
@@ -27,9 +27,13 @@ pipeline:
tag: v${{package.version}}
expected-commit: 4f81db77908ff67d8cac223c31413a293cd65d73
+ - uses: patch
+ with:
+ patches: k8s-GHSA-27wf-5967-98gx-fix.patch
+
- uses: go/bump
with:
- deps: google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 k8s.io/apiserver@v0.27.13 k8s.io/kubernetes@v1.27.16
+ deps: google.golang.org/protobuf@v1.35.2 golang.org/x/net@v0.32.0 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
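Review bot: The new `patch` step and the rewritten `go/bump` `deps:` line now depend on each other, and nothing in the YAML records that. k8s-GHSA-27wf-5967-98gx-fix.patch changes only go.mod, so go.sum is presumably brought back in line by the tidy that `go/bump` performs afterwards. The `k8s.io/apiserver` and `k8s.io/kubernetes` pins removed from `deps:` are now carried by the patch alone. I would add a comment above the patch step, for example `# go.mod-only patch (k8s 0.27.8 -> 0.28.15); keep before go/bump, which refreshes go.sum`, and confirm that ordering assumption against the go/bump pipeline. The patch is also tied to upstream's go.mod as of this tag, so it will need regenerating at the next version update.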
diff --git a/local-static-provisioner/k8s-GHSA-27wf-5967-98gx-fix.patch b/local-static-provisioner/k8s-GHSA-27wf-5967-98gx-fix.patch
new file mode 100644
index 00000000000..bc6a7758749
--- /dev/null
+++ b/local-static-provisioner/k8s-GHSA-27wf-5967-98gx-fix.patch
@@ -0,0 +1,108 @@
+diff --git a/go.mod b/go.mod
+index d19a005d..166c689b 100644
+--- a/go.mod
++++ b/go.mod
+@@ -11,13 +11,13 @@ require (
+ github.com/spf13/pflag v1.0.5
+ golang.org/x/sys v0.17.0
+ gopkg.in/yaml.v2 v2.4.0
+- k8s.io/api v0.27.8
+- k8s.io/apimachinery v0.27.8
+- k8s.io/apiserver v0.27.8
+- k8s.io/client-go v0.27.8
+- k8s.io/component-base v0.27.8
++ k8s.io/api v0.28.15
++ k8s.io/apimachinery v0.28.15
++ k8s.io/apiserver v0.28.15
++ k8s.io/client-go v0.28.15
++ k8s.io/component-base v0.28.15
+ k8s.io/klog/v2 v2.90.1
+- k8s.io/kubernetes v1.27.8
++ k8s.io/kubernetes v1.28.15
+ k8s.io/pod-security-admission v0.0.0
+ k8s.io/utils v0.0.0-20230209194617-a36077c30491
+ sigs.k8s.io/sig-storage-lib-external-provisioner/v6 v6.3.0
+@@ -123,15 +123,15 @@ require (
+ gopkg.in/warnings.v0 v0.1.1 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+ k8s.io/apiextensions-apiserver v0.0.0 // indirect
+- k8s.io/cloud-provider v0.27.8 // indirect
+- k8s.io/component-helpers v0.27.8 // indirect
+- k8s.io/controller-manager v0.27.8 // indirect
+- k8s.io/kms v0.27.8 // indirect
++ k8s.io/cloud-provider v0.28.15 // indirect
++ k8s.io/component-helpers v0.28.15 // indirect
++ k8s.io/controller-manager v0.28.15 // indirect
++ k8s.io/kms v0.28.15 // indirect
+ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+ k8s.io/kubectl v0.0.0 // indirect
+ k8s.io/kubelet v0.0.0 // indirect
+ k8s.io/legacy-cloud-providers v0.0.0 // indirect
+- k8s.io/mount-utils v0.27.8 // indirect
++ k8s.io/mount-utils v0.28.15 // indirect
+ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
+ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+@@ -139,33 +139,33 @@ require (
+
+ replace (
+ github.com/emicklei/go-restful => github.com/emicklei/go-restful/v3 v3.8.0
+- k8s.io/api => k8s.io/api v0.27.8
+- k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.27.8
+- k8s.io/apimachinery => k8s.io/apimachinery v0.27.8
+- k8s.io/apiserver => k8s.io/apiserver v0.27.8
+- k8s.io/cli-runtime => k8s.io/cli-runtime v0.27.8
+- k8s.io/client-go => k8s.io/client-go v0.27.8
+- k8s.io/cloud-provider => k8s.io/cloud-provider v0.27.8
+- k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.27.8
+- k8s.io/code-generator => k8s.io/code-generator v0.27.8
+- k8s.io/component-base => k8s.io/component-base v0.27.8
+- k8s.io/component-helpers => k8s.io/component-helpers v0.27.8
+- k8s.io/controller-manager => k8s.io/controller-manager v0.27.8
+- k8s.io/cri-api => k8s.io/cri-api v0.27.8
+- k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.27.8
+- k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.27.8
+- k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.27.8
+- k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.27.8
+- k8s.io/kube-proxy => k8s.io/kube-proxy v0.27.8
+- k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.27.8
+- k8s.io/kubectl => k8s.io/kubectl v0.27.8
+- k8s.io/kubelet => k8s.io/kubelet v0.27.8
+- k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.27.8
+- k8s.io/metrics => k8s.io/metrics v0.27.8
+- k8s.io/mount-utils => k8s.io/mount-utils v0.27.8
+- k8s.io/node-api => k8s.io/node-api v0.27.8
+- k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.27.8
+- k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.27.8
+- k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.27.8
+- k8s.io/sample-controller => k8s.io/sample-controller v0.27.8
++ k8s.io/api => k8s.io/api v0.28.15
++ k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.15
++ k8s.io/apimachinery => k8s.io/apimachinery v0.28.15
++ k8s.io/apiserver => k8s.io/apiserver v0.28.15
++ k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.15
++ k8s.io/client-go => k8s.io/client-go v0.28.15
++ k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.15
++ k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.15
++ k8s.io/code-generator => k8s.io/code-generator v0.28.15
++ k8s.io/component-base => k8s.io/component-base v0.28.15
++ k8s.io/component-helpers => k8s.io/component-helpers v0.28.15
++ k8s.io/controller-manager => k8s.io/controller-manager v0.28.15
++ k8s.io/cri-api => k8s.io/cri-api v0.28.15
++ k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.15
++ k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.28.15
++ k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.15
++ k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.15
++ k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.15
++ k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.15
++ k8s.io/kubectl => k8s.io/kubectl v0.28.15
++ k8s.io/kubelet => k8s.io/kubelet v0.28.15
++ k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.15
++ k8s.io/metrics => k8s.io/metrics v0.28.15
++ k8s.io/mount-utils => k8s.io/mount-utils v0.28.15
++ k8s.io/node-api => k8s.io/node-api v0.28.15
++ k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.15
++ k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.15
++ k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.28.15
++ k8s.io/sample-controller => k8s.io/sample-controller v0.28.15
+ )
From d18faa41a3c1e0a63bcd2036c5639e674c93d7f5 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 05:03:53 +0000
Subject: [PATCH 033/211] pulumi-language-yaml/1.12.0-r0: cve remediation
(#36788)
pulumi-language-yaml/1.12.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/pulumi-language-yaml.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
pulumi-language-yaml.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pulumi-language-yaml.yaml b/pulumi-language-yaml.yaml
index a1698446fe5..266981635e1 100644
--- a/pulumi-language-yaml.yaml
+++ b/pulumi-language-yaml.yaml
@@ -1,7 +1,7 @@
package:
name: pulumi-language-yaml
version: 1.12.0
- epoch: 0
+ epoch: 1
description: Pulumi Language SDK for YAML
copyright:
- license: Apache-2.0
@@ -22,6 +22,11 @@ pipeline:
repository: https://github.com/pulumi/pulumi-yaml.git
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: pulumi-language-yaml
+
- pipeline:
- runs: |
set -x
From 0024f1483c1c37e1cee462bdac561cff32f9f688 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 05:04:08 +0000
Subject: [PATCH 034/211] goreleaser/2.4.8-r0: cve remediation (#36786)
goreleaser/2.4.8-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/goreleaser.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
goreleaser.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/goreleaser.yaml b/goreleaser.yaml
index 036840117c6..34ecc7f66b6 100644
--- a/goreleaser.yaml
+++ b/goreleaser.yaml
@@ -1,7 +1,7 @@
package:
name: goreleaser
version: 2.4.8
- epoch: 0
+ epoch: 1
description: Deliver Go binaries as fast and easily as possible
copyright:
- license: Apache-2.0
@@ -18,6 +18,11 @@ pipeline:
tag: v${{package.version}}
expected-commit: 377981ebd76e1bbb0dbe07d5428239ec8c5381a8
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
packages: .
From d3b87de14fcf7decab3200d4cb7badff5c2e70bd Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 05:04:21 +0000
Subject: [PATCH 035/211] q/0.19.2-r8: cve remediation (#36784)
q/0.19.2-r8: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/q.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
q.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/q.yaml b/q.yaml
index 80fab45e53a..f1003847d6e 100644
--- a/q.yaml
+++ b/q.yaml
@@ -1,7 +1,7 @@
package:
name: q
version: 0.19.2
- epoch: 8
+ epoch: 9
description: A tiny command line DNS client with support for UDP, TCP, DoT, DoH, DoQ and ODoH.
copyright:
- license: GPL-3.0-only
@@ -23,7 +23,7 @@ pipeline:
- uses: go/bump
with:
- deps: golang.org/x/crypto@v0.17.0 github.com/cloudflare/circl@v1.3.7 github.com/quic-go/quic-go@v0.42.0 golang.org/x/net@v0.23.0
+ deps: github.com/cloudflare/circl@v1.3.7 github.com/quic-go/quic-go@v0.42.0 golang.org/x/net@v0.23.0 golang.org/x/crypto@v0.31.0
- name: Configure and build
runs: |
From 525b6a4ae2e671cfbcb9ef625441f80f43c520b0 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 05:04:39 +0000
Subject: [PATCH 036/211] flux-helm-controller/1.1.0-r0: cve remediation
(#36781)
flux-helm-controller/1.1.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/flux-helm-controller.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
flux-helm-controller.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flux-helm-controller.yaml b/flux-helm-controller.yaml
index 69e59e8bbe2..0d66842052c 100644
--- a/flux-helm-controller.yaml
+++ b/flux-helm-controller.yaml
@@ -1,7 +1,7 @@
package:
name: flux-helm-controller
version: 1.1.0
- epoch: 0
+ epoch: 1
description: The GitOps Toolkit Helm reconciler, for declarative Helming
copyright:
- license: Apache-2.0
@@ -24,7 +24,7 @@ pipeline:
- uses: go/bump
with:
- deps: oras.land/oras-go@v1.2.6
+ deps: oras.land/oras-go@v1.2.6 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From a6e7e0b16d0b2b3f6842824bd6e50bcd4580d7cf Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 05:04:53 +0000
Subject: [PATCH 037/211] kube-metrics-adapter/0.2.3-r2: cve remediation
(#36787)
kube-metrics-adapter/0.2.3-r2: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kube-metrics-adapter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kube-metrics-adapter.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kube-metrics-adapter.yaml b/kube-metrics-adapter.yaml
index 9ed1d3cbf57..438324b5c89 100644
--- a/kube-metrics-adapter.yaml
+++ b/kube-metrics-adapter.yaml
@@ -1,7 +1,7 @@
package:
name: kube-metrics-adapter
version: 0.2.3
- epoch: 2
+ epoch: 3
description: General purpose metrics adapter for Kubernetes HPA metrics
copyright:
- license: MIT
@@ -15,7 +15,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/gomarkdown/markdown@v0.0.0-20240930133441-72d49d9543d8
+ deps: github.com/gomarkdown/markdown@v0.0.0-20240930133441-72d49d9543d8 golang.org/x/crypto@v0.31.0
modroot: .
- uses: go/build
From 773f13d95bac444e93ee03f44158abe115237fec Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:04:57 +0000
Subject: [PATCH 038/211] lazygit/0.44.1-r0: cve remediation (#36801)
lazygit/0.44.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/lazygit.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
lazygit.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lazygit.yaml b/lazygit.yaml
index 868f6fce706..d115144e3f9 100644
--- a/lazygit.yaml
+++ b/lazygit.yaml
@@ -1,7 +1,7 @@
package:
name: lazygit
version: 0.44.1
- epoch: 0
+ epoch: 1
description: simple terminal UI for git commands
copyright:
- license: MIT
@@ -24,7 +24,7 @@ pipeline:
- uses: go/bump
with:
- deps: golang.org/x/net@v0.23.0
+ deps: golang.org/x/net@v0.23.0 golang.org/x/crypto@v0.31.0
replaces: golang.org/x/net=golang.org/x/net@v0.23.0
- uses: go/build
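Review bot: The unchanged `replaces: golang.org/x/net=golang.org/x/net@v0.23.0` line just below the edited `deps:` still forces x/net to v0.23.0 through a replace directive, overriding whatever version the module graph would otherwise select after the x/crypto bump. If the replace is no longer needed, dropping it lets `deps:` alone set the minimum and lets later x/net fixes flow in. If it is still needed, a comment such as `# replace kept because <reason>` would record why. Whether upstream's go.mod still requires the replace is not visible from this hunk.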
From 958e5d0abf6b1ddc8065550f814e7beb46184142 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:05:12 +0000
Subject: [PATCH 039/211] nsc/2.10.0-r0: cve remediation (#36796)
nsc/2.10.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/nsc.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
nsc.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/nsc.yaml b/nsc.yaml
index 9d17c8e4d46..af3c1651450 100644
--- a/nsc.yaml
+++ b/nsc.yaml
@@ -1,7 +1,7 @@
package:
name: nsc
version: 2.10.0
- epoch: 0
+ epoch: 1
description: Tool for creating nkey/jwt based configurations
copyright:
- license: Apache-2.0
@@ -13,6 +13,11 @@ pipeline:
tag: v${{package.version}}
expected-commit: ce4b0540970b221460e0dcfaafaa7865e33f6fd2
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
packages: .
From fff6bae3fc1b790e171b0eede468a4d70cf0fc80 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:05:26 +0000
Subject: [PATCH 040/211] istio-1.24/1.24.1-r0: cve remediation (#36797)
istio-1.24/1.24.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/istio-1.24.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
istio-1.24.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/istio-1.24.yaml b/istio-1.24.yaml
index 4c1c84ee67c..7549c58dd53 100644
--- a/istio-1.24.yaml
+++ b/istio-1.24.yaml
@@ -1,7 +1,7 @@
package:
name: istio-1.24
version: 1.24.1
- epoch: 0
+ epoch: 1
description: Istio is an open source service mesh that layers transparently onto existing distributed applications.
copyright:
- license: Apache-2.0
@@ -28,6 +28,10 @@ pipeline:
tag: ${{package.version}}
expected-commit: 5c178358f9c61c50d3d6149a0b05a609a0d7defd
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
subpackages:
- name: istio-cni-${{vars.major-minor-version}}
pipeline:
From db533a75b179dfecf0efaee82f9c7823846b7dde Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:05:41 +0000
Subject: [PATCH 041/211] azuredisk-csi-1.31/1.31.1-r0: cve remediation
(#36793)
azuredisk-csi-1.31/1.31.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/azuredisk-csi-1.31.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
azuredisk-csi-1.31.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/azuredisk-csi-1.31.yaml b/azuredisk-csi-1.31.yaml
index 2e2b75d9f11..2390947b70e 100644
--- a/azuredisk-csi-1.31.yaml
+++ b/azuredisk-csi-1.31.yaml
@@ -1,7 +1,7 @@
package:
name: azuredisk-csi-1.31
version: 1.31.1
- epoch: 0
+ epoch: 1
description: Azure Disk CSI Driver
copyright:
- license: Apache-2.0
@@ -29,6 +29,10 @@ pipeline:
repository: https://github.com/kubernetes-sigs/azuredisk-csi-driver
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
ldflags: |
From 994069c5c306d2ad86bd2385f2c65fc13670ef56 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:05:56 +0000
Subject: [PATCH 042/211] loki-3.3/3.3.1-r0: cve remediation (#36791)
loki-3.3/3.3.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/loki-3.3.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
loki-3.3.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loki-3.3.yaml b/loki-3.3.yaml
index 2e91dafa7bf..5de0a6f2b48 100644
--- a/loki-3.3.yaml
+++ b/loki-3.3.yaml
@@ -1,7 +1,7 @@
package:
name: loki-3.3
version: 3.3.1
- epoch: 0
+ epoch: 1
description: Like Prometheus, but for logs.
copyright:
- license: AGPL-3.0-or-later
@@ -27,7 +27,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- uses: autoconf/make
From ca26d46f6ebe5a11b6f77adb1da267e942ef5734 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:06:12 +0000
Subject: [PATCH 043/211] ko/0.17.1-r1: cve remediation (#36799)
ko/0.17.1-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/ko.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
ko.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ko.yaml b/ko.yaml
index 3ef0c43d3a4..4d57b2431e9 100644
--- a/ko.yaml
+++ b/ko.yaml
@@ -1,7 +1,7 @@
package:
name: ko
version: 0.17.1
- epoch: 1
+ epoch: 2
description: Simple, fast container image builder for Go applications.
copyright:
- license: Apache-2.0
@@ -25,7 +25,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
modroot: ko
- uses: go/build
From 8bc7ae64354304fc5a037f79ac1d0f4b67d53fc3 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:06:26 +0000
Subject: [PATCH 044/211] k8sgpt/0.3.48-r0: cve remediation (#36794)
k8sgpt/0.3.48-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/k8sgpt.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
k8sgpt.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8sgpt.yaml b/k8sgpt.yaml
index 32d01eaed5a..97fe74bbc82 100644
--- a/k8sgpt.yaml
+++ b/k8sgpt.yaml
@@ -1,7 +1,7 @@
package:
name: k8sgpt
version: 0.3.48
- epoch: 0
+ epoch: 1
description: Giving Kubernetes Superpowers to everyone
copyright:
- license: Apache-2.0
@@ -27,7 +27,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/open-policy-agent/opa@v0.68.0
+ deps: github.com/open-policy-agent/opa@v0.68.0 golang.org/x/crypto@v0.31.0
- runs: |
make tidy
From 7e1b69385a1853961e659d10ab45202083985d38 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:06:46 +0000
Subject: [PATCH 045/211] flux-image-reflector-controller/0.33.0-r2: cve
remediation (#36795)
flux-image-reflector-controller/0.33.0-r2: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/flux-image-reflector-controller.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
flux-image-reflector-controller.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flux-image-reflector-controller.yaml b/flux-image-reflector-controller.yaml
index 172cc51d07e..a1e651a85cb 100644
--- a/flux-image-reflector-controller.yaml
+++ b/flux-image-reflector-controller.yaml
@@ -1,7 +1,7 @@
package:
name: flux-image-reflector-controller
version: 0.33.0
- epoch: 2
+ epoch: 3
description: GitOps Toolkit controller that scans container registries
copyright:
- license: Apache-2.0
@@ -24,7 +24,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From 12c4c4fada352dae797ec1d6f80060610635c5c1 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:07:06 +0000
Subject: [PATCH 046/211] crossplane-provider-gcp/1.11.0-r0: cve remediation
(#36792)
crossplane-provider-gcp/1.11.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/crossplane-provider-gcp.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
crossplane-provider-gcp.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/crossplane-provider-gcp.yaml b/crossplane-provider-gcp.yaml
index 85ccc81aa69..d235abc99be 100644
--- a/crossplane-provider-gcp.yaml
+++ b/crossplane-provider-gcp.yaml
@@ -1,7 +1,7 @@
package:
name: crossplane-provider-gcp
version: 1.11.0
- epoch: 0
+ epoch: 1
description: Official GCP Provider for Crossplane by Upbound
copyright:
- license: Apache-2.0
@@ -32,6 +32,10 @@ pipeline:
expected-commit: b2f928499b2dd0dfea778e027012349f86faec6d
recurse-submodules: true
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
# `make` downloads `up`, unless we move our prebuilt `up` to where it expects it.
GOARCH=$(go env GOARCH)
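Review bot: Nothing after the added `go/bump` step checks that the binary produced by the `make`-driven build actually links golang.org/x/crypto v0.31.0 or later. The bump edits go.mod, but the `runs:` block that follows hands the build to the upstream Makefile, and it is not visible here whether that build resolves modules from the edited go.mod rather than a vendor directory or its own module steps; the block continues outside the hunk. A check after the build such as `go version -m <built-binary> | grep golang.org/x/crypto` (the binary path is a placeholder) would make the remediation verifiable. The same point applies to the gitaly-17.6, prometheus-stackdriver-exporter, prometheus-pushgateway and minio hunks, which also place the bump ahead of a `make` build.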
From 9f49b4abd109251263676b6aa56387bdbfcae492 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:04:09 +0000
Subject: [PATCH 047/211] rabbitmq-messaging-topology-operator/1.15.0-r0: cve
remediation (#36810)
rabbitmq-messaging-topology-operator/1.15.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/rabbitmq-messaging-topology-operator.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
rabbitmq-messaging-topology-operator.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rabbitmq-messaging-topology-operator.yaml b/rabbitmq-messaging-topology-operator.yaml
index e740ce8e13f..b1a3bd19409 100644
--- a/rabbitmq-messaging-topology-operator.yaml
+++ b/rabbitmq-messaging-topology-operator.yaml
@@ -1,7 +1,7 @@
package:
name: rabbitmq-messaging-topology-operator
version: 1.15.0
- epoch: 0
+ epoch: 1
description: Open source RabbitMQ cluster operator. Kubernetes operator to deploy and manage RabbitMQ clusters.
copyright:
- license: MPL-2.0
@@ -24,6 +24,10 @@ pipeline:
repository: https://github.com/rabbitmq/messaging-topology-operator
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
output: manager
From 74480e66ea42fc674a7b06386fcdf058b50b7f37 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:04:23 +0000
Subject: [PATCH 048/211] promxy/0.0.91-r1: cve remediation (#36806)
promxy/0.0.91-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/promxy.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
promxy.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/promxy.yaml b/promxy.yaml
index d47c0b346a4..ca57a964c52 100644
--- a/promxy.yaml
+++ b/promxy.yaml
@@ -1,7 +1,7 @@
package:
name: promxy
version: 0.0.91
- epoch: 1
+ epoch: 2
description: An aggregating proxy to enable HA prometheus.
copyright:
- license: MIT
@@ -18,7 +18,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From 101778145b6bfb31d6a193e3d6db7eb556da6d67 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:04:38 +0000
Subject: [PATCH 049/211] k6/0.55.0-r0: cve remediation (#36803)
k6/0.55.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/k6.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
k6.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/k6.yaml b/k6.yaml
index ef6d3924487..56e4c5ec2ed 100644
--- a/k6.yaml
+++ b/k6.yaml
@@ -1,7 +1,7 @@
package:
name: k6
version: 0.55.0
- epoch: 0
+ epoch: 1
description: A modern load testing tool, using Go and JavaScript
copyright:
- license: AGPL-3.0-or-later
@@ -22,6 +22,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 90bb9415d0724355e93eb276624d25394751d54d
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From 259cd57566e4828adfef80fba25ff05a5614c651 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:04:51 +0000
Subject: [PATCH 050/211] gitaly-17.6/17.6.2-r0: cve remediation (#36807)
gitaly-17.6/17.6.2-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/gitaly-17.6.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
gitaly-17.6.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gitaly-17.6.yaml b/gitaly-17.6.yaml
index d9c921766ab..e3a69d81701 100644
--- a/gitaly-17.6.yaml
+++ b/gitaly-17.6.yaml
@@ -1,7 +1,7 @@
package:
name: gitaly-17.6
version: 17.6.2
- epoch: 0
+ epoch: 1
description:
copyright:
- license: MIT
@@ -38,6 +38,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: d06e4074586fd7760f55ab0080d5c74fc735d25f
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make install DESTDIR="${{targets.destdir}}" PREFIX=/usr
From 24074a0893b7821aebd29c5fd838e34005289981 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:05:12 +0000
Subject: [PATCH 051/211] prometheus-stackdriver-exporter/0.17.0-r0: cve
remediation (#36808)
prometheus-stackdriver-exporter/0.17.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-stackdriver-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-stackdriver-exporter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-stackdriver-exporter.yaml b/prometheus-stackdriver-exporter.yaml
index 46ec3ae5c73..745ce0e863a 100644
--- a/prometheus-stackdriver-exporter.yaml
+++ b/prometheus-stackdriver-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-stackdriver-exporter
version: 0.17.0
- epoch: 0
+ epoch: 1
description: Google Stackdriver Prometheus exporter
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 15981bb0a405aaada894c7805ed8365fbd8b43ea
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make common-build
From 42a9eaa6fbfc823edb8220b8d61eb06110c8425d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:05:24 +0000
Subject: [PATCH 052/211] envoy-gateway/1.2.4 package update (#36802)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
envoy-gateway.yaml | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/envoy-gateway.yaml b/envoy-gateway.yaml
index f65e74b4745..4b5bd4e9589 100644
--- a/envoy-gateway.yaml
+++ b/envoy-gateway.yaml
@@ -1,7 +1,7 @@
package:
name: envoy-gateway
- version: 1.2.3
- epoch: 1
+ version: 1.2.4
+ epoch: 0
description: Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
copyright:
- license: Apache-2.0
@@ -14,14 +14,10 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: 9fe25ce67e12e07ae6849a61d24ae0572aead970
+ expected-commit: 6ca4fe3c5f9f734b748d85da46f6d790c0377c86
repository: https://github.com/envoyproxy/gateway
tag: v${{package.version}}
- - uses: go/bump
- with:
- deps: golang.org/x/crypto@v0.31.0
-
- uses: go/build
with:
packages: ./cmd/envoy-gateway
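Review bot: The second hunk drops the `go/bump` step that pinned `golang.org/x/crypto@v0.31.0`, and nothing in the new pipeline shows that the v1.2.4 tag already requires that version. If upstream's go.mod at the new `expected-commit` still resolves an older x/crypto, the package would lose the pin that other patches in this series add for GHSA-v778-237x-gjrc. It is worth confirming against the tagged go.mod; if it is older, keep `- uses: go/bump` with `deps: golang.org/x/crypto@v0.31.0` ahead of `go/build`. The `go/build` step continues outside the hunk.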
From c6fd8cfc367fdbb857571c8faaf539e8a33776d4 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:05:40 +0000
Subject: [PATCH 053/211] tfsec/1.28.11-r0: cve remediation (#36804)
tfsec/1.28.11-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/tfsec.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
tfsec.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tfsec.yaml b/tfsec.yaml
index a059188b17d..a7cea6c5a2f 100644
--- a/tfsec.yaml
+++ b/tfsec.yaml
@@ -1,7 +1,7 @@
package:
name: tfsec
version: 1.28.11
- epoch: 0
+ epoch: 1
description: Security scanner for your Terraform code
copyright:
- license: MIT
@@ -22,6 +22,10 @@ pipeline:
repository: https://github.com/aquasecurity/tfsec
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/tfsec
From 0f147b32a3c7cbef9cd2b8db9c5e785c74037faf Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:04:47 +0000
Subject: [PATCH 054/211] mongo-tools/100.10.0-r3: cve remediation (#36817)
mongo-tools/100.10.0-r3: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/mongo-tools.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
mongo-tools.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mongo-tools.yaml b/mongo-tools.yaml
index 311ccfdc25c..c8f23cc7f9d 100644
--- a/mongo-tools.yaml
+++ b/mongo-tools.yaml
@@ -1,7 +1,7 @@
package:
name: mongo-tools
version: 100.10.0
- epoch: 3
+ epoch: 4
description: Tools for MongoDB
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
tag: ${{package.version}}
expected-commit: 6d4f001be3fcf673de04d20176e90ee02ef233a9
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: patch
with:
patches: release-platform.patch
From 87b0545d1abcda8f30adde45e8243c40c9217f9a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:05:03 +0000
Subject: [PATCH 055/211] kubescape/3.0.22-r0: cve remediation (#36813)
kubescape/3.0.22-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kubescape.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kubescape.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubescape.yaml b/kubescape.yaml
index 7b7e2744621..f2d963ff99c 100644
--- a/kubescape.yaml
+++ b/kubescape.yaml
@@ -1,7 +1,7 @@
package:
name: kubescape
version: 3.0.22
- epoch: 0
+ epoch: 1
description: Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.
copyright:
- license: Apache-2.0 AND MIT
@@ -27,7 +27,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/mholt/archiver/v3@v3.5.2
+ deps: github.com/mholt/archiver/v3@v3.5.2 golang.org/x/crypto@v0.31.0
replaces: github.com/mholt/archiver/v3=github.com/anchore/archiver/v3@v3.5.2
- runs: |
From a3dcf838db3fdbc6e5ab691a00fc98456b59fe49 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:05:18 +0000
Subject: [PATCH 056/211] bank-vaults/1.20.4-r20: cve remediation (#36814)
bank-vaults/1.20.4-r20: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/bank-vaults.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
bank-vaults.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bank-vaults.yaml b/bank-vaults.yaml
index a1b358427d2..b47bb44d951 100644
--- a/bank-vaults.yaml
+++ b/bank-vaults.yaml
@@ -1,7 +1,7 @@
package:
name: bank-vaults
version: 1.20.4
- epoch: 20
+ epoch: 21
description: A Vault swiss-army knife. A CLI tool to init, unseal and configure Vault (auth methods, secret engines).
copyright:
- license: Apache-2.0
@@ -25,7 +25,7 @@ pipeline:
- uses: go/bump
with:
# CVE-2023-39325 and CVE-2023-3978
- deps: google.golang.org/grpc@v1.56.3 golang.org/x/crypto@v0.17.0 github.com/go-jose/go-jose/v3@v3.0.3 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: google.golang.org/grpc@v1.56.3 github.com/go-jose/go-jose/v3@v3.0.3 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/v3@v3.0.3
- uses: go/build
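Review bot: The comment `# CVE-2023-39325 and CVE-2023-3978` above `deps:` no longer describes the line it annotates. The list now carries eight pins, and this change replaces `golang.org/x/crypto@v0.17.0` with `golang.org/x/crypto@v0.31.0` for GHSA-v778-237x-gjrc. Updating the comment to name that advisory, e.g. `# CVE-2023-39325, CVE-2023-3978; golang.org/x/crypto@v0.31.0 for GHSA-v778-237x-gjrc`, keeps the reason for each pin recoverable from the file itself.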
From eff5d26639fd4a49545ea4522e58e81abcb919ee Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:05:37 +0000
Subject: [PATCH 057/211] src/5.10.0-r0: cve remediation (#36816)
src/5.10.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/src.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
src.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src.yaml b/src.yaml
index 76e24db61d4..550373df129 100644
--- a/src.yaml
+++ b/src.yaml
@@ -1,7 +1,7 @@
package:
name: src
version: 5.10.0
- epoch: 0
+ epoch: 1
description: Sourcegraph CLI
copyright:
- license: Apache-2.0
@@ -29,7 +29,7 @@ pipeline:
with:
# The replacement must run before the initial tidy, otherwise the repo resolution fails and so does the build. The build will run tidy.
skip-initial-tidy: true
- deps: github.com/golang/protobuf@v1.5.4 k8s.io/api@v0.27.13 k8s.io/apimachinery@v0.27.13 k8s.io/client-go@v0.27.13 k8s.io/metrics@v0.27.13
+ deps: github.com/golang/protobuf@v1.5.4 k8s.io/api@v0.27.13 k8s.io/apimachinery@v0.27.13 k8s.io/client-go@v0.27.13 k8s.io/metrics@v0.27.13 golang.org/x/crypto@v0.31.0
replaces: github.com/sourcegraph/sourcegraph/lib=github.com/sourcegraph/sourcegraph-public-snapshot/lib@v0.0.0-20240709083501-1af563b61442
- uses: go/build
From eaff3952ced947537b5ca6ee0e3ff859330c5e76 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:05:53 +0000
Subject: [PATCH 058/211] osv-scanner/1.9.1-r0: cve remediation (#36815)
osv-scanner/1.9.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/osv-scanner.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
osv-scanner.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/osv-scanner.yaml b/osv-scanner.yaml
index a78fc19bde2..2f1ca1b6bb7 100644
--- a/osv-scanner.yaml
+++ b/osv-scanner.yaml
@@ -1,7 +1,7 @@
package:
name: osv-scanner
version: 1.9.1
- epoch: 0
+ epoch: 1
description: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
copyright:
- license: Apache-2.0
@@ -20,6 +20,10 @@ pipeline:
tag: v${{package.version}}
repository: https://github.com/google/osv-scanner
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/osv-scanner/
From a544dfc1ac142410bfb00d940ed264c6a8fc4f38 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:06:14 +0000
Subject: [PATCH 059/211] prometheus-pushgateway/1.10.0-r0: cve remediation
(#36812)
prometheus-pushgateway/1.10.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-pushgateway.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-pushgateway.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-pushgateway.yaml b/prometheus-pushgateway.yaml
index 8294bc0f715..742fb9c93ab 100644
--- a/prometheus-pushgateway.yaml
+++ b/prometheus-pushgateway.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-pushgateway
version: 1.10.0
- epoch: 0
+ epoch: 1
description: Push acceptor for ephemeral and batch jobs.
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 17dd0704c6595396b8ca2550884bd9f0d66990bb
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make build
From f6f5580973cae22dd0cf696504b6cbbd8514fb75 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:04:03 +0000
Subject: [PATCH 060/211] terraform-provider-azurerm/4.14.0 package update
(#36829)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
terraform-provider-azurerm.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform-provider-azurerm.yaml b/terraform-provider-azurerm.yaml
index 821b7a89e83..12e60cb40c5 100644
--- a/terraform-provider-azurerm.yaml
+++ b/terraform-provider-azurerm.yaml
@@ -1,7 +1,7 @@
package:
name: terraform-provider-azurerm
- version: 4.13.0
- epoch: 1
+ version: 4.14.0
+ epoch: 0
description: Terraform provider for Azure Resource Manager
copyright:
- license: MPL-2.0
@@ -14,7 +14,7 @@ package:
pipeline:
- uses: git-checkout
with:
- expected-commit: f80cef460500b7c344bcb180112840fc373e295c
+ expected-commit: 36996bc68a4a4b80f65338f2066070426abf8551
repository: https://github.com/hashicorp/terraform-provider-azurerm
tag: v${{package.version}}
From 485ef8828891f9969b557fdab5b0573fd879e2ed Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:04:19 +0000
Subject: [PATCH 061/211] go-licenses/1.6.0-r16: cve remediation (#36825)
go-licenses/1.6.0-r16: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/go-licenses.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
go-licenses.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/go-licenses.yaml b/go-licenses.yaml
index 87923798f8f..03ceb76fe47 100644
--- a/go-licenses.yaml
+++ b/go-licenses.yaml
@@ -1,7 +1,7 @@
package:
name: go-licenses
version: 1.6.0
- epoch: 16
+ epoch: 17
description: A lightweight tool to report on the licenses used by a Go package and its dependencies. Highlight! Versioned external URL to licenses can be found at the same time.
copyright:
- license: Apache-2.0
@@ -19,7 +19,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/cloudflare/circl@v1.3.7 golang.org/x/net@v0.23.0
+ deps: github.com/cloudflare/circl@v1.3.7 golang.org/x/net@v0.23.0 golang.org/x/crypto@v0.31.0
modroot: .
- uses: go/build
From 3b5c83d8dbaded2302f63b3b9d045503d4fa6cc9 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:04:32 +0000
Subject: [PATCH 062/211] tekton-chains/0.23.0-r0: cve remediation (#36823)
tekton-chains/0.23.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/tekton-chains.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
tekton-chains.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tekton-chains.yaml b/tekton-chains.yaml
index fb381ab7ab9..bad15d3f80c 100644
--- a/tekton-chains.yaml
+++ b/tekton-chains.yaml
@@ -1,7 +1,7 @@
package:
name: tekton-chains
version: 0.23.0
- epoch: 0
+ epoch: 1
description: Supply Chain Security in Tekton Pipelines
copyright:
- license: Apache-2.0
@@ -19,7 +19,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From c1b2bcb9288057ff023d22c58f47a535efec9397 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:04:47 +0000
Subject: [PATCH 063/211] fq/0.13.0-r0: cve remediation (#36824)
fq/0.13.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/fq.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
fq.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fq.yaml b/fq.yaml
index 09998d36af3..0dc196b09c7 100644
--- a/fq.yaml
+++ b/fq.yaml
@@ -1,7 +1,7 @@
package:
name: fq
version: 0.13.0
- epoch: 0
+ epoch: 1
description: "jq for binary formats - tool, language and decoders for working with binary and text formats"
copyright:
- license: MIT
@@ -13,6 +13,11 @@ pipeline:
tag: v${{package.version}}
expected-commit: 9857323e5d21655a087831791162410e04edb9cc
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
packages: ./
From 11b639492b1c0b57a3a824ba87b8a352ac6004e8 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:05:00 +0000
Subject: [PATCH 064/211] minio/0.20241107.005220-r0: cve remediation (#36821)
minio/0.20241107.005220-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/minio.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
minio.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/minio.yaml b/minio.yaml
index c17d63b9fcb..6958136f0cd 100644
--- a/minio.yaml
+++ b/minio.yaml
@@ -1,7 +1,7 @@
package:
name: minio
version: 0.20241107.005220
- epoch: 0
+ epoch: 1
description: Multi-Cloud Object Storage
copyright:
- license: AGPL-3.0-or-later
@@ -28,6 +28,10 @@ pipeline:
tag: ${{vars.mangled-package-version}}
expected-commit: cefc43e4daa4cbb490ef6726ea374e26a93eb85e
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make build
mkdir -p ${{targets.destdir}}/usr/bin
From 602273d352a8baa4ebc032ab9babbff2bb871935 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:05:13 +0000
Subject: [PATCH 065/211] local-path-provisioner/0.0.30-r0: cve remediation
(#36820)
local-path-provisioner/0.0.30-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/local-path-provisioner.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
local-path-provisioner.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/local-path-provisioner.yaml b/local-path-provisioner.yaml
index 3a9f435e5f8..9d4c43a4ff4 100644
--- a/local-path-provisioner.yaml
+++ b/local-path-provisioner.yaml
@@ -1,7 +1,7 @@
package:
name: local-path-provisioner
version: 0.0.30
- epoch: 0
+ epoch: 1
description: Dynamically provisioning persistent local storage with Kubernetes
copyright:
- license: Apache-2.0
@@ -25,6 +25,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: c4fdcada94c2e632cd7d9231e73406d554eb40e2
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From 61f7269db8ddb472dd4b1c067756c29b0cf5c31d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:05:32 +0000
Subject: [PATCH 066/211] gatekeeper-3.17/3.17.1-r3: cve remediation (#36819)
gatekeeper-3.17/3.17.1-r3: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/gatekeeper-3.17.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
gatekeeper-3.17.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gatekeeper-3.17.yaml b/gatekeeper-3.17.yaml
index 11f447abc66..ea6df47a2d6 100644
--- a/gatekeeper-3.17.yaml
+++ b/gatekeeper-3.17.yaml
@@ -1,7 +1,7 @@
package:
name: gatekeeper-3.17
version: 3.17.1
- epoch: 3
+ epoch: 4
description: Gatekeeper - Policy Controller for Kubernetes
copyright:
- license: Apache-2.0
@@ -28,7 +28,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/open-policy-agent/opa@v0.68.0
+ deps: github.com/open-policy-agent/opa@v0.68.0 golang.org/x/crypto@v0.31.0
- runs: |
FRAMEWORKS_VERSION=$(go list -f '{{ .Version }}' -m github.com/open-policy-agent/frameworks/constraint)
From 6848a0345eab161fe98304b57e168dbf69f41edf Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:05:47 +0000
Subject: [PATCH 067/211] kube-state-metrics/2.14.0-r0: cve remediation
(#36826)
kube-state-metrics/2.14.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kube-state-metrics.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kube-state-metrics.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kube-state-metrics.yaml b/kube-state-metrics.yaml
index 901dc250402..45343d6ed75 100644
--- a/kube-state-metrics.yaml
+++ b/kube-state-metrics.yaml
@@ -1,7 +1,7 @@
package:
name: kube-state-metrics
version: 2.14.0
- epoch: 0
+ epoch: 1
description: Add-on agent to generate and expose cluster-level metrics.
copyright:
- license: Apache-2.0
@@ -23,7 +23,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/emicklei/go-restful/v3@v3.11.3
+ deps: github.com/emicklei/go-restful/v3@v3.11.3 golang.org/x/crypto@v0.31.0
modroot: .
- runs: |
From deb69553b146247247462eda71b1232c6b978521 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:08:49 +0000
Subject: [PATCH 068/211] Delete VersionStream for kubernetes-1.31 (#36822)
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kubernetes-1.31.yaml | 274 -------------------------------------------
1 file changed, 274 deletions(-)
delete mode 100644 kubernetes-1.31.yaml
diff --git a/kubernetes-1.31.yaml b/kubernetes-1.31.yaml
deleted file mode 100644
index d053342f198..00000000000
--- a/kubernetes-1.31.yaml
+++ /dev/null
@@ -1,274 +0,0 @@
-package:
- name: kubernetes-1.31
- version: 1.31.4
- epoch: 0
- description: Production-Grade Container Scheduling and Management
- copyright:
- - license: Apache-2.0
- dependencies:
- provides:
- - kubernetes=${{package.full-version}}
-
-environment:
- contents:
- packages:
- - bash
- - build-base
- - busybox
- - ca-certificates-bundle
- - coreutils # needed for non busybox version of `mktemp`
- - findutils # needed for non busybox version of `xargs`
- - go
- - go-bindata
- - grep
- - jq
- - libcap-utils
- - linux-headers
- - openssf-compiler-options
- - rsync
-
-var-transforms:
- - from: ${{package.name}}
- match: '.*-(\d+\.\d+).*'
- replace: '$1'
- to: kubernetes-version
-
-vars:
- components: "kubectl kubeadm kubelet kube-scheduler kube-proxy kube-controller-manager kube-apiserver"
-
-pipeline:
- - uses: git-checkout
- with:
- repository: https://github.com/kubernetes/kubernetes
- tag: v${{package.version}}
- expected-commit: a78aa47129b8539636eb86a9d00e31b2720fe06b
-
- - runs: |
- export GOWORK=off
-
- - uses: go/bump
- with:
- deps: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@v0.46.1 github.com/opencontainers/runc@v1.1.14
-
- - runs: |
- # Use our Go version instead of downloading another one
- export FORCE_HOST_GO=true
- export KUBE_GIT_TREE_STATE=clean
-
- WHAT=""
- for c in ${{vars.components}} ; do
- WHAT="$WHAT cmd/$c"
- done
-
- make WHAT="$WHAT"
-
- - runs: |
- # We apply cap_net_bind_service so that kube-apiserver can be run as
- # non-root and still listen on port less than 1024
- setcap cap_net_bind_service=+ep _output/bin/kube-apiserver
-
- - runs: |
- mkdir -p "${{targets.destdir}}"/usr/bin/
- install -m755 _output/bin/* ${{targets.destdir}}/usr/bin/
-
- mkdir -p "${{targets.destdir}}"/etc/kubernetes
-
-subpackages:
- - name: kubectl-${{vars.kubernetes-version}}
- description: A command line tool for communicating with a Kubernetes API server
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kubectl ${{targets.subpkgdir}}/usr/bin/kubectl-${{vars.kubernetes-version}}
-
- - name: kubectl-bash-completion-${{vars.kubernetes-version}}
- dependencies:
- runtime:
- - kubectl-${{vars.kubernetes-version}}
- pipeline:
- - runs: |
- mkdir -p "${{targets.subpkgdir}}"/usr/share/bash-completion/completions
- _output/bin/kubectl completion bash > "${{targets.subpkgdir}}"/usr/share/bash-completion/completions/kubectl-${{vars.kubernetes-version}}
-
- - name: kubectl-${{vars.kubernetes-version}}-bitnami-compat
- description: "compat package with bitnami/kubectl image"
- dependencies:
- provides:
- - kubectl-bitnami-compat=${{package.full-version}}
- runtime:
- - bash
- - busybox
- - coreutils
- - yq
- pipeline:
- - runs: |
- mkdir -p "${{targets.subpkgdir}}/opt/bitnami/kubectl/bin"
- ln -s /usr/bin/kubectl "${{targets.subpkgdir}}/opt/bitnami/kubectl/bin/kubectl"
- mkdir -p "${{targets.subpkgdir}}/opt/bitnami/common/bin"
- ln -s /usr/bin/yq "${{targets.subpkgdir}}/opt/bitnami/common/bin/yq"
-
- - name: kubeadm-${{vars.kubernetes-version}}
- description: A tool for quickly installing Kubernetes and setting up a secure cluster
- dependencies:
- runtime:
- - iproute2
- - socat
- - ethtool
- - conntrack-tools
- - crictl
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kubeadm ${{targets.subpkgdir}}/usr/bin/kubeadm-${{vars.kubernetes-version}}
-
- mkdir -p "${{targets.subpkgdir}}"/usr/share/bash-completion/completions
- _output/bin/kubeadm completion bash > "${{targets.subpkgdir}}"/usr/share/bash-completion/completions/kubeadm
-
- - name: kubelet-${{vars.kubernetes-version}}
- description: An agent that runs on each node in a Kubernetes cluster making sure that containers are running in a Pod
- dependencies:
- runtime:
- - ip6tables
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kubelet ${{targets.subpkgdir}}/usr/bin/kubelet-${{vars.kubernetes-version}}
-
- install -d ${{targets.subpkgdir}}/var/lib/kubelet
- install -d ${{targets.subpkgdir}}/var/log/kubelet
-
- - name: kube-scheduler-${{vars.kubernetes-version}}
- description: Kubernetes control plane component watching over pods on nodes
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kube-scheduler ${{targets.subpkgdir}}/usr/bin/kube-scheduler-${{vars.kubernetes-version}}
-
- install -d ${{targets.subpkgdir}}/var/log/kube-scheduler
-
- - name: kube-proxy-${{vars.kubernetes-version}}
- description: Kubernetes network proxy that runs on each node
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kube-proxy ${{targets.subpkgdir}}/usr/bin/kube-proxy-${{vars.kubernetes-version}}
-
- install -d ${{targets.subpkgdir}}/var/lib/kube-proxy
- install -d ${{targets.subpkgdir}}/var/log/kube-proxy
-
- - name: kube-controller-manager-${{vars.kubernetes-version}}
- description: Kubernetes control plane component that runs controller processes
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kube-controller-manager ${{targets.subpkgdir}}/usr/bin/kube-controller-manager-${{vars.kubernetes-version}}
-
- install -d ${{targets.subpkgdir}}/var/log/kube-controller-manager
-
- - name: kube-apiserver-${{vars.kubernetes-version}}
- description: Kubernetes control plane component exposing the Kubernetes API
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- install -m755 _output/bin/kube-apiserver ${{targets.subpkgdir}}/usr/bin/kube-apiserver-${{vars.kubernetes-version}}
-
- install -d ${{targets.subpkgdir}}/var/log/kube-apiserver
-
- - name: kubernetes-pause-${{vars.kubernetes-version}}
- dependencies:
- provides:
- - kubernetes-pause=${{vars.kubernetes-version}}
- pipeline:
- - working-directory: /home/build/build/pause
- runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin/
- CFLAGS="$CFLAGS -static -DVERSION=v$(grep '^TAG ?=' Makefile | awk '{print $3}')-${{package.version}}"
- gcc ${CFLAGS} -o "${{targets.subpkgdir}}"/usr/bin/pause linux/pause.c
- test:
- pipeline:
- - name: kubernetes pause version check
- runs: /usr/bin/pause -V
-
- - name: kubernetes-pause-compat-${{vars.kubernetes-version}}
- description: kubernetes-pause compatibility package
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/
- ln -sf /usr/bin/pause ${{targets.subpkgdir}}/pause
-
- - range: components
- name: "${{range.key}}-${{vars.kubernetes-version}}-default"
- description: "Makes this version of ${{range.key}} the default."
- dependencies:
- runtime:
- - ${{range.key}}-${{vars.kubernetes-version}}
- provides:
- - ${{range.key}}-default=${{vars.kubernetes-version}}
- - ${{range.key}}=${{vars.kubernetes-version}}
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/bin
- ln -s ${{range.key}}-${{vars.kubernetes-version}} ${{targets.subpkgdir}}/usr/bin/${{range.key}}
-
- - name: kube-proxy-${{vars.kubernetes-version}}-default-compat
- description: kube-proxy-default compatibility package
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/local/bin
- ln -sf /usr/bin/kube-proxy-${{vars.kubernetes-version}} ${{targets.subpkgdir}}/usr/local/bin/kube-proxy
- test:
- pipeline:
- - runs: stat /usr/local/bin/kube-proxy
-
- - name: kubernetes-${{vars.kubernetes-version}}-default
- description: "Compatibility package to set ${{vars.kubernetes-version}} as the default kubernetes, and add packages to their shortened path"
- dependencies:
- runtime:
- - kubectl-${{vars.kubernetes-version}}-default
- - kubeadm-${{vars.kubernetes-version}}-default
- - kubelet-${{vars.kubernetes-version}}-default
- - kube-scheduler-${{vars.kubernetes-version}}-default
- - kube-proxy-${{vars.kubernetes-version}}-default
- - kube-proxy-${{vars.kubernetes-version}}-default-compat
- - kube-controller-manager-${{vars.kubernetes-version}}-default
- - kube-apiserver-${{vars.kubernetes-version}}-default
- checks:
- disabled:
- - empty
-
-data:
- - name: components
- items:
- # Only the keys matter
- kubectl:
- kubeadm:
- kubelet:
- kube-scheduler:
- kube-proxy:
- kube-controller-manager:
- kube-apiserver:
-
-update:
- enabled: true
- github:
- identifier: kubernetes/kubernetes
- strip-prefix: v
- tag-filter: v1.31.
-
-test:
- pipeline:
- # AUTOGENERATED
- - runs: |
- kube-apiserver --version
- kube-controller-manager --version
- kube-proxy --version
- kube-scheduler --version
- kubeadm --help
- kubectl --help
- kubelet --version
- kube-apiserver --help
- kube-controller-manager --help
- kube-proxy --help
- kube-scheduler --help
- kubeadm version
- kubelet --help
From 5ef3d57241bcc542040fe1e949e1fb218d35bd17 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 10:03:56 +0000
Subject: [PATCH 069/211] grpc-health-probe/0.4.35-r0: cve remediation (#36830)
grpc-health-probe/0.4.35-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/grpc-health-probe.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
grpc-health-probe.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grpc-health-probe.yaml b/grpc-health-probe.yaml
index d2589e733da..e050c33e3a4 100644
--- a/grpc-health-probe.yaml
+++ b/grpc-health-probe.yaml
@@ -2,7 +2,7 @@ package:
name: grpc-health-probe
version: 0.4.35
# bump to epoch 1 when 0.4.29 is released
- epoch: 0
+ epoch: 1
description: A command-line tool to perform health-checks for gRPC applications in Kubernetes and elsewhere
copyright:
- license: Apache-2.0
@@ -24,6 +24,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 0d66e8ae39ccdf7a5c22f584560692ca5cf930af
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From 7c382c2707adaefd38bfa31ada5dac19605cde7b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 10:21:36 +0000
Subject: [PATCH 070/211] rancher-webhook-0.5/0.5.4-r0: cve remediation
(#36805)
rancher-webhook-0.5/0.5.4-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/rancher-webhook-0.5.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
rancher-webhook-0.5.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rancher-webhook-0.5.yaml b/rancher-webhook-0.5.yaml
index ad8698faa18..03e90f9b85e 100644
--- a/rancher-webhook-0.5.yaml
+++ b/rancher-webhook-0.5.yaml
@@ -1,7 +1,7 @@
package:
name: rancher-webhook-0.5
version: 0.5.4
- epoch: 0
+ epoch: 1
description: Rancher webhook for Kubernetes
copyright:
- license: Apache-2.0
@@ -27,7 +27,7 @@ pipeline:
- uses: go/bump
with:
- deps: k8s.io/kubernetes@v1.30.3 k8s.io/apiserver@v0.30.3
+ deps: k8s.io/kubernetes@v1.30.3 k8s.io/apiserver@v0.30.3 golang.org/x/crypto@v0.31.0
modroot: .
- uses: go/build
From 0dbe050b85c4f82b236a089c1732ff7f0b531155 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:03:25 +0000
Subject: [PATCH 071/211] docker-compose/2.32.0 package update (#36844)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
docker-compose.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 2c4d1fd6e5e..abd27cc1180 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,6 +1,6 @@
package:
name: docker-compose
- version: 2.31.0
+ version: 2.32.0
epoch: 0
description: Define and run multi-container applications with Docker
copyright:
@@ -28,7 +28,7 @@ pipeline:
with:
repository: https://github.com/docker/compose
tag: v${{package.version}}
- expected-commit: a8469db83f514a5abe4681c7fee773061f1941c6
+ expected-commit: a20b69ac5b860f1aa270519e4d02207246d7cb6b
- runs: |
mkdir -p ${{targets.destdir}}/usr/bin
From 5fd5a1d4d86b3a2499fa8b0ebf4d8b2671fceb9c Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:03:39 +0000
Subject: [PATCH 072/211] prometheus-statsd-exporter/0.28.0-r0: cve remediation
(#36840)
prometheus-statsd-exporter/0.28.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-statsd-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-statsd-exporter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-statsd-exporter.yaml b/prometheus-statsd-exporter.yaml
index 4987842c71c..9b7aafe64f1 100644
--- a/prometheus-statsd-exporter.yaml
+++ b/prometheus-statsd-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-statsd-exporter
version: 0.28.0
- epoch: 0
+ epoch: 1
description: StatsD exporter for Prometheus
copyright:
- license: Apache-2.0
@@ -21,6 +21,10 @@ pipeline:
expected-commit: c0a390a2c43f77863278615b47d46e886bdca726
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make common-build
From 8bf0687bcd256024f031513ee09dceb5f3c8e30a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:03:56 +0000
Subject: [PATCH 073/211] skopeo/1.17.0-r0: cve remediation (#36841)
skopeo/1.17.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/skopeo.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
skopeo.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/skopeo.yaml b/skopeo.yaml
index 89ef6ef05e0..0f0a9084fb3 100644
--- a/skopeo.yaml
+++ b/skopeo.yaml
@@ -1,7 +1,7 @@
package:
name: skopeo
version: 1.17.0
- epoch: 0
+ epoch: 1
description: Work with remote images registries - retrieving information, images, signing content
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
repository: https://github.com/containers/skopeo
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/skopeo
From 622b633dd58e8b305b970c504ee988da7258b3ac Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:04:12 +0000
Subject: [PATCH 074/211] undock/0.8.0-r1: cve remediation (#36839)
undock/0.8.0-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/undock.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
undock.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/undock.yaml b/undock.yaml
index a439ab5cf4e..f96d4d5c0b2 100644
--- a/undock.yaml
+++ b/undock.yaml
@@ -1,7 +1,7 @@
package:
name: undock
version: 0.8.0
- epoch: 1
+ epoch: 2
description: Extract contents of a container image in a local folder
copyright:
- license: MIT
@@ -27,7 +27,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/docker/cli@v26.1.4 github.com/docker/docker@v26.1.5
+ deps: github.com/docker/cli@v26.1.4 github.com/docker/docker@v26.1.5 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From 6047fa5c143210ff308efd8c7edd3d4b60012aed Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:04:32 +0000
Subject: [PATCH 075/211] vexctl/0.3.0-r1: cve remediation (#36838)
vexctl/0.3.0-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/vexctl.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
vexctl.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vexctl.yaml b/vexctl.yaml
index 02812a907f5..d9d48eb43bc 100644
--- a/vexctl.yaml
+++ b/vexctl.yaml
@@ -1,7 +1,7 @@
package:
name: vexctl
version: 0.3.0
- epoch: 1
+ epoch: 2
description: A tool to create, transform and attest VEX metadata
copyright:
- license: Apache-2.0
@@ -15,7 +15,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
modroot: .
- uses: go/build
From c87b588148ab4489ae161733dab3dc75d80108c0 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:04:47 +0000
Subject: [PATCH 076/211] opentofu-1.8/1.8.7-r0: cve remediation (#36843)
opentofu-1.8/1.8.7-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/opentofu-1.8.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
opentofu-1.8.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/opentofu-1.8.yaml b/opentofu-1.8.yaml
index bd161325cf3..4388f0c457a 100644
--- a/opentofu-1.8.yaml
+++ b/opentofu-1.8.yaml
@@ -1,7 +1,7 @@
package:
name: opentofu-1.8
version: 1.8.7
- epoch: 0
+ epoch: 1
copyright:
- license: MPL-2.0
dependencies:
@@ -19,6 +19,11 @@ pipeline:
repository: https://github.com/opentofu/opentofu
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
ldflags: -s -w -X 'github.com/opentofu/opentofu/version.dev=no'
From 3799f193dfff073dc9cff99736cf4442af0d6f3b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:05:47 +0000
Subject: [PATCH 077/211] kubewatch/2.9.0-r0: cve remediation (#36853)
kubewatch/2.9.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kubewatch.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kubewatch.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kubewatch.yaml b/kubewatch.yaml
index c76086e235c..712656c26bd 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -1,7 +1,7 @@
package:
name: kubewatch
version: 2.9.0
- epoch: 0
+ epoch: 1
description: Watch k8s events and trigger Handlers
copyright:
- license: Apache-2.0
@@ -24,6 +24,10 @@ pipeline:
- runs: |
go mod tidy
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
output: kubewatch
From bd75b0fdcece921c505ad11558d94da44ad64ac7 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:06:02 +0000
Subject: [PATCH 078/211] postgres-operator/1.13.0-r2: cve remediation (#36847)
postgres-operator/1.13.0-r2: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/postgres-operator.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
postgres-operator.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/postgres-operator.yaml b/postgres-operator.yaml
index de95ebfde24..3e149393b0e 100644
--- a/postgres-operator.yaml
+++ b/postgres-operator.yaml
@@ -1,7 +1,7 @@
package:
name: postgres-operator
version: 1.13.0
- epoch: 2
+ epoch: 3
description: Postgres operator creates and manages PostgreSQL clusters running in Kubernetes
copyright:
- license: MIT
@@ -21,6 +21,11 @@ pipeline:
repository: https://github.com/zalando/postgres-operator.git
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
modroot: .
From f787f77948c35b56fbaf44b59897eaa5be2b832c Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:06:22 +0000
Subject: [PATCH 079/211] kubernetes-dashboard-api/1.10.1-r0: cve remediation
(#36846)
kubernetes-dashboard-api/1.10.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kubernetes-dashboard-api.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kubernetes-dashboard-api.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kubernetes-dashboard-api.yaml b/kubernetes-dashboard-api.yaml
index f2a19c86864..b61b5bc35e9 100644
--- a/kubernetes-dashboard-api.yaml
+++ b/kubernetes-dashboard-api.yaml
@@ -1,7 +1,7 @@
package:
name: kubernetes-dashboard-api
version: 1.10.1
- epoch: 0
+ epoch: 1
description: Go module handling authentication to the Kubernetes API
copyright:
- license: Apache-2.0
@@ -13,6 +13,11 @@ pipeline:
tag: api/v${{package.version}}
expected-commit: 8c15a76aec0489f63ab841e4aaf09391d2e68912
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: ./modules/api
+
- uses: go/build
with:
packages: .
From 451fb78f8b2f1d03aad0a7c6c01c7e7d117ed79a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:06:39 +0000
Subject: [PATCH 080/211] trivy/0.58.0-r0: cve remediation (#36850)
trivy/0.58.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/trivy.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
trivy.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/trivy.yaml b/trivy.yaml
index 860aff5b6a2..2d6315eb295 100644
--- a/trivy.yaml
+++ b/trivy.yaml
@@ -1,7 +1,7 @@
package:
name: trivy
version: 0.58.0
- epoch: 0
+ epoch: 1
description: Simple and comprehensive vulnerability scanner for containers
copyright:
- license: Apache-2.0
@@ -13,6 +13,10 @@ pipeline:
repository: https://github.com/aquasecurity/trivy
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/trivy
From 8061e88094d10bff6d2de186b07a55dbae77cd4f Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:06:56 +0000
Subject: [PATCH 081/211] openbao-k8s/1.4.0-r0: cve remediation (#36848)
openbao-k8s/1.4.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/openbao-k8s.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
openbao-k8s.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openbao-k8s.yaml b/openbao-k8s.yaml
index be02d8becc4..6425d2b4123 100644
--- a/openbao-k8s.yaml
+++ b/openbao-k8s.yaml
@@ -1,7 +1,7 @@
package:
name: openbao-k8s
version: 1.4.0
- epoch: 0
+ epoch: 1
description: First-class support for OpenBao and Kubernetes.
copyright:
- license: MPL-2.0
@@ -15,7 +15,7 @@ pipeline:
- uses: go/bump
with:
- deps: golang.org/x/net@v0.23.0 google.golang.org/protobuf@v1.33.0
+ deps: golang.org/x/net@v0.23.0 google.golang.org/protobuf@v1.33.0 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From 66b5077934912ef2442a75516574512e537f981c Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:07:24 +0000
Subject: [PATCH 082/211] litestream/0.3.13-r5: cve remediation (#36849)
litestream/0.3.13-r5: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/litestream.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
litestream.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/litestream.yaml b/litestream.yaml
index daee118bae1..e647b547e78 100644
--- a/litestream.yaml
+++ b/litestream.yaml
@@ -1,7 +1,7 @@
package:
name: litestream
version: 0.3.13
- epoch: 5
+ epoch: 6
description: Streaming replication for SQLite.
copyright:
- license: Apache-2.0
@@ -15,7 +15,7 @@ pipeline:
- uses: go/bump
with:
- deps: golang.org/x/crypto@v0.17.0 golang.org/x/net@v0.23.0 google.golang.org/grpc@v1.57.1 google.golang.org/protobuf@v1.33.0
+ deps: golang.org/x/net@v0.23.0 google.golang.org/grpc@v1.57.1 google.golang.org/protobuf@v1.33.0 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From 0556675882a4ba1f54a27f76e077be9e85c48763 Mon Sep 17 00:00:00 2001
From: philroche
Date: Fri, 13 Dec 2024 12:11:31 +0000
Subject: [PATCH 083/211] feat(pgbouncer.yaml): Bump pgbouncer to newest
version 1.23.1
This involves updating the download path to include `-fixed`, which I assume is a temporary change by upstream following a failed release of 1.23.1.
Signed-off-by: philroche
---
pgbouncer.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pgbouncer.yaml b/pgbouncer.yaml
index 5eb6f996b50..460f5ca5cfa 100644
--- a/pgbouncer.yaml
+++ b/pgbouncer.yaml
@@ -1,7 +1,7 @@
package:
name: pgbouncer
- version: 1.22.1
- epoch: 1
+ version: 1.23.1
+ epoch: 0
description: lightweight connection pooler for PostgreSQL
copyright:
- license: ISC
@@ -31,8 +31,8 @@ pipeline:
# and the docs require pandoc which requires haskell
- uses: fetch
with:
- uri: https://github.com/pgbouncer/pgbouncer/releases/download/pgbouncer_${{vars.mangled-package-version}}/pgbouncer-${{package.version}}.tar.gz
- expected-sha256: 2b018aa6ce7f592c9892bb9e0fd90262484eb73937fd2af929770a45373ba215
+ uri: https://github.com/pgbouncer/pgbouncer/releases/download/pgbouncer_${{vars.mangled-package-version}}-fixed/pgbouncer-${{package.version}}.tar.gz
+ expected-sha256: 1963b497231d9a560a62d266e4a2eae6881ab401853d93e5d292c3740eec5084
- uses: autoconf/configure
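Review bot: The `-fixed` suffix is hard-coded into the `uri:` of the `fetch` step without any comment, and the commit message itself only assumes it is a temporary upstream re-release, so the next version bump will probably build a download URL that does not exist. A comment above `uri:` would make that visible, e.g. `# 1.23.1 was re-published upstream under a "-fixed" release tag; drop the suffix on the next version bump`. Because `expected-sha256` is the only integrity check on a tarball that was re-published, the new digest is worth confirming against a checksum published by upstream, if one exists, rather than against the downloaded file alone.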
From 04b65206d0866ca50d3e8017b676c63f78069d4b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:13:23 +0000
Subject: [PATCH 084/211] hugo/0.139.4-r0: cve remediation (#36863)
hugo/0.139.4-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/hugo.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
hugo.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hugo.yaml b/hugo.yaml
index d64afca5dae..2ee7ddacd58 100644
--- a/hugo.yaml
+++ b/hugo.yaml
@@ -1,7 +1,7 @@
package:
name: hugo
version: 0.139.4
- epoch: 0
+ epoch: 1
description: The world's fastest framework for building websites.
copyright:
- license: Apache-2.0
@@ -20,6 +20,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 3afe91d4b1b069abbedd6a96ed755b1e12581dfe
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From 2c010e120e76ca2dd3616655f209febc9f1dceb3 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:13:38 +0000
Subject: [PATCH 085/211] velero/1.15.0-r0: cve remediation (#36862)
velero/1.15.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/velero.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
velero.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/velero.yaml b/velero.yaml
index bf9e73c787f..4293de51e45 100644
--- a/velero.yaml
+++ b/velero.yaml
@@ -1,7 +1,7 @@
package:
name: velero
version: 1.15.0
- epoch: 0
+ epoch: 1
description: Backup and migrate Kubernetes applications and their persistent volumes
copyright:
- license: Apache-2.0
@@ -16,6 +16,10 @@ pipeline:
expected-commit: 1d4f1475975b5107ec35f4d19ff17f7d1fcb3edf
repository: https://github.com/vmware-tanzu/velero
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/velero
From 8d8dddb19399c38e2779665ee73bb489d6c9b29e Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:13:52 +0000
Subject: [PATCH 086/211] atlantis/0.31.0-r0: cve remediation (#36858)
atlantis/0.31.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/atlantis.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
atlantis.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/atlantis.yaml b/atlantis.yaml
index efba5d7267d..0a487692947 100644
--- a/atlantis.yaml
+++ b/atlantis.yaml
@@ -1,7 +1,7 @@
package:
name: atlantis
version: 0.31.0
- epoch: 0
+ epoch: 1
description: Terraform Pull Request Automation
copyright:
- license: Apache-2.0
@@ -26,6 +26,11 @@ pipeline:
tag: v${{package.version}}
expected-commit: 245044c17fe85f7330c0a1cca919e7bf3bd52c4d
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
modroot: .
From 9f730b123ae3ae9d989bf06c57e6c1b0385cff0c Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:14:06 +0000
Subject: [PATCH 087/211] rook/1.15.6-r0: cve remediation (#36859)
rook/1.15.6-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/rook.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
rook.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rook.yaml b/rook.yaml
index 60b319e3d46..41e5695eeab 100644
--- a/rook.yaml
+++ b/rook.yaml
@@ -1,7 +1,7 @@
package:
name: rook
version: 1.15.6
- epoch: 0
+ epoch: 1
description: Storage Orchestration for Kubernetes
copyright:
- license: Apache-2.0
@@ -22,6 +22,10 @@ pipeline:
expected-commit: af0bd9f4e1cd176ace49baec7074cf49e8080db2
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
mkdir -p ${{targets.destdir}}/usr/bin/
go build \
From df057c57f85eefcd237a38f2edf4a3686b96a498 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:14:21 +0000
Subject: [PATCH 088/211] terraform-provider-google/6.13.0-r0: cve remediation
(#36860)
terraform-provider-google/6.13.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/terraform-provider-google.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
terraform-provider-google.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/terraform-provider-google.yaml b/terraform-provider-google.yaml
index 448aac906ba..d3b9ae3c30d 100644
--- a/terraform-provider-google.yaml
+++ b/terraform-provider-google.yaml
@@ -1,7 +1,7 @@
package:
name: terraform-provider-google
version: 6.13.0
- epoch: 0
+ epoch: 1
description: Terraform GCP provider
copyright:
- license: MPL-2.0
@@ -18,6 +18,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 7904c930926c4f1d9a4eea40876294e451379dcf
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From 52af6e28ea6946938768fef2f11eabab3a1ecb0c Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 13:14:36 +0000
Subject: [PATCH 089/211] nerdctl/2.0.2-r0: cve remediation (#36854)
nerdctl/2.0.2-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/nerdctl.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
nerdctl.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/nerdctl.yaml b/nerdctl.yaml
index 5b71684c9c0..97688ccf8fa 100644
--- a/nerdctl.yaml
+++ b/nerdctl.yaml
@@ -1,7 +1,7 @@
package:
name: nerdctl
version: 2.0.2
- epoch: 0
+ epoch: 1
description: Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
copyright:
- license: Apache-2.0
@@ -21,6 +21,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 1220ce7ec2701d485a9b1beeea63dae3da134fb5
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make nerdctl
install -Dm755 ./_output/nerdctl ${{targets.destdir}}/usr/bin/nerdctl
From 6ada47c54acf66885468f2b9235b4d4578302a49 Mon Sep 17 00:00:00 2001
From: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Date: Fri, 13 Dec 2024 18:49:32 +0530
Subject: [PATCH 090/211] Refactor docker.yaml (#36152)
Add openssl-config, remove fuse-overlayfs
EDIT: we need fuse-overlayfs as a backup if overlay2 fails.
Added iproute2 as we get an unnecessary error in container logs
otherwise
---------
Signed-off-by: anushkamittal20
Signed-off-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Co-authored-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
---
docker.yaml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/docker.yaml b/docker.yaml
index 846f496441b..22e0112cfda 100644
--- a/docker.yaml
+++ b/docker.yaml
@@ -1,7 +1,7 @@
package:
name: docker
version: 27.4.0
- epoch: 0
+ epoch: 1
description: A meta package for Docker Engine and Docker CLI
copyright:
- license: Apache-2.0
@@ -20,10 +20,12 @@ package:
- fuse-overlayfs
- git
- ip6tables
+ - iproute2
# docker dind also needs a couple of runtime dependencies mentioned here (https://github.com/moby/moby/blob/0eecd59153c03ced5f5ddd79cc98f29e4d86daec/project/PACKAGERS.md#runtime-dependencies) below are those dependencies.
- iptables
- openssh-client
- openssl
+ - openssl-config
- pigz
- procps
- shadow-subids # equivalent of shadow-uidmap in wolfi
@@ -66,7 +68,8 @@ pipeline:
# pin to older dependencies when this package auto updates, we use sed with
# the specific replacement version.
- # CVE-2023-47108 GHSA-8pgv-569h-w5rw CVE-2023-45142 GHSA-rcjv-mgp8-qvmr
+ # CVE-2023-47108 GHSA-8pgv-569h-w5rw CVE-2023-45142 GHSA-rcjv-mgp8-qvmr CVE-2024-45337
+ sed -i 's|golang.org/x/crypto v0.27.0|golang.org/x/crypto v0.31.0|' vendor.mod
sed -i 's|go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0|go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0|' vendor.mod
sed -i 's|go.opentelemetry.io/otel v1.19.0|go.opentelemetry.io/otel v1.21.0|' vendor.mod
sed -i 's|go.opentelemetry.io/otel/sdk v1.19.0|go.opentelemetry.io/otel/sdk v1.21.0|' vendor.mod
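Review bot: The added `sed` for `golang.org/x/crypto v0.27.0` changes nothing and still exits 0 when vendor.mod carries any other version string. If a later upstream tag moves to a different release below v0.31.0, the package would build without the CVE-2024-45337 fix and with no signal. The exact-match form is deliberate according to the comment above it, so keep it, but follow it with an assertion such as `grep -q 'golang.org/x/crypto v0.31.0' vendor.mod`. Assuming the step runs with errexit, that fails the build when the substitution no longer applies and prompts whoever handles the update to re-evaluate the pin. The existing otel `sed` lines have the same property. The `runs` block starts and ends outside this hunk, so whether the vendor tree is regenerated after the edit cannot be seen from here.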
From 4234be35eab028f9e68ba316e163fe1a547aa1e7 Mon Sep 17 00:00:00 2001
From: debasishbsws
Date: Fri, 13 Dec 2024 13:55:50 +0000
Subject: [PATCH 091/211] Fix(build): Change the version schema to match up
with the upsream
The upstream repo recently changed its tag naming and started adding a v prefix
Signed-off-by: debasishbsws
---
newrelic-nri-statsd.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/newrelic-nri-statsd.yaml b/newrelic-nri-statsd.yaml
index 6d30bce9ff6..d8cfc545237 100644
--- a/newrelic-nri-statsd.yaml
+++ b/newrelic-nri-statsd.yaml
@@ -1,6 +1,6 @@
package:
name: newrelic-nri-statsd
- version: v2.10.0
+ version: 2.10.0
epoch: 0
description: An implementation of Etsy's statsd in Go with tags support
copyright:
@@ -21,7 +21,7 @@ pipeline:
with:
expected-commit: 21cb52ec9480869d1ff01675b9ed550cc9212c49
repository: https://github.com/newrelic/nri-statsd
- tag: ${{package.version}}
+ tag: v${{package.version}}
- runs: |
mkdir -p "${{targets.destdir}}"/bin
@@ -37,6 +37,7 @@ update:
enabled: true
github:
identifier: newrelic/nri-statsd
+ strip-prefix: v
test:
pipeline:
From 3659181093357ebb16d9ddae03dc08de621508f0 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:03:36 +0000
Subject: [PATCH 092/211] fluent-plugin-tag-normaliser/0_git20241213 package
update (#36888)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
fluent-plugin-tag-normaliser.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fluent-plugin-tag-normaliser.yaml b/fluent-plugin-tag-normaliser.yaml
index 43c76e95822..b7677b84a52 100644
--- a/fluent-plugin-tag-normaliser.yaml
+++ b/fluent-plugin-tag-normaliser.yaml
@@ -1,7 +1,7 @@
#nolint:valid-pipeline-git-checkout-tag
package:
name: fluent-plugin-tag-normaliser
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: Tag-normaliser is a `fluentd` plugin to help re-tag logs with Kubernetes metadata. It uses special placeholders to change tag.
copyright:
From c10188c862bc81cb5995efd014d4d8eee0fe1866 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:03:51 +0000
Subject: [PATCH 093/211] rancher-rke2-charts/0_git20241213 package update
(#36883)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rancher-rke2-charts.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rancher-rke2-charts.yaml b/rancher-rke2-charts.yaml
index ee3debef537..c35916c5359 100644
--- a/rancher-rke2-charts.yaml
+++ b/rancher-rke2-charts.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates,valid-pipeline-git-checkout-tag
package:
name: rancher-rke2-charts
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: Complete container management platform - rke2 charts
copyright:
From be64978e056033a5614aac00e1401bf9b264500d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:04:05 +0000
Subject: [PATCH 094/211] rtmpdump/2.6_git20241213 package update (#36882)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rtmpdump.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rtmpdump.yaml b/rtmpdump.yaml
index 90cb133c30f..b41bea95947 100644
--- a/rtmpdump.yaml
+++ b/rtmpdump.yaml
@@ -1,7 +1,7 @@
#nolint:valid-pipeline-git-checkout-tag
package:
name: rtmpdump
- version: 2.6_git20241212
+ version: 2.6_git20241213
epoch: 0
description: rtmpdump is a toolkit for RTMP streams
copyright:
From 82a5c6d3fae8bb35338564ddf37c99c6190d8a84 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:04:20 +0000
Subject: [PATCH 095/211] fluent-plugin-label-router/0.4.0_git20241213 package
update (#36885)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
fluent-plugin-label-router.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fluent-plugin-label-router.yaml b/fluent-plugin-label-router.yaml
index 93f86ef06f4..ec52c86139b 100644
--- a/fluent-plugin-label-router.yaml
+++ b/fluent-plugin-label-router.yaml
@@ -1,7 +1,7 @@
#nolint:valid-pipeline-git-checkout-tag
package:
name: fluent-plugin-label-router
- version: 0.4.0_git20241212
+ version: 0.4.0_git20241213
epoch: 0
description: Label-Router helps routing log messages based on their labels and namespace tag in a Kubernetes environment.
copyright:
From 98c82a108e73989b81b7e38c631ad6185ceaeac9 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:04:36 +0000
Subject: [PATCH 096/211] ddp-tool/1.0.34.0_git20241213 package update (#36884)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
ddp-tool.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ddp-tool.yaml b/ddp-tool.yaml
index 3ccd9cc7241..e5ca0a886e2 100644
--- a/ddp-tool.yaml
+++ b/ddp-tool.yaml
@@ -1,7 +1,7 @@
#nolint:valid-pipeline-git-checkout-commit,valid-pipeline-git-checkout-tag
package:
name: ddp-tool
- version: 1.0.34.0_git20241212
+ version: 1.0.34.0_git20241213
epoch: 0
description: Intel Dynamic Device Personalization Tool
copyright:
From 99f8a1a729a5c8110a8c669b05a2c6fe2f97016d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:04:51 +0000
Subject: [PATCH 097/211] vim/9.1.0923 package update (#36879)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
vim.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vim.yaml b/vim.yaml
index f6bfd7fadd2..1b065225ab1 100644
--- a/vim.yaml
+++ b/vim.yaml
@@ -1,6 +1,6 @@
package:
name: vim
- version: 9.1.0918
+ version: 9.1.0923
epoch: 0
description: "Improved vi-style text editor"
copyright:
@@ -23,7 +23,7 @@ pipeline:
with:
repository: https://github.com/vim/vim
tag: v${{package.version}}
- expected-commit: dff3c9c1a789351a741b6a430862c8b2a0eff383
+ expected-commit: e29c8bafa78847414419522baecd008e287389db
- runs: |
# vim seems to manually set FORTIFY_SOURCE=1, and setting both breaks the build
From 8b9fdebb675977cac803f0891ba4e838810d07f1 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:05:08 +0000
Subject: [PATCH 098/211] go-discover/0_git20241213 package update (#36877)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
go-discover.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/go-discover.yaml b/go-discover.yaml
index c133dc8c23e..e2eb336c166 100644
--- a/go-discover.yaml
+++ b/go-discover.yaml
@@ -1,8 +1,8 @@
#nolint:valid-pipeline-git-checkout-tag
package:
name: go-discover
- version: 0_git20241212
- epoch: 1
+ version: 0_git20241213
+ epoch: 0
description: go-discover is a Go (golang) library and command line tool to discover ip addresses of nodes in cloud environments based on meta information like tags provided by the environment.
copyright:
- license: MPL-2.0
From 25ae1221eba629be4d9b1a1b5f597d52c91ae74a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:05:26 +0000
Subject: [PATCH 099/211] rancher-helm3-charts/0_git20241213 package update
(#36878)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rancher-helm3-charts.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rancher-helm3-charts.yaml b/rancher-helm3-charts.yaml
index f99291f5198..9c2546ceb31 100644
--- a/rancher-helm3-charts.yaml
+++ b/rancher-helm3-charts.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates,valid-pipeline-git-checkout-tag
package:
name: rancher-helm3-charts
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: Complete container management platform - helm3 charts
copyright:
From 52c0bb99aa3dbe9dd57992702cdd555576d22683 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:05:41 +0000
Subject: [PATCH 100/211] libeconf/0.7.6 package update (#36881)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
libeconf.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libeconf.yaml b/libeconf.yaml
index 7504693f9b4..04355b71c6f 100644
--- a/libeconf.yaml
+++ b/libeconf.yaml
@@ -1,6 +1,6 @@
package:
name: libeconf
- version: 0.7.5
+ version: 0.7.6
epoch: 0
description: Enhanced Config File Parser
copyright:
@@ -20,7 +20,7 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: 55395fda6890603ca5061cd15a32dfb2d6817928
+ expected-commit: acbf7e06de84ea289fd4d3dd189d7e36c49c09ae
repository: https://github.com/openSUSE/libeconf
tag: v${{package.version}}
From 389253b94d254121365c1942ac1e7492fb2fd545 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:05:58 +0000
Subject: [PATCH 101/211] aws-eks-pod-identity-agent/0_git20241213 package
update (#36887)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
aws-eks-pod-identity-agent.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-eks-pod-identity-agent.yaml b/aws-eks-pod-identity-agent.yaml
index f90d17c3795..6772604ef01 100644
--- a/aws-eks-pod-identity-agent.yaml
+++ b/aws-eks-pod-identity-agent.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates,valid-pipeline-git-checkout-tag
package:
name: aws-eks-pod-identity-agent
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: EKS Pod Identity is a feature of Amazon EKS that simplifies the process for cluster administrators to configure Kubernetes applications with AWS IAM permissions
copyright:
From 761116a3e973ac64539139439064a19b3b3ef05d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:06:19 +0000
Subject: [PATCH 102/211] rancher-partner-charts/0_git20241213 package update
(#36876)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rancher-partner-charts.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rancher-partner-charts.yaml b/rancher-partner-charts.yaml
index 58b00f41ec8..84a8242a73a 100644
--- a/rancher-partner-charts.yaml
+++ b/rancher-partner-charts.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates,valid-pipeline-git-checkout-tag
package:
name: rancher-partner-charts
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: Complete container management platform - partner charts
copyright:
@@ -19,7 +19,7 @@ pipeline:
repository: https://github.com/rancher/partner-charts
branch: main
destination: ./charts
- expected-commit: 062e6b615817d8c901144458114b2b0d52a72dd0
+ expected-commit: 87a612f5a0e0bb383ae1fb3fc8b302c44c3319cc
- working-directory: ./charts
runs: |
From e32af5b63471ee428400a7dc2dedf394bf82eb80 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:06:34 +0000
Subject: [PATCH 103/211] rancher-charts-2.10/0_git20241213 package update
(#36874)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rancher-charts-2.10.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rancher-charts-2.10.yaml b/rancher-charts-2.10.yaml
index d6aa7f20bf7..d94b539b499 100644
--- a/rancher-charts-2.10.yaml
+++ b/rancher-charts-2.10.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates,valid-pipeline-git-checkout-tag
package:
name: rancher-charts-2.10
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: Complete container management platform - charts
copyright:
From d31b670da5c55afa47a92aa247abf0ee96bbaa7b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:47:39 +0000
Subject: [PATCH 104/211] external-secrets-operator/0.11.0-r0: cve remediation
(#36869)
external-secrets-operator/0.11.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/external-secrets-operator.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
external-secrets-operator.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/external-secrets-operator.yaml b/external-secrets-operator.yaml
index a7ad2eaf165..55aa400612a 100644
--- a/external-secrets-operator.yaml
+++ b/external-secrets-operator.yaml
@@ -1,7 +1,7 @@
package:
name: external-secrets-operator
version: 0.11.0
- epoch: 0
+ epoch: 1
description: Integrate external secret management systems with Kubernetes
copyright:
- license: Apache-2.0
@@ -13,6 +13,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 0656bf33c5bde3b54afe6c5d21e246e58fb19be7
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
go-package: go
From 541c421ea2d95f58c79bf6ccb8d778289fa7e89a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:47:52 +0000
Subject: [PATCH 105/211] secrets-store-csi-driver-provider-azure/1.6.0-r1: cve
remediation (#36866)
secrets-store-csi-driver-provider-azure/1.6.0-r1: fix
GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/secrets-store-csi-driver-provider-azure.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
secrets-store-csi-driver-provider-azure.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/secrets-store-csi-driver-provider-azure.yaml b/secrets-store-csi-driver-provider-azure.yaml
index 819de4cf208..27bb50cd557 100644
--- a/secrets-store-csi-driver-provider-azure.yaml
+++ b/secrets-store-csi-driver-provider-azure.yaml
@@ -1,7 +1,7 @@
package:
name: secrets-store-csi-driver-provider-azure
version: 1.6.0
- epoch: 1
+ epoch: 2
description: Azure Key Vault provider for Secret Store CSI driver
copyright:
- license: MIT
@@ -24,7 +24,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- runs: |
unset LDFLAGS
From 2089b0c17c36292676bac52a9e93a59ddc871ea2 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:48:10 +0000
Subject: [PATCH 106/211] rancher-system-charts-2.10/0_git20241213 package
update (#36873)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
rancher-system-charts-2.10.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rancher-system-charts-2.10.yaml b/rancher-system-charts-2.10.yaml
index 68fcadfbff5..5f1034e00d0 100644
--- a/rancher-system-charts-2.10.yaml
+++ b/rancher-system-charts-2.10.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates,valid-pipeline-git-checkout-tag
package:
name: rancher-system-charts-2.10
- version: 0_git20241212
+ version: 0_git20241213
epoch: 0
description: Complete container management platform - system charts
copyright:
From ddc3273de38bf22d64988f5260a3f876ca4609a7 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:48:29 +0000
Subject: [PATCH 107/211] prometheus-mongodb-exporter/0.43.1 package update
(#36872)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
prometheus-mongodb-exporter.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/prometheus-mongodb-exporter.yaml b/prometheus-mongodb-exporter.yaml
index 0f8bb786b92..49e5627ebdd 100644
--- a/prometheus-mongodb-exporter.yaml
+++ b/prometheus-mongodb-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-mongodb-exporter
- version: 0.43.0
- epoch: 1
+ version: 0.43.1
+ epoch: 0
description: A Prometheus exporter for MongoDB including sharding, replication and storage engines
copyright:
- license: MIT
@@ -17,7 +17,7 @@ pipeline:
- uses: git-checkout
with:
repository: https://github.com/percona/mongodb_exporter
- expected-commit: 1e9026b6a8f2a6c86cfc63f460b16d2194523797
+ expected-commit: 2b2cccca21104c2a00cb53bd0d785b3d656fe803
tag: v${{package.version}}
- uses: go/bump
From fda5bc241033a5964aa71df5af4599744ebc6c65 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:48:44 +0000
Subject: [PATCH 108/211] seaweedfs/3.80-r0: cve remediation (#36868)
seaweedfs/3.80-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/seaweedfs.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
seaweedfs.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/seaweedfs.yaml b/seaweedfs.yaml
index f78f637b3dd..e7fd56b300a 100644
--- a/seaweedfs.yaml
+++ b/seaweedfs.yaml
@@ -1,7 +1,7 @@
package:
name: seaweedfs
version: "3.80"
- epoch: 0
+ epoch: 1
description: SeaweedFS is a fast distributed storage system for blobs, objects, files.
copyright:
- license: Apache-2.0
@@ -18,6 +18,10 @@ pipeline:
tag: ${{package.version}}
expected-commit: 7b3c0e937f83d3b49799b5d5dcb98b0043461c25
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./weed
From 6cadbff228b4036c141b4928835812130c3ad3af Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:49:08 +0000
Subject: [PATCH 109/211] x509-certificate-exporter/3.17.0-r1: cve remediation
(#36871)
x509-certificate-exporter/3.17.0-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/x509-certificate-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
x509-certificate-exporter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/x509-certificate-exporter.yaml b/x509-certificate-exporter.yaml
index acd962a18d9..b5ab69d381c 100644
--- a/x509-certificate-exporter.yaml
+++ b/x509-certificate-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: x509-certificate-exporter
version: 3.17.0
- epoch: 1
+ epoch: 2
description: A Prometheus exporter to monitor x509 certificates expiration in Kubernetes clusters or standalone.
copyright:
- license: MIT
@@ -13,6 +13,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 8f97b98c862f83d0c25c2994942b1ea90c6459da
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./cmd/x509-certificate-exporter
From e80634f29b43c9a6afb5034fdd8729afc0c0cd8e Mon Sep 17 00:00:00 2001
From: James Rawlings
Date: Fri, 13 Dec 2024 14:55:45 +0000
Subject: [PATCH 110/211] revert: icu 76.1 package update as contains ABI
breakage, bumps dependants that have already been built with new ABI (#36864)
see https://github.com/wolfi-dev/os/pull/35274
package update check is expected to fail as we are rolling back an
update.
---------
Signed-off-by: James Rawlings
Signed-off-by: Massimiliano Giovagnoli
Co-authored-by: Massimiliano Giovagnoli
---
icu.yaml | 6 +++---
ruby3.4-charlock_holmes.yaml | 2 +-
tensorflow-core.yaml | 7 +++++--
withdrawn-packages.txt | 4 ++++
4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/icu.yaml b/icu.yaml
index 8106624bec7..689ede235f6 100644
--- a/icu.yaml
+++ b/icu.yaml
@@ -1,7 +1,7 @@
package:
name: icu
- version: "76.1"
- epoch: 0
+ version: "75.1"
+ epoch: 4
description: "International Components for Unicode library"
copyright:
- license: MIT
@@ -37,7 +37,7 @@ pipeline:
- uses: fetch
with:
uri: https://github.com/unicode-org/icu/releases/download/release-${{vars.dash-package-version}}/icu4c-${{vars.underscore-package-version}}-src.tgz
- expected-sha256: dfacb46bfe4747410472ce3e1144bf28a102feeaa4e3875bac9b4c6cf30f4f3e
+ expected-sha256: cb968df3e4d2e87e8b11c49a5d01c787bd13b9545280fc6642f826527618caef
strip-components: 0
- runs: |
diff --git a/ruby3.4-charlock_holmes.yaml b/ruby3.4-charlock_holmes.yaml
index b8c60ae8abb..41bbdf38bd8 100644
--- a/ruby3.4-charlock_holmes.yaml
+++ b/ruby3.4-charlock_holmes.yaml
@@ -2,7 +2,7 @@
package:
name: ruby3.4-charlock_holmes
version: 0.7.9
- epoch: 0
+ epoch: 1
description: charlock_holmes provides binary and text detection as well as text transcoding using libicu
copyright:
- license: MIT
diff --git a/tensorflow-core.yaml b/tensorflow-core.yaml
index 60691dc3f37..bd73f3fd76b 100644
--- a/tensorflow-core.yaml
+++ b/tensorflow-core.yaml
@@ -2,7 +2,7 @@ package:
name: tensorflow-core
description: Framework for data-graph oriented computing (core libraries, oneDNN build)
version: 2.18.0
- epoch: 2
+ epoch: 3
copyright:
- license: Apache-2.0
resources:
@@ -100,7 +100,10 @@ pipeline:
expected-commit: 6550e4bd80223cdb8be6c3afd1f81e86a4d433c3
tag: v${{package.version}}
- - runs: |
+ - environment:
+ # It otherwise defaults to the latest while the upstream does not provide lockfiles for > 3.12.
+ HERMETIC_PYTHON_VERSION: "3.12"
+ runs: |
./configure
bazel ${{vars.bazel-common-opts}} //tensorflow:libtensorflow.so //tensorflow:libtensorflow_cc.so //tensorflow:install_headers //tensorflow:libtensorflow_framework.so
diff --git a/withdrawn-packages.txt b/withdrawn-packages.txt
index b6fd1ed3564..8e3fcfd0f2d 100644
--- a/withdrawn-packages.txt
+++ b/withdrawn-packages.txt
@@ -12,3 +12,7 @@ repmgr-dev-5.5.0-r3.apk
repmgr-5.5.0-r3.apk
repmgr-bitnami-compat-5.5.0-r3.apk
py3-pywinpty-2.0.13-r3.apk
+icu-76.1-r0.apk
+icu-data-full-76.1-r0.apk
+icu-dev-76.1-r0.apk
+icu-libs-76.1-r0.apk
From 1c5d15ac9a90502a4d8b5ecad56043ac5b50143e Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior
Date: Fri, 13 Dec 2024 15:56:50 +0100
Subject: [PATCH 111/211] bump kubernetes-latest to default to k8s 1.32
(#36857)
- bump kubernetes-latest to default to k8s 1.32
slack thread
https://chainguard-dev.slack.com/archives/C02SD39C6BW/p1734091822059719
---
kubernetes-latest.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes-latest.yaml b/kubernetes-latest.yaml
index df9adfb569c..2a84b0f1e60 100644
--- a/kubernetes-latest.yaml
+++ b/kubernetes-latest.yaml
@@ -1,7 +1,7 @@
package:
name: kubernetes-latest
version: 0
- epoch: 5
+ epoch: 6
description: "Compatibility infrastructure for Kubernetes components"
copyright:
- license: GPL-2.0-or-later
@@ -13,7 +13,7 @@ environment:
vars:
components: "kubectl kubeadm kubelet kube-scheduler kube-proxy kube-controller-manager kube-apiserver"
- kubernetes-version: 1.31
+ kubernetes-version: 1.32
pipeline:
- runs: |
From a728736002867c8b1e49c5a53f6a90fdb0cf8719 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:03:39 +0000
Subject: [PATCH 112/211] prometheus-mongodb-exporter/0.43.1 package update
(#36900)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
From 1ea80d5c256e2f666bc02d0c47f0601eeed3ecd6 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:03:55 +0000
Subject: [PATCH 113/211] velero-plugin-for-microsoft-azure/1.11.0-r0: cve
remediation (#36897)
velero-plugin-for-microsoft-azure/1.11.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/velero-plugin-for-microsoft-azure.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
velero-plugin-for-microsoft-azure.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/velero-plugin-for-microsoft-azure.yaml b/velero-plugin-for-microsoft-azure.yaml
index 88c8002853f..7b18eef5e1c 100644
--- a/velero-plugin-for-microsoft-azure.yaml
+++ b/velero-plugin-for-microsoft-azure.yaml
@@ -1,7 +1,7 @@
package:
name: velero-plugin-for-microsoft-azure
version: 1.11.0
- epoch: 0
+ epoch: 1
description: Plugins to support Velero on microsoft-azure
copyright:
- license: Apache-2.0
@@ -13,6 +13,10 @@ pipeline:
expected-commit: 3b08906e50a1a152e4a86161794774364e005b5b
repository: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: ./velero-plugin-for-microsoft-azure
From 58ac09a7fffe1961758f826763b2c458c45671d6 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:04:09 +0000
Subject: [PATCH 114/211] task/3.40.1-r0: cve remediation (#36896)
task/3.40.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/task.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
task.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/task.yaml b/task.yaml
index fd01bc4e6c2..863a3d0724d 100644
--- a/task.yaml
+++ b/task.yaml
@@ -1,7 +1,7 @@
package:
name: task
version: 3.40.1
- epoch: 0
+ epoch: 1
description: A task runner / simpler Make alternative written in Go
copyright:
- license: MIT
@@ -15,6 +15,11 @@ pipeline:
tag: v${{package.version}}
expected-commit: 32fa3a01561b16aee9c87ecf0b49be5b733bb3d1
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
- uses: go/build
with:
packages: ./cmd/task
From c64af0663ddc777c5065760ffa8c7243d0ace486 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:04:26 +0000
Subject: [PATCH 115/211] prometheus-bind-exporter/0.8.0-r0: cve remediation
(#36894)
prometheus-bind-exporter/0.8.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/prometheus-bind-exporter.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
prometheus-bind-exporter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/prometheus-bind-exporter.yaml b/prometheus-bind-exporter.yaml
index 4a678348de7..314ddda0564 100644
--- a/prometheus-bind-exporter.yaml
+++ b/prometheus-bind-exporter.yaml
@@ -1,7 +1,7 @@
package:
name: prometheus-bind-exporter
version: 0.8.0
- epoch: 0
+ epoch: 1
description: Prometheus exporter for BIND
copyright:
- license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 5cc1b62b9c866184193007a0f7ec3b2eb31460bf
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make common-build
mkdir -p ${{targets.destdir}}/usr/bin
From 6ee237ebc836b5c1f93122b1c5da482061b91c54 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:04:40 +0000
Subject: [PATCH 116/211] temporal-server/1.25.2-r0: cve remediation (#36892)
temporal-server/1.25.2-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/temporal-server.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
temporal-server.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/temporal-server.yaml b/temporal-server.yaml
index 17fcf24d262..f99c790d92c 100644
--- a/temporal-server.yaml
+++ b/temporal-server.yaml
@@ -1,7 +1,7 @@
package:
name: temporal-server
version: 1.25.2
- epoch: 0
+ epoch: 1
description: Temporal server executes units of application logic, Workflows, in a resilient manner that automatically handles intermittent failures, and retries failed operations
copyright:
- license: MIT
@@ -30,7 +30,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- runs: |
make bins
From 11230c06872bdfa47d318643504b3f5e98f845c0 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:04:53 +0000
Subject: [PATCH 117/211] cert-manager-1.16/1.16.2-r1: cve remediation (#36890)
cert-manager-1.16/1.16.2-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/cert-manager-1.16.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
cert-manager-1.16.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cert-manager-1.16.yaml b/cert-manager-1.16.yaml
index 38c755372ad..71b7a7a426c 100644
--- a/cert-manager-1.16.yaml
+++ b/cert-manager-1.16.yaml
@@ -2,7 +2,7 @@ package:
name: cert-manager-1.16
# See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
version: 1.16.2
- epoch: 1
+ epoch: 2
description: Automatically provision and manage TLS certificates in Kubernetes
copyright:
- license: Apache-2.0
@@ -34,6 +34,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: 33df0f22ab5753b942ce2deb36d7e452bc78e49d
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
# the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it
# to workaround, set CTR to anything $(command -v)able
- runs: |
From 99c974a8e95a41f5eba17913685f3c24788a5579 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:05:08 +0000
Subject: [PATCH 118/211] pulumi-language-dotnet/3.71.0-r0: cve remediation
(#36895)
pulumi-language-dotnet/3.71.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/pulumi-language-dotnet.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
pulumi-language-dotnet.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pulumi-language-dotnet.yaml b/pulumi-language-dotnet.yaml
index 8c10291656e..c04246e0896 100644
--- a/pulumi-language-dotnet.yaml
+++ b/pulumi-language-dotnet.yaml
@@ -1,7 +1,7 @@
package:
name: pulumi-language-dotnet
version: 3.71.0
- epoch: 0
+ epoch: 1
description: Pulumi Language SDK for Dotnet
copyright:
- license: Apache-2.0
@@ -21,6 +21,11 @@ pipeline:
repository: https://github.com/pulumi/pulumi-dotnet.git
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: pulumi-language-dotnet
+
- uses: go/build
with:
ldflags: -s -w -X github.com/pulumi/pulumi-language-dotnet/pkg/version.Version=v${{package.version}}
From b7c1c1e4c9f18bbedc22949df59ae77c4495243c Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:05:23 +0000
Subject: [PATCH 119/211] kaniko/1.23.2-r5: cve remediation (#36889)
kaniko/1.23.2-r5: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/kaniko.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
kaniko.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kaniko.yaml b/kaniko.yaml
index c345d998448..edc4dc81746 100644
--- a/kaniko.yaml
+++ b/kaniko.yaml
@@ -1,7 +1,7 @@
package:
name: kaniko
version: 1.23.2
- epoch: 5
+ epoch: 6
description: Build Container Images In Kubernetes
copyright:
- license: Apache-2.0
@@ -22,7 +22,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/opencontainers/runc@v1.1.12 google.golang.org/grpc@v1.64.1 github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: github.com/opencontainers/runc@v1.1.12 google.golang.org/grpc@v1.64.1 github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
tidy: false
- uses: go/build
From 207870a6a8887dfff1df9b4379a384482a14ff1b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:05:40 +0000
Subject: [PATCH 120/211] sftpgo-plugin-eventsearch/1.0.19-r0: cve remediation
(#36893)
sftpgo-plugin-eventsearch/1.0.19-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/sftpgo-plugin-eventsearch.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
sftpgo-plugin-eventsearch.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sftpgo-plugin-eventsearch.yaml b/sftpgo-plugin-eventsearch.yaml
index 37b2cc6235e..4b330f4f903 100644
--- a/sftpgo-plugin-eventsearch.yaml
+++ b/sftpgo-plugin-eventsearch.yaml
@@ -1,7 +1,7 @@
package:
name: sftpgo-plugin-eventsearch
version: 1.0.19
- epoch: 0
+ epoch: 1
description: "Search SFTPGo events stored in supported database engines"
copyright:
- license: AGPL-3.0-only
@@ -13,6 +13,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: f57e8340076a544615d6e42a3bfd1d44b9012316
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: .
From df19d3aa68912d048106fbfd8867b3545bee04fc Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:05:56 +0000
Subject: [PATCH 121/211] crossplane-provider-sql/0.10.0 package update
(#36899)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
crossplane-provider-sql.yaml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/crossplane-provider-sql.yaml b/crossplane-provider-sql.yaml
index 2fb43d5daa6..1aacf2145c9 100644
--- a/crossplane-provider-sql.yaml
+++ b/crossplane-provider-sql.yaml
@@ -1,7 +1,7 @@
package:
name: crossplane-provider-sql
- version: 0.9.0
- epoch: 2
+ version: 0.10.0
+ epoch: 0
description: Official SQL Provider for Crossplane by Upbound
copyright:
- license: Apache-2.0
@@ -20,14 +20,14 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: afdf5802c7445e6ed42db11b35e1a45d8f2771dd
+ expected-commit: cee2aea51f9340bbecfdac025ed959e09e3f6d7d
repository: https://github.com/crossplane-contrib/provider-sql
tag: v${{package.version}}
- uses: go/bump
with:
- deps: google.golang.org/protobuf@v1.33.0 golang.org/x/text@v0.14.0 golang.org/x/crypto@v0.31.0
- replaces: golang.org/x/net=golang.org/x/net@v0.23.0 github.com/crossplane/crossplane-runtime=github.com/crossplane/crossplane-runtime@v0.19.2
+ deps: google.golang.org/protobuf@v1.33.0 golang.org/x/crypto@v0.31.0
+ replaces: golang.org/x/net=golang.org/x/net@v0.23.0
modroot: .
- uses: go/build
From 0a6a195ef8921a08a5752d0d74f2897999238e41 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 10:19:49 -0500
Subject: [PATCH 122/211] confluent-docker-utils/0.0.129 package update
(#36827)
There's some work going on to make python v3.13 the default in wolfi,
which is separate to this PR. It looks like this package has issues with
python v3.13, so pinning to v3.12.
----------
---------
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Signed-off-by: Mark McCormick
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: Mark McCormick
---
confluent-docker-utils.yaml | 39 ++++++++++++++++++++++---------------
1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/confluent-docker-utils.yaml b/confluent-docker-utils.yaml
index 58359c3bcb3..e0ebfda5421 100644
--- a/confluent-docker-utils.yaml
+++ b/confluent-docker-utils.yaml
@@ -1,7 +1,7 @@
#nolint:git-checkout-must-use-github-updates
package:
name: confluent-docker-utils
- version: 0.0.127
+ version: 0.0.129
epoch: 0
description: This package provides Docker Utility Belt (dub) and Confluent Platform Utility Belt (cub).
copyright:
@@ -10,8 +10,14 @@ package:
no-depends: true
dependencies:
runtime:
- - py3-setuptools # To fix `No module named 'distutils'`
- - python3
+ - py${{vars.py-version}}-setuptools # To fix `No module named 'distutils'`
+
+vars:
+ # This will compile with py3.13, however tests will fail with errors:
+ # 'ModuleNotFoundError: No module named 'pipes'
+ # - https://github.com/jupyter/nbclassic/issues/308
+ # Upstream may have to make some code changes to be compatible with py3.13.
+ py-version: 3.12
environment:
contents:
@@ -19,18 +25,13 @@ environment:
- busybox
- ca-certificates-bundle
- cython
- - py3-gpep517
- - py3-installer
- - py3-pip
- - py3-setuptools
- - py3-wheel
- - python-3
- - python-3-dev
+ - py${{vars.py-version}}-build-base-dev
+ - py${{vars.py-version}}-gpep517
pipeline:
- uses: git-checkout
with:
- expected-commit: 964dc5fa47e7b361f3fff5854e3fd6e77e95a8d0
+ expected-commit: 03c11854dddd276004e69c533496cd5803e9abdc
repository: https://github.com/confluentinc/confluent-docker-utils
tag: v${{package.version}}
@@ -40,25 +41,28 @@ pipeline:
echo 'PyYAML==6.0.1' >> requirements.txt
- runs: |
- python3 -m gpep517 build-wheel \
+ python3=python${{vars.py-version}}
+ $python3 -m gpep517 build-wheel \
--wheel-dir dist \
--output-fd 3 3>&1 >&2
- python3 -m installer \
+ $python3 -m installer \
-d "${{targets.destdir}}" \
dist/*.whl
install -Dm644 LICENSE \
"${{targets.destdir}}"/usr/share/licenses/${{package.name}}/LICENSE
- runs: |
+ python3=python${{vars.py-version}}
# `--use-deprecated=legacy-resolver` is used force ignore the dependency check.
# `docker-compose` was requiring `PyYAML<6` and also `PyYAML==5.4.1` was causing
# `AttributeError: cython_sources` issue.
- pip install --root=${{targets.destdir}} --prefix=/usr --prefer-binary --use-deprecated=legacy-resolver -r requirements.txt
- pip install --root=${{targets.destdir}} --prefix=/usr setuptools
+ $python3 -m pip install --root=${{targets.destdir}} --prefix=/usr --prefer-binary --use-deprecated=legacy-resolver -r requirements.txt
+ $python3 -m pip install --root=${{targets.destdir}} --prefix=/usr setuptools
find ${{targets.destdir}} -name "*.pyc" -exec rm -rf '{}' +
- runs: |
- _py3ver=$(python3 -c 'import sys; print("{}.{}".format(sys.version_info.major, sys.version_info.minor))')
+ python3=python${{vars.py-version}}
+ _py3ver=$($python3 -c 'import sys; print("{}.{}".format(sys.version_info.major, sys.version_info.minor))')
mkdir -p ${{targets.destdir}}/usr/lib/python"$_py3ver"/site-packages/confluent/docker_utils
cp -r confluent/docker_utils/* ${{targets.destdir}}/usr/lib/python"$_py3ver"/site-packages/confluent/docker_utils/
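Review bot: The line `$python3 -m pip install --root=${{targets.destdir}} --prefix=/usr setuptools` still vendors an unpinned setuptools from the package index into the package, although the first hunk of this file already declares `py${{vars.py-version}}-setuptools` as a runtime dependency. The bundled copy is whatever the index serves on build day and will not pick up the distro's setuptools rebuilds, so I would drop the line if the runtime dependency is sufficient, or otherwise pin it as `setuptools==<VERSION>` with a comment saying why the packaged one cannot be used. The `-r requirements.txt` install on the line above resolves at build time in the same way, without hash checking. As a smaller point, `_py3ver=$($python3 -c ...)` now recomputes a value the file already has, and `${{vars.py-version}}` could be used directly in the two paths.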
@@ -87,3 +91,6 @@ test:
jsonschema --help
normalizer --version
normalizer --help
+ - uses: python/import
+ with:
+ import: confluent.docker_utils
From 420ef6a529d53d3fb1f34941cf6da8e610b51e07 Mon Sep 17 00:00:00 2001
From: debasishbsws
Date: Fri, 13 Dec 2024 15:42:04 +0000
Subject: [PATCH 123/211] Improvemet: Replace the dinamic go mod -edit command
with the use of go/bump replaces
The previous pipeline could result in downgrade to the upstream go version
Signed-off-by: debasishbsws
---
nodetaint.yaml | 29 +----------------------------
1 file changed, 1 insertion(+), 28 deletions(-)
diff --git a/nodetaint.yaml b/nodetaint.yaml
index 5a6caf7d173..83c63c27ffc 100644
--- a/nodetaint.yaml
+++ b/nodetaint.yaml
@@ -24,36 +24,9 @@ pipeline:
- uses: go/bump
with:
deps: k8s.io/api@v0.28.15 k8s.io/client-go@v0.28.15 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 k8s.io/apimachinery@v0.28.15 k8s.io/kubernetes@v1.28.15
+ replaces: k8s.io/api=k8s.io/api@v0.28.15 k8s.io/apiextensions-apiserver=k8s.io/apiextensions-apiserver@v0.28.15 k8s.io/apimachinery=k8s.io/apimachinery@v0.28.15 k8s.io/apiserver=k8s.io/apiserver@v0.28.15 k8s.io/cli-runtime=k8s.io/cli-runtime@v0.28.15 k8s.io/client-go=k8s.io/client-go@v0.28.15 k8s.io/cloud-provider=k8s.io/cloud-provider@v0.28.15 k8s.io/cluster-bootstrap=k8s.io/cluster-bootstrap@v0.28.15 k8s.io/code-generator=k8s.io/code-generator@v0.28.15 k8s.io/component-base=k8s.io/component-base@v0.28.15 k8s.io/cri-api=k8s.io/cri-api@v0.28.15 k8s.io/csi-translation-lib=k8s.io/csi-translation-lib@v0.28.15 k8s.io/kube-aggregator=k8s.io/kube-aggregator@v0.28.15 k8s.io/kube-controller-manager=k8s.io/kube-controller-manager@v0.28.15 k8s.io/kube-proxy=k8s.io/kube-proxy@v0.28.15 k8s.io/kube-scheduler=k8s.io/kube-scheduler@v0.28.15 k8s.io/kubectl=k8s.io/kubectl@v0.28.15 k8s.io/kubelet=k8s.io/kubelet@v0.28.15 k8s.io/legacy-cloud-providers=k8s.io/legacy-cloud-providers@v0.28.15 k8s.io/metrics=k8s.io/metrics@v0.28.15 k8s.io/sample-apiserver=k8s.io/sample-apiserver@v0.28.15 k8s.io/sample-cli-plugin=k8s.io/sample-cli-plugin@v0.28.15 k8s.io/sample-controller=k8s.io/sample-controller@v0.28.15
- runs: |
- # Mitigate CVE-2023-39325, CVE-2023-3978, CVE-2023-44487, GHSA-27wf-5967-98gx
-
- # CVE-2021-25736, CVE-2023-3676, CVE-2023-3955, GHSA-8cfg-vx93-jvxw
- go mod edit -replace=k8s.io/api=k8s.io/api@v0.28.15
- go mod edit -replace=k8s.io/apiextensions-apiserver=k8s.io/apiextensions-apiserver@v0.28.15
- go mod edit -replace=k8s.io/apimachinery=k8s.io/apimachinery@v0.28.15
- go mod edit -replace=k8s.io/apiserver=k8s.io/apiserver@v0.28.15
- go mod edit -replace=k8s.io/cli-runtime=k8s.io/cli-runtime@v0.28.15
- go mod edit -replace=k8s.io/client-go=k8s.io/client-go@v0.28.15
- go mod edit -replace=k8s.io/cloud-provider=k8s.io/cloud-provider@v0.28.15
- go mod edit -replace=k8s.io/cluster-bootstrap=k8s.io/cluster-bootstrap@v0.28.15
- go mod edit -replace=k8s.io/code-generator=k8s.io/code-generator@v0.28.15
- go mod edit -replace=k8s.io/component-base=k8s.io/component-base@v0.28.15
- go mod edit -replace=k8s.io/cri-api=k8s.io/cri-api@v0.28.15
- go mod edit -replace=k8s.io/csi-translation-lib=k8s.io/csi-translation-lib@v0.28.15
- go mod edit -replace=k8s.io/kube-aggregator=k8s.io/kube-aggregator@v0.28.15
- go mod edit -replace=k8s.io/kube-controller-manager=k8s.io/kube-controller-manager@v0.28.15
- go mod edit -replace=k8s.io/kube-proxy=k8s.io/kube-proxy@v0.28.15
- go mod edit -replace=k8s.io/kube-scheduler=k8s.io/kube-scheduler@v0.28.15
- go mod edit -replace=k8s.io/kubectl=k8s.io/kubectl@v0.28.15
- go mod edit -replace=k8s.io/kubelet=k8s.io/kubelet@v0.28.15
- go mod edit -replace=k8s.io/legacy-cloud-providers=k8s.io/legacy-cloud-providers@v0.28.15
- go mod edit -replace=k8s.io/metrics=k8s.io/metrics@v0.28.15
- go mod edit -replace=k8s.io/sample-apiserver=k8s.io/sample-apiserver@v0.28.15
- go mod edit -replace=k8s.io/sample-cli-plugin=k8s.io/sample-cli-plugin@v0.28.15
- go mod edit -replace=k8s.io/sample-controller=k8s.io/sample-controller@v0.28.15
- go mod tidy -compat=1.17
-
CGO_ENABLED=0 GOARCH=$(go env GOARCH) GOOS=$(go env GOOS) go build -o . -a -installsuffix cgo .
mkdir -p ${{targets.destdir}}/usr/bin
install -Dm755 nodetaint ${{targets.destdir}}/usr/bin/nodetaint
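Review bot: The new `replaces:` line carries no record of why the 23 `k8s.io/*` modules are pinned; the deleted `runs:` lines named the advisories, and that is the only place they were written down. I would keep that information as a comment directly above `replaces:`, for example `# k8s.io/* pinned to v0.28.15: CVE-2023-39325, CVE-2023-3978, CVE-2023-44487, GHSA-27wf-5967-98gx, CVE-2021-25736, CVE-2023-3676, CVE-2023-3955, GHSA-8cfg-vx93-jvxw`, so a later version update can tell when the pins are safe to remove. `k8s.io/api`, `k8s.io/client-go` and `k8s.io/apimachinery` now appear in both `deps:` and `replaces:` at the same version, so one of the two entries is probably redundant. The `pipeline:` block starts above this hunk.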
From b931765b4f7e083c9749233339cfa5d3e330228b Mon Sep 17 00:00:00 2001
From: debasishbsws
Date: Fri, 13 Dec 2024 15:56:46 +0000
Subject: [PATCH 124/211] add basic melange test
Signed-off-by: debasishbsws
---
nodetaint.yaml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nodetaint.yaml b/nodetaint.yaml
index 83c63c27ffc..f674b3c8530 100644
--- a/nodetaint.yaml
+++ b/nodetaint.yaml
@@ -33,6 +33,12 @@ pipeline:
- uses: strip
+test:
+ pipeline:
+ - name: Verify nodetaint binary
+ runs: |
+ nodetaint --help
+
update:
enabled: true
github:
From d10bf445554727985aec86fbf988c5b260b7f12f Mon Sep 17 00:00:00 2001
From: debasishbsws
Date: Fri, 13 Dec 2024 15:57:30 +0000
Subject: [PATCH 125/211] Bump epoch
Signed-off-by: debasishbsws
---
nodetaint.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodetaint.yaml b/nodetaint.yaml
index f674b3c8530..ccdff18a5e8 100644
--- a/nodetaint.yaml
+++ b/nodetaint.yaml
@@ -1,7 +1,7 @@
package:
name: nodetaint
version: 0.0.4
- epoch: 23
+ epoch: 24
description: Controller to manage taints for nodes in a k8s cluster.
copyright:
- license: Apache-2.0
From aca16927f478faeb29eeb3bbe209126e86b5b7d2 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:04:17 +0000
Subject: [PATCH 126/211] icu/76.1 package update (#36911)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
icu.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/icu.yaml b/icu.yaml
index 689ede235f6..8106624bec7 100644
--- a/icu.yaml
+++ b/icu.yaml
@@ -1,7 +1,7 @@
package:
name: icu
- version: "75.1"
- epoch: 4
+ version: "76.1"
+ epoch: 0
description: "International Components for Unicode library"
copyright:
- license: MIT
@@ -37,7 +37,7 @@ pipeline:
- uses: fetch
with:
uri: https://github.com/unicode-org/icu/releases/download/release-${{vars.dash-package-version}}/icu4c-${{vars.underscore-package-version}}-src.tgz
- expected-sha256: cb968df3e4d2e87e8b11c49a5d01c787bd13b9545280fc6642f826527618caef
+ expected-sha256: dfacb46bfe4747410472ce3e1144bf28a102feeaa4e3875bac9b4c6cf30f4f3e
strip-components: 0
- runs: |
From 1e0a1831aa525868ecf141c45fefe0d3c7181bba Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:04:32 +0000
Subject: [PATCH 127/211] vault-benchmark/0.3.0-r0: cve remediation (#36910)
vault-benchmark/0.3.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/vault-benchmark.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
vault-benchmark.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vault-benchmark.yaml b/vault-benchmark.yaml
index 88950ec1e22..a9560eb826c 100644
--- a/vault-benchmark.yaml
+++ b/vault-benchmark.yaml
@@ -1,7 +1,7 @@
package:
name: vault-benchmark
version: 0.3.0
- epoch: 0
+ epoch: 1
description: A tool for benchmarking usage of Vault
copyright:
- license: MPL-2.0
@@ -15,7 +15,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/hashicorp/go-retryablehttp@v0.7.7
+ deps: github.com/hashicorp/go-retryablehttp@v0.7.7 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From a74d34ebb884d6a1874d24590292e5f4d891ca37 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:04:49 +0000
Subject: [PATCH 128/211] rancher-fleet/0.11.2-r0: cve remediation (#36903)
rancher-fleet/0.11.2-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/rancher-fleet.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
rancher-fleet.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rancher-fleet.yaml b/rancher-fleet.yaml
index d71e6b98bbf..50343074bbd 100644
--- a/rancher-fleet.yaml
+++ b/rancher-fleet.yaml
@@ -1,7 +1,7 @@
package:
name: rancher-fleet
version: 0.11.2
- epoch: 0
+ epoch: 1
description: Deploy workloads from Git to large fleets of Kubernetes clusters
copyright:
- license: Apache-2.0
@@ -22,6 +22,10 @@ pipeline:
repository: https://github.com/rancher/fleet
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
subpackages:
- name: ${{package.name}}-agent
pipeline:
From 2d358a9312ef1ebda3136e10e3c56fdf2c343b89 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:05:08 +0000
Subject: [PATCH 129/211] tflint/0.54.0-r0: cve remediation (#36901)
tflint/0.54.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/tflint.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
tflint.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tflint.yaml b/tflint.yaml
index 0aa13b53fc5..aabcda0bd7c 100644
--- a/tflint.yaml
+++ b/tflint.yaml
@@ -1,7 +1,7 @@
package:
name: tflint
version: 0.54.0
- epoch: 0
+ epoch: 1
description: A Pluggable Terraform Linter
copyright:
- license: MPL-2.0
@@ -23,6 +23,10 @@ pipeline:
repository: https://github.com/terraform-linters/tflint
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make build
mkdir -p ${{targets.destdir}}/usr/bin
From 91df9199ab29864ea18410449d7b9bc2ba287106 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:05:33 +0000
Subject: [PATCH 130/211] tempo/2.6.1-r1: cve remediation (#36905)
tempo/2.6.1-r1: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/tempo.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
tempo.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tempo.yaml b/tempo.yaml
index de32b72179f..f07ec1d0f2b 100644
--- a/tempo.yaml
+++ b/tempo.yaml
@@ -1,7 +1,7 @@
package:
name: tempo
version: 2.6.1
- epoch: 1
+ epoch: 2
description: Grafana Tempo is a high volume, minimal dependency distributed tracing backend.
copyright:
- license: AGPL-3.0-or-later
@@ -21,6 +21,10 @@ pipeline:
repository: https://github.com/grafana/tempo
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
go mod vendor
make ${{package.name}}
From d1745513644c9c027e5de73737a0d28b16a2dd3b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:05:58 +0000
Subject: [PATCH 131/211] terraform/1.5.7-r17: cve remediation (#36908)
terraform/1.5.7-r17: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/terraform.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
terraform.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform.yaml b/terraform.yaml
index f21755809d8..c4194c4dcc5 100644
--- a/terraform.yaml
+++ b/terraform.yaml
@@ -1,7 +1,7 @@
package:
name: terraform
version: 1.5.7
- epoch: 17
+ epoch: 18
copyright:
- license: MPL-2.0
@@ -14,7 +14,7 @@ pipeline:
- uses: go/bump
with:
- deps: google.golang.org/grpc@v1.56.3 golang.org/x/crypto@v0.17.0 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/hashicorp/go-getter@v1.7.5 github.com/golang-jwt/jwt/v4@v4.5.1
+ deps: google.golang.org/grpc@v1.56.3 google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/hashicorp/go-getter@v1.7.5 github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From dd907d48db9f6af4f4370e456cf58db52aca44e5 Mon Sep 17 00:00:00 2001
From: debasishbsws
Date: Fri, 13 Dec 2024 16:17:10 +0000
Subject: [PATCH 132/211] Fix test, greping it as it results in a non zero exit
code
Signed-off-by: debasishbsws
---
nodetaint.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodetaint.yaml b/nodetaint.yaml
index ccdff18a5e8..d8e2aa4e67c 100644
--- a/nodetaint.yaml
+++ b/nodetaint.yaml
@@ -37,7 +37,7 @@ test:
pipeline:
- name: Verify nodetaint binary
runs: |
- nodetaint --help
+ nodetaint --help | grep -q "Usage:"
update:
enabled: true
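Review bot: The changed test line deliberately ignores the exit status of `nodetaint --help`, but only the commit subject says so; a comment such as `# --help exits non-zero, so assert on the usage text instead of the exit code` above it would stop someone from "simplifying" it back. The pipe also reads stdout only, and Go's standard flag package writes usage to stderr by default (whether nodetaint uses it is not visible here), so `nodetaint --help 2>&1 | grep -q "Usage:"` would be the more robust form.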
From 5c08e52b004aa4e7bd923a4f1d96cddae410ae61 Mon Sep 17 00:00:00 2001
From: maxgio92
Date: Fri, 13 Dec 2024 17:21:07 +0100
Subject: [PATCH 133/211] terser: new package (#36902)
#### For new package PRs only
- [x] REQUIRED - The package is available under an OSI-approved or
FSF-approved license
- [x] REQUIRED - The version of the package is still receiving security
updates
Signed-off-by: Massimiliano Giovagnoli
---
terser.yaml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 terser.yaml
diff --git a/terser.yaml b/terser.yaml
new file mode 100644
index 00000000000..1b354367649
--- /dev/null
+++ b/terser.yaml
@@ -0,0 +1,52 @@
+package:
+ name: terser
+ version: 5.37.0
+ epoch: 0
+ description: A JavaScript mangler/compressor toolkit for ES6+.
+ copyright:
+ - license: MIT
+
+environment:
+ contents:
+ packages:
+ - npm
+
+vars:
+ prefix: /usr/local
+
+pipeline:
+ - name: npm install
+ uses: npm/install
+ with:
+ package: terser
+ prefix: ${{targets.contextdir}}/${{vars.prefix}}
+ version: ${{package.version}}
+
+ - uses: strip
+
+test:
+ environment:
+ contents:
+ packages:
+ - bash
+ - nodejs
+ - npm
+ pipeline:
+ - name: Verify Terser version
+ runs: |
+ terser --version | grep "${{package.version}}" || (echo "Version mismatch!" && exit 1)
+ - name: Compress JS file using terser
+ runs: |
+ echo "function add(a, b) { return a + b; }" > test.js
+ terser test.js --compress ecma=2015,computed_props=false -o test.min.js
+ - name: Check the minified JS script size
+ runs: |
+ { test -s test.min.js && \
+ test $(stat -c%s test.min.js) -lt $(stat -c%s test.js); } || \
+ exit 1
+
+update:
+ enabled: true
+ github:
+ identifier: terser/terser
+ use-tag: true
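Review bot: The `npm/install` step pins `terser` by version only, so the build trusts whatever the registry serves for 5.37.0 at build time. Nothing in this file plays the role that `expected-commit` and `expected-sha256` play in the other packages of this series. If that pipeline has no integrity input (I cannot tell from this hunk), building from a `git-checkout` of `terser/terser` with `expected-commit` would pin the content, and it is the same source the `update.github` block already tracks. In the version test, `grep "${{package.version}}"` treats the dots as regex wildcards; `terser --version | grep -F "${{package.version}}"` matches the literal version.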
From feaad4b0894433cfcf68b99584e399eb5909509f Mon Sep 17 00:00:00 2001
From: James Rawlings
Date: Fri, 13 Dec 2024 16:23:01 +0000
Subject: [PATCH 134/211] withdraw icu 76.1 packages (again) (#36915)
`manual:true` will create an issue to crack the update manually and
prevent automated PRs
package update check failure is expected as this is rolling back a
version
The withdraw.txt doesn't need to be updated as they are already listed
in there, but we will need to run the withdraw action again once this
merges.
Signed-off-by: James Rawlings
---
icu.yaml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/icu.yaml b/icu.yaml
index 8106624bec7..4e01b59bda5 100644
--- a/icu.yaml
+++ b/icu.yaml
@@ -1,7 +1,7 @@
package:
name: icu
- version: "76.1"
- epoch: 0
+ version: "75.1"
+ epoch: 5
description: "International Components for Unicode library"
copyright:
- license: MIT
@@ -37,7 +37,7 @@ pipeline:
- uses: fetch
with:
uri: https://github.com/unicode-org/icu/releases/download/release-${{vars.dash-package-version}}/icu4c-${{vars.underscore-package-version}}-src.tgz
- expected-sha256: dfacb46bfe4747410472ce3e1144bf28a102feeaa4e3875bac9b4c6cf30f4f3e
+ expected-sha256: cb968df3e4d2e87e8b11c49a5d01c787bd13b9545280fc6642f826527618caef
strip-components: 0
- runs: |
@@ -104,6 +104,7 @@ subpackages:
# strip-prefix: release-
update:
enabled: true
+ manual: true # ICU updates contain ABI breaking changes which require manual intervention
version-transform:
- match: \-
replace: .
From 79b696d4ea78665424023ad97a268138e895ce3d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:31:26 -0500
Subject: [PATCH 135/211] kserve/0.14.0 package update (#31371)
Changes Made:
1 Use Wolfi Poetry:
- Switched to using the Wolfi-provided poetry package instead of
downloading it with pip.
2 Refactor Pipeline:
- Refactored the pipeline to make it simpler and more readable.
- Removed unnecessary steps and comments.
4 Test Environment Adjustments:
- Removed tests for binaries that have been removed upstream.
5 Added comments to explain the reason for the pinned Python version.
---------
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Signed-off-by: debasishbsws
Signed-off-by: Debasish Biswas
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: Ritwik Srinivas
Co-authored-by: debasishbsws
Co-authored-by: Dan Luhring
---
kserve.yaml | 122 ++++++++++++++--------------------------------------
1 file changed, 33 insertions(+), 89 deletions(-)
diff --git a/kserve.yaml b/kserve.yaml
index 4451d1d352c..360c7ef49ef 100644
--- a/kserve.yaml
+++ b/kserve.yaml
@@ -1,7 +1,7 @@
package:
name: kserve
- version: 0.13.1
- epoch: 5
+ version: 0.14.0
+ epoch: 0
description: "Standardized Serverless ML Inference Platform on Kubernetes"
copyright:
- license: Apache-2.0
@@ -11,14 +11,20 @@ environment:
packages:
- go
- py3.11-pip
- - python-3.11-dev
+ - py3.11-poetry
+ - py3.11-poetry-bin
+ - python-3.11-dev # Upstream https://github.com/kserve/kserve/blob/master/python/storage-initializer.Dockerfile uses python-3.11
pipeline:
- uses: git-checkout
with:
repository: https://github.com/kserve/kserve
tag: v${{package.version}}
- expected-commit: e7d9ac8c48900bfd6db4821305b762bc51d8a67b
+ expected-commit: 7e4364246449715b902dc967167e38b38773c9cd
+
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
data:
- name: go-components
@@ -62,114 +68,52 @@ subpackages:
options:
no-commands: true
pipeline:
- - working-directory: ./python
+ - name: poetry-build-storage-controller
+ working-directory: ./python/kserve
runs: |
- python=$(which python3.11)
-
- (
- set -x
- cd kserve
-
- # get poetry - until poetry is multi-versioned, just install from pip
- workd=$(mktemp -d)
- $python -m venv "$workd"
- $workd/bin/pip install poetry
-
- # PATCH_RAY: patch ray to address its embedded thirdparty_files
- # aiohttp CVE-2024-30251, CVE-2024-27306, CVE-2024-42367
- # idna CVE-2024-3651
- #
- # error if new version does not have 2.10.0, so we do not pin
- # current version is 2.35
- $workd/bin/poetry show ray >/tmp/out
- ver=$(awk '$1 == "version" { print $3 }' /tmp/out)
- case "$ver" in
- 2.10.*) :;;
- *) echo "FAIL: Found ray at version '$ver', expected 2.10.*,"
- echo "FAIL: update or drop PATCH_RAY section"
- exit 1;;
- esac
- $workd/bin/poetry add ray~2.35 --extras=serve --lock
-
- $workd/bin/poetry build
-
- wheel=$(echo dist/*.whl)
- [ -f "$wheel" ] || { echo "not exactly one wheel: $wheel"; exit 1; }
-
- # just let pip handle deps for now.
- $python -m pip install --verbose --prefix=/usr "--root=${{targets.contextdir}}" \
- "$wheel[storage]"
-
- rm -Rf "$workd"
- )
-
- # CVE-2024-6345 - see duplicate code in py3-virtualenv.yaml
- ( cd "${{targets.contextdir}}" &&
- cd usr/lib/python*/site-packages/virtualenv/seed/wheels/embed &&
- rm -v \
- setuptools-68.0.0-py3-none-any.whl \
- pip-24.0-py3-none-any.whl \
- wheel-0.42.0-py3-none-any.whl
- )
+ # Install dependencies and build the package using poetry
+ poetry install --no-interaction --no-root --extras "storage ray"
+ poetry build
+
+ # Install the wheel file with the root directory set to ${{targets.contextdir}}
+ python3 -m pip install --verbose --prefix=/usr --root=${{targets.contextdir}} dist/*.whl
+ - name: install storage-initializer entrypoint
+ working-directory: ./python/storage-initializer
+ runs: |
+ mkdir -p ${{targets.contextdir}}/storage-initializer/scripts/
- (
- d=${{targets.contextdir}}/storage-initializer/scripts/
- mkdir -p "$d"
- cp storage-initializer/scripts/initializer-entrypoint "$d"
- cd "$d"
- chmod 755 initializer-entrypoint
+ cp ./scripts/initializer-entrypoint ${{targets.contextdir}}/storage-initializer/scripts/
+ chmod 755 ${{targets.contextdir}}/storage-initializer/scripts/initializer-entrypoint
- # update shbang to point to the python used rather than '/usr/bin/env python'
- sed -i.dist "1s,#!/usr/bin/env python[^ ]*,#!$python," initializer-entrypoint
- # exit fail if it did not change anything
- diff -u initializer-entrypoint.dist initializer-entrypoint && exit 1
- rm initializer-entrypoint.dist
- )
+ cd ${{targets.contextdir}}/storage-initializer/scripts/
+ # update shbang to point to the python used rather than '/usr/bin/env python'
+ sed -i.dist "1s,#!/usr/bin/env python[^ ]*,#!$(which python3.11)," initializer-entrypoint
+ # exit fail if it did not change anything
+ diff -u initializer-entrypoint.dist initializer-entrypoint && exit 1
+ rm initializer-entrypoint.dist
- uses: strip
test:
environment:
contents:
packages:
- busybox
+ - py3.11-poetry
+ - python-3.11
pipeline:
- name: "test entrypoint usage"
runs: |
/storage-initializer/scripts/initializer-entrypoint --help
- dotenv --version
dotenv --help
- f2py --version
- f2py --help
- httpx --help
- jp.py --help
- jsonschema --version
- jsonschema --help
- markdown-it --version
- markdown-it --help
- memray --version
- memray --help
- memray3.11 --version
- memray3.11 --help
- normalizer --version
- normalizer --help
- py-spy --version
- py-spy --help
- pygmentize -v
- pygmentize --help
+ f2py --help
pyrsa-decrypt --help
pyrsa-encrypt --help
pyrsa-keygen --help
pyrsa-priv2pub --help
pyrsa-sign --help
pyrsa-verify --help
- ray --version
- ray --help
- serve --help
tabulate --help
uvicorn --version
uvicorn --help
- virtualenv --version
- virtualenv --help
- watchfiles --version
watchfiles --help
wsdump --help
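Review bot: The rewritten install line `python3 -m pip install ... dist/*.whl` no longer requests the `[storage]` extra that the removed `"$wheel[storage]"` did. The extras passed to `poetry install --extras "storage ray"` are resolved for poetry's own environment, which as far as this hunk shows is not `${{targets.contextdir}}`, so the subpackage may ship without its storage backends. Keeping `wheel=$(echo dist/*.whl)` and installing `"$wheel[storage]"` with `python3.11 -m pip` would preserve the old behaviour and use the same interpreter as the shebang rewrite, which calls `$(which python3.11)`. The CVE-2024-6345 cleanup of virtualenv's embedded wheels and the PATCH_RAY section are removed without a replacement comment. A line stating why they are no longer needed, for instance that virtualenv and ray are no longer installed into the package, would let the next reviewer verify it. The subpackage definition starts above this hunk.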
From c0d9f1672530d8720b341f0dc582ea52263654b7 Mon Sep 17 00:00:00 2001
From: Luca Di Maio
Date: Fri, 13 Dec 2024 17:49:42 +0100
Subject: [PATCH 136/211] fix(microvm-init): fix modprobe when missing modalias
Signed-off-by: Luca Di Maio
---
melange.yaml | 2 +-
melange/init | 22 ++++++++++++++++++----
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/melange.yaml b/melange.yaml
index d2722876d6b..bb940bb6ffd 100644
--- a/melange.yaml
+++ b/melange.yaml
@@ -1,7 +1,7 @@
package:
name: melange
version: 0.17.7
- epoch: 0
+ epoch: 1
description: build APKs from source code
copyright:
- license: Apache-2.0
diff --git a/melange/init b/melange/init
index 19e2b44f756..352c9f281ac 100755
--- a/melange/init
+++ b/melange/init
@@ -34,11 +34,25 @@ fi
# If this fails and we won't have network, the ifconfig command will fail anyway.
# Also we load cpu accelleration drivers in case those are needed.
depmod -a || :
-sort -u \
- /sys/devices/system/cpu/modalias \
- /sys/devices/pci*/*/virtio*/modalias | xargs -n1 modprobe 2>/dev/null || :
+sort -u /sys/devices/system/cpu/modalias | xargs -n1 modprobe 2>/dev/null || :
+sort -u /sys/devices/pci*/*/virtio*/modalias | xargs -n1 modprobe 2>/dev/null || :
# modprobe 9p if absent
-grep -q 9p /proc/filesystems || modprobe 9p
+if ! grep -q 9p /proc/filesystems; then
+ modprobe virtio
+ modprobe virtio_blk
+ modprobe virtio_gpu
+ modprobe virtio_net
+ modprobe virtio_pci
+ modprobe virtio_pci_legacy_dev
+ modprobe virtio_pci_modern_dev
+ modprobe virtio_pmem
+ modprobe virtio_ring
+ modprobe virtio_rng
+ modprobe virtio_scsi
+ modprobe 9pnet_virtio
+ modprobe 9pnet
+ modprobe 9p
+fi
# Setup default mountpoint for 9p shared dir
mount -t 9p -otrans=virtio -oversion=9p2000.L defaultshare /mnt/
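Review bot: The fourteen `modprobe` calls inside the new `if ! grep -q 9p /proc/filesystems` block have no failure handling, unlike the `|| :` on the `depmod` and `sort … | xargs` lines just above. A guest kernel that lacks one of them (for example `virtio_gpu` or `virtio_pmem`) will print an error and, if the script runs under `set -e` (not visible in this hunk), stop before the mount. The `mount -t 9p -otrans=virtio` line that follows appears to need only the 9p filesystem and its virtio transport, so loading `virtio_gpu`, `virtio_pmem` and `virtio_scsi` unconditionally enlarges the loaded-module surface of the guest without a stated reason. Consider a tolerant loop over the modules actually required and let modprobe resolve their dependencies, e.g. `for m in virtio_pci 9pnet_virtio 9p; do modprobe "$m" 2>/dev/null || :; done`, if that set proves sufficient. The script begins and continues outside this hunk.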
From 520a1f913e0716b21b622abc9b51de5461d39529 Mon Sep 17 00:00:00 2001
From: Justin Vreeland
Date: Fri, 1 Nov 2024 09:25:24 -0700
Subject: [PATCH 137/211] py3-ml-metadata.yaml: Add openssf-options
---
py3-ml-metadata.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/py3-ml-metadata.yaml b/py3-ml-metadata.yaml
index 2a837196502..17f465a5e62 100644
--- a/py3-ml-metadata.yaml
+++ b/py3-ml-metadata.yaml
@@ -1,7 +1,7 @@
package:
name: py3-ml-metadata
version: 1.16.0
- epoch: 3
+ epoch: 4
description: For recording and retrieving metadata associated with ML developer and data scientist workflows.
copyright:
- license: MIT
From 68e7f5168aa7e6e9e813540b00f2bd834978cf5b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:03:21 +0000
Subject: [PATCH 138/211] terragrunt/0.69.13 package update (#36922)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
terragrunt.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terragrunt.yaml b/terragrunt.yaml
index f8520e35108..c746bd65ffe 100644
--- a/terragrunt.yaml
+++ b/terragrunt.yaml
@@ -1,6 +1,6 @@
package:
name: terragrunt
- version: 0.69.12
+ version: 0.69.13
epoch: 0
description: Thin wrapper for Terraform providing extra tools
copyright:
@@ -21,7 +21,7 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: 521d95fbc561d35ed0d847e56d16f1021128f005
+ expected-commit: 38ceae28c17dd78e83181a6e3655032744730c56
repository: https://github.com/gruntwork-io/terragrunt
tag: v${{package.version}}
From ca97c9b85adaa1be8911700a5924f2c499f8779a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:03:34 +0000
Subject: [PATCH 139/211] spqr/2.1.0-r0: cve remediation (#36919)
spqr/2.1.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/spqr.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
spqr.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/spqr.yaml b/spqr.yaml
index 682f540a186..734fbc8c638 100644
--- a/spqr.yaml
+++ b/spqr.yaml
@@ -1,7 +1,7 @@
package:
name: spqr
version: 2.1.0
- epoch: 0
+ epoch: 1
description: Stateless Postgres Query Router
copyright:
- license: BSD-2-Clause
@@ -25,6 +25,10 @@ pipeline:
expected-commit: 51c4c60a701ed9e42fd0570d22a5176fef8f8a5d
tag: ${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- runs: |
make build
mkdir -p ${{targets.destdir}}/usr/bin
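Review bot: The added `go/bump` step pins `golang.org/x/crypto@v0.31.0` with no record in spqr.yaml of why, so a later maintainer cannot tell from the file when the override can be dropped; the advisory id appears only in the commit message. Add a comment above the step, e.g. `# GHSA-v778-237x-gjrc: remove once upstream go.mod requires golang.org/x/crypto >= v0.31.0`. The same applies to the `go/bump` hunks in spiffe-helper.yaml, oauth2-proxy.yaml (where the pin is appended to an existing `deps:` line) and portieris.yaml in this series. The terraform-provider-aws change later in the series shows this kind of override being removed once upstream caught up. The pipeline list starts and continues outside this hunk.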
From f7b0763841840416de3de3a1291c9dbb3c109866 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:03:51 +0000
Subject: [PATCH 140/211] spiffe-helper/0.9.0-r0: cve remediation (#36918)
spiffe-helper/0.9.0-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/spiffe-helper.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
spiffe-helper.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/spiffe-helper.yaml b/spiffe-helper.yaml
index d60550e443a..49d4f157739 100644
--- a/spiffe-helper.yaml
+++ b/spiffe-helper.yaml
@@ -1,7 +1,7 @@
package:
name: spiffe-helper
version: 0.9.0
- epoch: 0
+ epoch: 1
description: A helper utility for SPIFFE (Secure Production Identity Framework For Everyone) operations.
copyright:
- license: Apache-2.0
@@ -13,6 +13,10 @@ pipeline:
expected-commit: 71c089743733add8c6d36a3a15c12f1b16b9b21a
tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: "./cmd/spiffe-helper"
From dd30eadb7cd82b88ad5fa87ef8d1848d14c50197 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:04:15 +0000
Subject: [PATCH 141/211] py3-openai/1.57.4 package update (#36921)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
py3-openai.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/py3-openai.yaml b/py3-openai.yaml
index 0dd7a046452..1be25569b26 100644
--- a/py3-openai.yaml
+++ b/py3-openai.yaml
@@ -1,8 +1,8 @@
# Generated from https://pypi.org/project/openai/
package:
name: py3-openai
- version: 1.57.3
- epoch: 1
+ version: 1.57.4
+ epoch: 0
description: Python client library for the OpenAI API
copyright:
- license: MIT
@@ -39,7 +39,7 @@ pipeline:
with:
repository: https://github.com/openai/openai-python.git
tag: v${{package.version}}
- expected-commit: 0ae6f6b0ce55b6a9dd7e5caa684dfae2780c0088
+ expected-commit: e94d98e9bf97a5d2d02d79d58f2abdbab26ff2bd
subpackages:
- range: py-versions
From 380d61030b087621f582d55f373cbaa9c890960d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:04:27 +0000
Subject: [PATCH 142/211] oauth2-proxy/7.7.1-r0: cve remediation (#36913)
oauth2-proxy/7.7.1-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/oauth2-proxy.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
oauth2-proxy.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/oauth2-proxy.yaml b/oauth2-proxy.yaml
index ae3d42dea19..61838b5631a 100644
--- a/oauth2-proxy.yaml
+++ b/oauth2-proxy.yaml
@@ -1,7 +1,7 @@
package:
name: oauth2-proxy
version: 7.7.1
- epoch: 0
+ epoch: 1
description: Reverse proxy and static file server that provides authentication using various providers to validate accounts by email, domain or group.
copyright:
- license: MIT
@@ -24,7 +24,7 @@ pipeline:
- uses: go/bump
with:
- deps: github.com/go-jose/go-jose/v3@v3.0.3
+ deps: github.com/go-jose/go-jose/v3@v3.0.3 golang.org/x/crypto@v0.31.0
- uses: go/build
with:
From 65961c77e7632af4dfb17dceb507765e8e14a29a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:04:57 +0000
Subject: [PATCH 143/211] portieris/0.13.22-r0: cve remediation (#36916)
portieris/0.13.22-r0: fix GHSA-v778-237x-gjrc
Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/portieris.advisories.yaml
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
portieris.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/portieris.yaml b/portieris.yaml
index f1ca6e5c330..d12645ad60c 100644
--- a/portieris.yaml
+++ b/portieris.yaml
@@ -1,7 +1,7 @@
package:
name: portieris
version: 0.13.22
- epoch: 0
+ epoch: 1
description: A Kubernetes Admission Controller for verifying image trust.
copyright:
- license: Apache-2.0
@@ -17,6 +17,10 @@ pipeline:
tag: v${{package.version}}
expected-commit: ad0725d34f9ee1aa18078ab2ba624dee26dafba9
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
- uses: go/build
with:
packages: "./cmd/portieris"
From aa9aee9e34cdb46ea3e0f1c49da7b3f40cb5fc5a Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 22:40:27 +0530
Subject: [PATCH 144/211] gitea/1.22.6 package update (#36837)
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: Debasish Biswas
---
gitea.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gitea.yaml b/gitea.yaml
index 35ca01242c6..056441a1964 100644
--- a/gitea.yaml
+++ b/gitea.yaml
@@ -1,6 +1,6 @@
package:
name: gitea
- version: 1.22.5
+ version: 1.22.6
epoch: 0
description: self-hosted git service
copyright:
@@ -19,7 +19,7 @@ environment:
pipeline:
- uses: git-checkout
with:
- expected-commit: c0092af2e01c15d806435b9c4916a61415483e24
+ expected-commit: 8eefa1f6dedf2488db2c9e12c916e8e51f673160
repository: https://github.com/go-gitea/gitea
tag: v${{package.version}}
From 49cdbdd4398a667a3e14e31816d2fa34719fb382 Mon Sep 17 00:00:00 2001
From: Mark McCormick
Date: Fri, 13 Dec 2024 17:14:04 +0000
Subject: [PATCH 145/211] kubernetes-latest: bump to kubernetes 1.32 (#36749)
Latest Kubernetes is v1.32:
- https://github.com/wolfi-dev/os/pull/36719
As per internal runbook, bumping version here to match. Example of
previous upgrade: https://github.com/wolfi-dev/os/pull/26288
Signed-off-by: Mark McCormick
From 6769837ff85e0a2830ee4787c4f0d922a80fb36b Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:19:44 -0500
Subject: [PATCH 146/211] terraform-provider-aws/5.81.0 package update (#36655)
Package update.
Remove patch no longer needed - dep is already at the version that was
being patched
---------
---------
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Signed-off-by: Mark McCormick
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: Mark McCormick
---
terraform-provider-aws.yaml | 13 +++----------
terraform-provider-aws/GHSA-v778-237x-gjrc.patch | 13 -------------
2 files changed, 3 insertions(+), 23 deletions(-)
delete mode 100644 terraform-provider-aws/GHSA-v778-237x-gjrc.patch
diff --git a/terraform-provider-aws.yaml b/terraform-provider-aws.yaml
index 27f81baa0d5..26db7bdaedc 100644
--- a/terraform-provider-aws.yaml
+++ b/terraform-provider-aws.yaml
@@ -1,7 +1,7 @@
package:
name: terraform-provider-aws
- version: 5.80.0
- epoch: 1
+ version: 5.81.0
+ epoch: 0
description: Terraform AWS provider
copyright:
- license: MPL-2.0
@@ -19,14 +19,7 @@ pipeline:
with:
repository: https://github.com/hashicorp/terraform-provider-aws
tag: v${{package.version}}
- expected-commit: 9273b07bad89e6aa730482f3a8fc7840b38b9d68
-
- # At the time of writing (12/24), we can't use go/bump on this project, due
- # to 'godebug' directive being defined in the go.mod. We'll need updates to
- # go/bump to handle this - internal DYDX ticket filed.
- - uses: patch
- with:
- patches: GHSA-v778-237x-gjrc.patch
+ expected-commit: c38d7c284d0684653d53452eb1f9dd3e65b905fd
- runs: go mod tidy
diff --git a/terraform-provider-aws/GHSA-v778-237x-gjrc.patch b/terraform-provider-aws/GHSA-v778-237x-gjrc.patch
deleted file mode 100644
index bb9fbb53384..00000000000
--- a/terraform-provider-aws/GHSA-v778-237x-gjrc.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/go.mod b/go.mod
-index 31209aa041..68f75297f4 100644
---- a/go.mod
-+++ b/go.mod
-@@ -299,7 +299,7 @@ require (
- github.com/mitchellh/mapstructure v1.5.0
- github.com/pquerna/otp v1.4.0
- github.com/shopspring/decimal v1.4.0
-- golang.org/x/crypto v0.29.0
-+ golang.org/x/crypto v0.31.0
- golang.org/x/mod v0.22.0
- golang.org/x/text v0.20.0
- golang.org/x/tools v0.27.0
From 12c2c3cc993b5a9c19f3b778c5a0aef15392cb1d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 22:51:18 +0530
Subject: [PATCH 147/211] boost/1.87.0 package update (#36440)
Automated package update - patches were failing to apply.
These changes look to be in the latest release, so we don't need to
cherry-pick them anymore.
-----------
---------
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Signed-off-by: Mark McCormick
Co-authored-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Co-authored-by: Mark McCormick
---
boost.yaml | 12 +-
...16b5b76e9132eba78a399af9c95ec8d23bd4.patch | 62 ------
...e9b4a749a77c24facf2da44f01e032c40842.patch | 184 ------------------
3 files changed, 3 insertions(+), 255 deletions(-)
delete mode 100644 boost/c98516b5b76e9132eba78a399af9c95ec8d23bd4.patch
delete mode 100644 boost/cd21e9b4a749a77c24facf2da44f01e032c40842.patch
diff --git a/boost.yaml b/boost.yaml
index 55efa9c6db3..934f2d6268e 100644
--- a/boost.yaml
+++ b/boost.yaml
@@ -1,7 +1,7 @@
package:
name: boost
- version: 1.86.0
- epoch: 2
+ version: 1.87.0
+ epoch: 0
description: "Free peer-reviewed portable C++ source libraries"
copyright:
- license: "BSL-1.0"
@@ -59,13 +59,7 @@ pipeline:
- uses: fetch
with:
uri: https://boostorg.jfrog.io/artifactory/main/release/${{package.version}}/source/boost_${{vars.mangled-package-version}}.tar.gz
- expected-sha256: 2575e74ffc3ef1cd0babac2c1ee8bdb5782a0ee672b1912da40e5b4b591ca01f
-
- # Apply patches to fix build https://github.com/boostorg/bcp/pull/18
- - runs: |
- cd ./tools/bcp
- patch -p1 < ../../c98516b5b76e9132eba78a399af9c95ec8d23bd4.patch
- patch -p1 < ../../cd21e9b4a749a77c24facf2da44f01e032c40842.patch
+ expected-sha256: f55c340aa49763b1925ccf02b2e83f35fdcf634c9d5164a2acb87540173c741d
- runs: |
abiflags="$(python3-config --abiflags)"
diff --git a/boost/c98516b5b76e9132eba78a399af9c95ec8d23bd4.patch b/boost/c98516b5b76e9132eba78a399af9c95ec8d23bd4.patch
deleted file mode 100644
index 2f0f6252ff8..00000000000
--- a/boost/c98516b5b76e9132eba78a399af9c95ec8d23bd4.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From c98516b5b76e9132eba78a399af9c95ec8d23bd4 Mon Sep 17 00:00:00 2001
-From: Andrey Semashev
-Date: Sun, 24 Mar 2024 15:43:33 +0300
-Subject: [PATCH] Updated list of special dependencies.
-
----
- add_path.cpp | 16 ++++++----------
- 1 file changed, 6 insertions(+), 10 deletions(-)
-
-diff --git a/add_path.cpp b/add_path.cpp
-index 747bb8c..9ae43c9 100644
---- a/add_path.cpp
-+++ b/add_path.cpp
-@@ -196,12 +196,6 @@ void bcp_implementation::add_file(const fs::path& p)
- //
- static const std::pair
- specials[] = {
-- std::pair("tools/build/src/kernel/modules.jam", "libs/predef/check"),
-- std::pair("tools/build/src/kernel/modules.jam", "libs/predef/tools"),
-- std::pair("tools/build/src/kernel/modules.jam", "tools/boost_install/boost-install.jam"),
-- std::pair("tools/build/src/kernel/modules.jam", "tools/boost_install/boost-install-dirs.jam"),
-- std::pair("tools/build/src/kernel/modules.jam", "tools/boost_install/Jamfile"),
-- std::pair("tools/build/src/kernel/modules.jam", "libs/headers"),
- std::pair("libs/test/build/Jamfile.v2", "libs/timer/src"),
- std::pair("libs/test/build/Jamfile.v2", "libs/timer/build"),
- std::pair("boost/atomic/capabilities.hpp", "boost/atomic/detail"),
-@@ -226,14 +220,14 @@ static const std::pair
- std::pair("libs/thread/build", "boost/system"),
- std::pair("libs/thread/build", "boost/cerrno.hpp"),
- std::pair("libs/thread/build", "boost/chrono"),
-- std::pair("boost/filesystem/convenience.hpp", "boost/filesystem.hpp"),
-+ std::pair("boost/filesystem/cstdio.hpp", "boost/filesystem.hpp"),
-+ std::pair("boost/filesystem/directory.hpp", "boost/filesystem.hpp"),
- std::pair("boost/filesystem/exception.hpp", "boost/filesystem.hpp"),
- std::pair("boost/filesystem/fstream.hpp", "boost/filesystem.hpp"),
- std::pair("boost/filesystem/operations.hpp", "boost/filesystem.hpp"),
-+ std::pair("boost/filesystem/file_status.hpp", "boost/filesystem.hpp"),
- std::pair("boost/filesystem/path.hpp", "boost/filesystem.hpp"),
- std::pair("boost/filesystem.hpp", "libs/filesystem/build"),
-- std::pair("boost/filesystem.hpp", "libs/filesystem/v2"),
-- std::pair("boost/filesystem.hpp", "libs/filesystem/v3"),
- std::pair("boost/config.hpp", "boost/config"),
- std::pair("tools/build/bootstrap.sh", "libs/config/checks"),
- std::pair("tools/build/bootstrap.sh", "libs/config/test"),
-@@ -242,6 +236,7 @@ static const std::pair
- std::pair("tools/build/bootstrap.sh", "tools/boost_install/BoostDetectToolset.cmake"),
- std::pair("tools/build/bootstrap.sh", "tools/boost_install/boost-install.jam"),
- std::pair("tools/build/bootstrap.sh", "tools/boost_install/boost-install-dirs.jam"),
-+ std::pair("tools/build/bootstrap.sh", "tools/boost_install/Jamfile"),
- std::pair("tools/build/bootstrap.sh", "boostcpp.jam"),
- std::pair("tools/build/bootstrap.sh", "project-config.jam"),
- std::pair("tools/build/bootstrap.sh", "bootstrap.bat"),
-@@ -271,7 +266,8 @@ static const std::pair
- std::pair("boost/test/detail/config.hpp", "libs/test/src"),
- std::pair("boost/test/detail/config.hpp", "libs/test/build"),
- std::pair("boost/test/detail/config.hpp", "libs/predef/build.jam"),
-- std::pair("boost/test/detail/config.hpp", "libs/predef/check"),
-+ std::pair("boost/test/detail/config.hpp", "libs/predef/tools/check"),
-+ std::pair("boost/test/detail/config.hpp", "libs/predef/check"), // libs/predef/check if obsolete, but may still be used
- std::pair("boost/typeof.hpp", "boost/typeof/incr_registration_group.hpp"),
- std::pair("boost/function_types/detail/pp_loop.hpp", "boost/function_types/detail/pp_cc_loop"),
- std::pair("boost/function_types/components.hpp", "boost/function_types/detail/components_impl"),
diff --git a/boost/cd21e9b4a749a77c24facf2da44f01e032c40842.patch b/boost/cd21e9b4a749a77c24facf2da44f01e032c40842.patch
deleted file mode 100644
index e45881c204f..00000000000
--- a/boost/cd21e9b4a749a77c24facf2da44f01e032c40842.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From cd21e9b4a749a77c24facf2da44f01e032c40842 Mon Sep 17 00:00:00 2001
-From: Andrey Semashev
-Date: Sun, 24 Mar 2024 14:49:18 +0300
-Subject: [PATCH] Remove usage of deprecated and removed Boost.Filesystem APIs.
-
----
- add_dependent_lib.cpp | 5 +++--
- add_path.cpp | 30 +++++++++++++++---------------
- bcp_imp.hpp | 1 +
- copy_path.cpp | 8 ++++----
- file_types.cpp | 2 +-
- 5 files changed, 24 insertions(+), 22 deletions(-)
-
-diff --git a/add_dependent_lib.cpp b/add_dependent_lib.cpp
-index 4852914..521b70d 100644
---- a/add_dependent_lib.cpp
-+++ b/add_dependent_lib.cpp
-@@ -15,6 +15,7 @@
- #include "bcp_imp.hpp"
- #include "fileview.hpp"
- #include
-+#include
- #include
- #include
- #include
-@@ -43,12 +44,12 @@ static void init_library_scanner(const fs::path& p, bool cvs_mode, const std::st
- //
- // Don't add files created by build system:
- //
-- if((p.leaf() == "bin") || (p.leaf() == "bin-stage"))
-+ if((p.filename() == "bin") || (p.filename() == "bin-stage"))
- return;
- //
- // Don't add version control directories:
- //
-- if((p.leaf() == "CVS") || (p.leaf() == ".svn"))
-+ if((p.filename() == "CVS") || (p.filename() == ".svn"))
- return;
- //
- // don't add directories not under version control:
-diff --git a/add_path.cpp b/add_path.cpp
-index 8a1fee3..747bb8c 100644
---- a/add_path.cpp
-+++ b/add_path.cpp
-@@ -15,6 +15,7 @@
- #include "bcp_imp.hpp"
- #include "fileview.hpp"
- #include
-+#include
- #include
- #include
- #include
-@@ -24,8 +25,7 @@ void bcp_implementation::add_path(const fs::path& p)
- {
- if (m_excluded.find(p) != m_excluded.end())
- return;
-- fs::path normalized_path = p;
-- normalized_path.normalize();
-+ fs::path normalized_path = p.lexically_normal();
- if(fs::exists(m_boost_path / normalized_path))
- {
- if(fs::is_directory(m_boost_path / normalized_path))
-@@ -45,12 +45,12 @@ void bcp_implementation::add_directory(const fs::path& p)
- //
- // Don't add files created by build system:
- //
-- if((p.leaf() == "bin") || (p.leaf() == "bin-stage"))
-+ if((p.filename() == "bin") || (p.filename() == "bin-stage"))
- return;
- //
- // Don't add version control directories:
- //
-- if((p.leaf() == "CVS") || (p.leaf() == ".svn"))
-+ if((p.filename() == "CVS") || (p.filename() == ".svn"))
- return;
- //
- // don't add directories not under version control:
-@@ -180,7 +180,7 @@ void bcp_implementation::add_file(const fs::path& p)
- {
- // only concatonate if it's a relative path
- // rather than a URL:
-- fs::path dep(p.branch_path() / s);
-+ fs::path dep(p.parent_path() / s);
- if(!m_dependencies.count(dep))
- {
- m_dependencies[dep] = p; // set up dependency tree
-@@ -355,13 +355,13 @@ void bcp_implementation::add_file_dependencies(const fs::path& p, bool scanfile)
- continue;
- }
- include_file = i->str();
-- fs::path test_file(m_boost_path / p.branch_path() / include_file);
-- if(fs::exists(test_file) && !fs::is_directory(test_file) && (p.branch_path().string() != "boost"))
-+ fs::path test_file(m_boost_path / p.parent_path() / include_file);
-+ if(fs::exists(test_file) && !fs::is_directory(test_file) && (p.parent_path().string() != "boost"))
- {
-- if(!m_dependencies.count(p.branch_path() / include_file))
-+ if(!m_dependencies.count(p.parent_path() / include_file))
- {
-- m_dependencies[p.branch_path() / include_file] = p;
-- add_pending_path(p.branch_path() / include_file);
-+ m_dependencies[p.parent_path() / include_file] = p;
-+ add_pending_path(p.parent_path() / include_file);
- }
- }
- else if(fs::exists(m_boost_path / include_file))
-@@ -405,13 +405,13 @@ void bcp_implementation::add_file_dependencies(const fs::path& p, bool scanfile)
- ++i;
- continue;
- }
-- fs::path test_file(m_boost_path / p.branch_path() / include_file);
-- if(fs::exists(test_file) && !fs::is_directory(test_file) && (p.branch_path().string() != "boost"))
-+ fs::path test_file(m_boost_path / p.parent_path() / include_file);
-+ if(fs::exists(test_file) && !fs::is_directory(test_file) && (p.parent_path().string() != "boost"))
- {
-- if(!m_dependencies.count(p.branch_path() / include_file))
-+ if(!m_dependencies.count(p.parent_path() / include_file))
- {
-- m_dependencies[p.branch_path() / include_file] = p;
-- add_pending_path(p.branch_path() / include_file);
-+ m_dependencies[p.parent_path() / include_file] = p;
-+ add_pending_path(p.parent_path() / include_file);
- }
- }
- else if(fs::exists(m_boost_path / include_file))
-diff --git a/bcp_imp.hpp b/bcp_imp.hpp
-index e515581..51c85ba 100644
---- a/bcp_imp.hpp
-+++ b/bcp_imp.hpp
-@@ -14,6 +14,7 @@
- #include
- #include