From ce44887743ea8cda5973f15bfa39cf688b06feab Mon Sep 17 00:00:00 2001 From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 20:31:51 -0500 Subject: [PATCH] spegel/0.0.27-r0: cve remediation (#35698) Automated commit attempted to bump quic-go dependency to remediate GHSA-px8v-pp82-rcvr. However, the latest version of quic-go also required another dependency (go-libp2p) to be upgraded. The good news, upstream already made similar changes in main as part of: https://github.com/spegel-org/spegel/pull/659, they just haven't made it into a release yet. --------------- spegel/0.0.27-r0: fix GHSA-px8v-pp82-rcvr Advisory data: https://github.com/wolfi-dev/advisories/blob/main/spegel.advisories.yaml --------- Signed-off-by: Mark McCormick Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com> Co-authored-by: Mark McCormick --- spegel.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/spegel.yaml b/spegel.yaml index e04416d0d83..571f6ab1ff2 100644 --- a/spegel.yaml +++ b/spegel.yaml @@ -1,7 +1,7 @@ package: name: spegel version: 0.0.27 - epoch: 0 + epoch: 1 description: Stateless cluster local OCI registry mirror. copyright: - license: Apache-2.0 @@ -20,6 +20,10 @@ pipeline: tag: v${{package.version}} expected-commit: 9237bce5f337fb5362984b5206f7dfb7fbf3aa5d + - uses: go/bump + with: + deps: github.com/quic-go/quic-go@v0.48.2 github.com/libp2p/go-libp2p@v0.37.2 + - uses: go/build with: packages: ./
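Review bot: In the first hunk (`- epoch: 0` / `+ epoch: 1`), the epoch bump is the right way to force a rebuild of an unchanged upstream version, but it means the remediated package is `spegel-0.0.27-r1`, not the `0.0.27-r0` named in the subject and body. Please make sure the matching entry in the linked spegel.advisories.yaml records `0.0.27-r1` as the fixed version for GHSA-px8v-pp82-rcvr; otherwise scanners will keep flagging the rebuilt package.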
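Review bot: In the second hunk, the added `go/bump` step pins `github.com/libp2p/go-libp2p@v0.37.2` without saying why; the reason (the quic-go version that fixes the advisory needs a newer go-libp2p, as upstream did in spegel-org/spegel#659) lives only in the commit message. Suggest a short YAML comment above `- uses: go/bump` citing that PR and noting the step can be dropped once a release containing it is packaged, so the next version bump does not carry a stale override. It would also be worth confirming in the PR that `go/build` still compiles cleanly after `go/bump` rewrites go.mod/go.sum, since bumping go-libp2p can move other transitive dependencies that `deps:` does not list.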