Pull request 1003 #1008
Pull request 1003 #1008
Conversation
| @@ -125,6 +127,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC | |||
| github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= | |||
There was a problem hiding this comment.
It looks like this doesn't fully resolve the issue since the vulnerable package is still being pulled in, but go mod why indicates that we are not using this code path since the packages we import are not pulling it in. So I think that is ok.
There was a problem hiding this comment.
@yorinasub17 , Yes I am not sure why it is still pulled.
There was a problem hiding this comment.
Digging into this further, this may actually be pulled in as a transient dependency of the azure-sdk-go version we are currently at: https://github.com/Azure/azure-sdk-for-go/blob/v46.0.0/Gopkg.lock#L31-L37
It looks like this specific dependency was updated in v50.0.0.
I'm not sure how disruptive it is to update the azure-sdk-for-go package, but we should consider updating to that version and above. Let me take a crack at that.
I'll go ahead and kick off a regression build with our test pipeline, and if that passes, I'll merge this in and start a new PR attempting to update the Azure SDK.
|
Thanks for the effort on this by the way! |
Fixes #1003
Closes #1003
This PR updates the Auzre/autorest version to rid of the github.com/dgrijalva/jwt-go.
Link to CI note the failures in the current CI is the same on the Main branch CI .
The failures are are AKS due to this open issue on Azure/AKS. While the remaining are Azure VM related which I am currently investigating and will create issues to track them