vault/physical/manta
Vault Automation 4e4119a02f
Backport [VAULT-45173] go: bump several dependencies to resolve GHSA-j88v-2chj-qfwx into ce/main
* [VAULT-45173] go: bump several dependencies to resolve GHSA-j88v-2chj-qfwx

This PR has a set of fairly complex dependency bumps to resolve GHSA-j88v-2chj-qfwx. For the third time in about six weeks, we've had to deal with CVEs in old and unsupported versions of `jackc/pgx`. These changes are for us to rid ourselves of those transitive dependencies completely.

First, we get rid of `jackc/pgx/v4` by bumping `cloud.google.com/go/cloudsqlconn` to `v1.21.0`, which pulls in `v5`.

Next, we have to get rid of `jackc/pgx v3`, which was brought in via a chain of `hashicorp/go-discover` -> `joyent/triton-go` -> `jackc/pgx/v3`. First, we updated `go-discover` to pull in the v2 module of `triton-go` from the modern upstream ([0], [1]) and pin to it. Then we update our own manta support to pull in the v2 module. Finally, we replace the `TritonDataCenter/triton-go` module with a fork that removes an unnecessary dep on `pgx/v3`.[2]

[0]: https://github.com/hashicorp/go-discover/pull/326
[1]: https://github.com/hashicorp/go-discover/pull/332
[2]: https://github.com/TritonDataCenter/triton-go/pull/207

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-15 12:10:10 -06:00
manta.go Backport [VAULT-45173] go: bump several dependencies to resolve GHSA-j88v-2chj-qfwx into ce/main 2026-05-15 12:10:10 -06:00
manta_test.go Backport [VAULT-45173] go: bump several dependencies to resolve GHSA-j88v-2chj-qfwx into ce/main 2026-05-15 12:10:10 -06:00