fix: update vulnerable Go dependencies #34

Merged

adityathebe merged 2 commits into main from fix/dependabot-alerts on Jul 3, 2026

Conversation

@adityathebe (Member)

Dependabot reported vulnerable transitive Go modules in the batch-runner dependency graph.

This updates duty and related Flanksource dependencies, removes vulnerable pgx/v4 and pgproto3/v2 from the module graph, and bumps patched versions for go-git, x/net, AWS SDK, OpenTelemetry, cert-manager, and other affected modules.

Go tooling references are updated to 1.26 to match the newer dependency requirements.
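A practitioner's check for the claim that the module graph no longer includes the vulnerable versions, added here as an example rather than code from the batch-runner repository or any Flanksource project: it parses `go mod graph` output, reports whether a module path such as `github.com/jackc/pgx/v4` is still reachable from the main module and through which requirement chain, and lists the versions of a given module that remain in the graph. The sample graph, the main module name `github.com/example/batch-runner`, and every version string in it are constructed for illustration and are not the real dependency graph.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output. The module
// paths echo the PR description, but the versions and edges are invented for
// illustration and are not taken from batch-runner.
const sampleGraph = `github.com/example/batch-runner github.com/flanksource/duty@v1.0.0
github.com/example/batch-runner golang.org/x/net@v0.17.0
github.com/flanksource/duty@v1.0.0 github.com/jackc/pgx/v4@v4.18.1
github.com/flanksource/duty@v1.0.0 golang.org/x/net@v0.17.0
github.com/jackc/pgx/v4@v4.18.1 github.com/jackc/pgproto3/v2@v2.3.2
`

// Edge is one requirement edge: From requires To. Nodes are "path@version",
// except the main module, which `go mod graph` prints without a version.
type Edge struct{ From, To string }

// ParseGraph parses `go mod graph` text; blank and malformed lines are skipped.
func ParseGraph(text string) []Edge {
	var edges []Edge
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		edges = append(edges, Edge{From: fields[0], To: fields[1]})
	}
	return edges
}

// modPath strips the "@version" suffix from a graph node.
func modPath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// Versions returns the distinct versions of module path present anywhere in
// the graph, sorted. An empty result means the module is no longer required.
func Versions(edges []Edge, path string) []string {
	seen := map[string]bool{}
	for _, e := range edges {
		for _, n := range []string{e.From, e.To} {
			if modPath(n) == path && n != path {
				seen[n[len(path)+1:]] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for v := range seen {
		out = append(out, v)
	}
	sort.Strings(out)
	return out
}

// ChainTo walks the graph breadth-first from root and returns the shortest
// requirement chain ending at any node whose module path is target, or nil
// when target is absent. The second element of the chain is the direct
// dependency that has to be bumped to drop the vulnerable module.
func ChainTo(edges []Edge, root, target string) []string {
	adj := map[string][]string{}
	for _, e := range edges {
		adj[e.From] = append(adj[e.From], e.To)
	}
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if modPath(n) == target {
			var chain []string
			for c := n; c != ""; c = parent[c] {
				chain = append([]string{c}, chain...)
			}
			return chain
		}
		for _, next := range adj[n] {
			if _, visited := parent[next]; !visited {
				parent[next] = n
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	edges := ParseGraph(sampleGraph)
	root := "github.com/example/batch-runner"
	for _, vuln := range []string{"github.com/jackc/pgx/v4", "github.com/jackc/pgproto3/v2"} {
		if chain := ChainTo(edges, root, vuln); chain != nil {
			fmt.Printf("%s still present via %s\n", vuln, strings.Join(chain, " -> "))
		} else {
			fmt.Printf("%s removed from the graph\n", vuln)
		}
	}
	fmt.Println("golang.org/x/net versions:", Versions(edges, "golang.org/x/net"))
}
```

In practice you would feed the real output of `go mod graph`, run in the repository after the bump, in place of the constructed constant, and treat any non-nil chain for a module Dependabot flagged as a failed check. Note that `go mod graph` lists every module version in the requirement graph, not only the one selected by minimal version selection, so a version that still appears here may not be the one built; `govulncheck ./...` gives the call-graph-aware answer for whether vulnerable code is actually reachable.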

Dependabot reported vulnerable transitive Go modules through duty and related Flanksource packages.

Bump duty, commons-db, commons-test, artifacts, Go Cloud, Kubernetes, AWS, OpenTelemetry, cert-manager, go-git, and x/net dependencies so the module graph no longer includes the vulnerable versions. Update the Go toolchain references to 1.26 to match the newer dependency requirements.
@adityathebe adityathebe enabled auto-merge (rebase) July 3, 2026 13:38
commons-test v0.1.14 prefixes repository names during InstallOrUpgrade. Passing localstack/localstack caused Helm to resolve localstack/localstack/localstack and fail before the E2E suite ran.

Pass only the chart name so the helper builds the correct localstack/localstack reference.
@adityathebe adityathebe merged commit 81030bd into main Jul 3, 2026
5 checks passed
@adityathebe adityathebe deleted the fix/dependabot-alerts branch July 3, 2026 14:16