goreleaser: update advisory #27934

dnegreira · 2025-12-15T16:02:05Z

github.com/sigstore/timestamp-authority is transitive dependencies
pulled in by github.com/sigstore/cosign.

Any attempts to bump timestamp-authority results in build failures.

There is currently a discussion upstream on how to migrate to cosign v3:
goreleaser/goreleaser#6195

Signed-off-by: David Negreira [email protected]

Update advisory for GHSA-4qg8-fj49-pxjh github.com/sigstore/timestamp-authority is transitive dependencies pulled in by github.com/sigstore/cosign. Any attempts to bump timestamp-authority results in build failures. There is currently a discussion upstream on how to migrate to cosign v3: goreleaser/goreleaser#6195 Signed-off-by: David Negreira <[email protected]>

dnegreira enabled auto-merge December 15, 2025 16:02

dnegreira requested a review from a team December 15, 2025 16:02

dnegreira mentioned this pull request Dec 15, 2025

goreleaser/2.13.1-r0: cve remediation wolfi-dev/os#75234

Closed

philroche approved these changes Dec 15, 2025

View reviewed changes

dnegreira added this pull request to the merge queue Dec 15, 2025

Merged via the queue into wolfi-dev:main with commit a75b9a5 Dec 15, 2025
4 checks passed

dnegreira deleted the goreleaser-timestamp-authority branch December 15, 2025 16:33

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

goreleaser: update advisory #27934

goreleaser: update advisory #27934

Uh oh!

dnegreira commented Dec 15, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

goreleaser: update advisory #27934

goreleaser: update advisory #27934

Uh oh!

Conversation

dnegreira commented Dec 15, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants