@octo-sts octo-sts bot commented Dec 8, 2025

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr gh GHSA-4qg8-fj49-pxjh go/bump request-cve-remediation labels Dec 8, 2025

octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

| Category | Details |
| --- | --- |
| Build System | Go/melange |
| Failure Point | go/bump pipeline step during dependency update |

Root Cause Analysis 🔍

The Go module github.com/sigstore/timestamp-authority has an invalid version constraint. The module's go.mod file declares itself as version 2 with path 'github.com/sigstore/timestamp-authority/v2', but the requested version v2.0.3 is being resolved against the v1 path 'github.com/sigstore/timestamp-authority'. This is a Go module versioning issue where the module path and version don't align according to Go's semantic import versioning rules.


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
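
The semantic import versioning rule named in the build-failure comment above, as an added Go example (not code from this PR, the bump pipeline, or the Go toolchain): a pre-flight check that a requested module path and version agree before a bump is attempted. The function names are hypothetical, and gopkg.in-style paths are out of scope.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`) // trailing "/vN", N >= 2

// versionMajor extracts N from a version of the form "vN.x.y".
func versionMajor(version string) (int, error) {
	if !strings.HasPrefix(version, "v") {
		return 0, fmt.Errorf("version %q lacks the leading v", version)
	}
	head, _, _ := strings.Cut(version[1:], ".")
	return strconv.Atoi(head)
}

// ExpectedPath returns the module path the rule requires for version:
// no suffix for v0/v1 and "+incompatible" versions, "/vN" for N >= 2.
func ExpectedPath(modPath, version string) (string, error) {
	major, err := versionMajor(version)
	if err != nil {
		return "", err
	}
	base := majorSuffix.ReplaceAllString(modPath, "")
	if major < 2 || strings.HasSuffix(version, "+incompatible") {
		return base, nil
	}
	return fmt.Sprintf("%s/v%d", base, major), nil
}

// CheckRequirement returns an error when path and version do not align.
func CheckRequirement(modPath, version string) error {
	want, err := ExpectedPath(modPath, version)
	if err == nil && want != modPath {
		err = fmt.Errorf("%s@%s: path/version mismatch, want %s@%s", modPath, version, want, version)
	}
	return err
}

func main() {
	fmt.Println(CheckRequirement("github.com/sigstore/timestamp-authority", "v2.0.3"))
	fmt.Println(CheckRequirement("github.com/sigstore/timestamp-authority/v2", "v2.0.3"))
}
```

The first call reports the mismatch from the build log; the second, with the `/v2` path, returns nil.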
@OddBloke OddBloke self-assigned this Dec 11, 2025
@OddBloke OddBloke force-pushed the cve-gh-2.83.1-r2-c1efa1a4c43a745cd462d346a286e7d5 branch from ac150d4 to 1c6776b Compare December 11, 2025 21:02
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. approver-bot/manual-review-needed manual/review-needed staging-approver-bot/manual-review-needed labels Dec 11, 2025
@OddBloke OddBloke requested a review from a team December 11, 2025 23:04
@OddBloke OddBloke enabled auto-merge December 11, 2025 23:05
@OddBloke OddBloke merged commit 2c52bc2 into main Dec 12, 2025
21 of 23 checks passed
@OddBloke OddBloke deleted the cve-gh-2.83.1-r2-c1efa1a4c43a745cd462d346a286e7d5 branch December 12, 2025 03:16