fix(deps): update vulnerable Go modules #39

Merged: adityathebe merged 1 commit into main from fix/dependabot-security-updates on Jul 5, 2026
@adityathebe

Dependabot reported high, critical, and medium alerts in the root and test Go modules.

Update vulnerable dependencies to patched releases, including OpenTelemetry, golang.org/x modules, go-jose, mapstructure, spdystream, grpc, and Flanksource test dependencies. The PostgREST installer no longer depends on the removed commons/deps package, allowing commons and commons-db to move to versions that avoid the vulnerable pgx v4/pgproto3 v2 chain.

@adityathebe force-pushed the fix/dependabot-security-updates branch 2 times, most recently from 55df0e0 to b362d2b, July 5, 2026 06:18
Dependabot reported high, critical, and medium alerts across the root and test Go modules. Update patched versions for OpenTelemetry, golang.org/x packages, go-jose, mapstructure, spdystream, grpc, and Flanksource test dependencies so the module graph no longer selects vulnerable releases. Use the standalone github.com/flanksource/deps module for PostgREST installation and align Docker/release builds with Go 1.26.1.
@adityathebe force-pushed the fix/dependabot-security-updates branch from b362d2b to 1d2c7c7, July 5, 2026 06:21
@adityathebe merged commit 004d012 into main, Jul 5, 2026
16 checks passed
@adityathebe deleted the fix/dependabot-security-updates branch, July 5, 2026 08:10