Upgrade go-getter dependency in cosmovisor and x/upgrade #20525

Closed
julienrbrt opened this issue Jun 3, 2024 · 0 comments · Fixed by #20573
Labels: C:Cosmovisor (Issues and PR related to Cosmovisor), dependencies (Pull requests that update a dependency file)

@julienrbrt (Member) wrote:
Cosmovisor v1.5.0 currently uses x/upgrade v0.0.0-20230614103911-b3da8bb4e801.
We need to bump go-getter in x/upgrade of release/v0.50.x and make cosmovisor use that version.

This is because the go-getter version cosmovisor (up to 1.5.0) currently uses is lower than 1.7.4, which is vulnerable to this: GHSA-q64h-39hv-4cf7.

This makes it vulnerable to malicious upgrade proposals with git URLs (which would hardly pass, let alone ever get executed, but we should still fix it).

ref: #20067
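The fix the issue asks for is a dependency bump, so the check a maintainer wants is "does this module's go.mod still select a go-getter release below v1.7.4?". The following is an added example, not code from cosmos-sdk or cosmovisor: a small stdlib-only audit that reads a go.mod, resolves the selected version of `github.com/hashicorp/go-getter` (the require entry, overridden by any versioned replace directive), and compares it against the v1.7.4 threshold named above. The go.mod text is constructed for the example, and its go-getter version (v1.7.3) is an assumed pre-fix value, not a version taken from the repository. Go pseudo-versions such as the x/upgrade one quoted in the issue are handled as pre-releases, so `v1.7.4-0.2024...-abc` still counts as below v1.7.4.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// goGetterModule is the module path of HashiCorp go-getter.
const goGetterModule = "github.com/hashicorp/go-getter"

// fixedGoGetter is the first release the issue names as not affected (1.7.4).
var fixedGoGetter = semver{major: 1, minor: 7, patch: 4}

// sampleGoMod is a constructed go.mod excerpt; the go-getter version in it is
// an assumed pre-fix value chosen for the example, not one from the repository.
const sampleGoMod = `module example.invalid/x/upgrade

go 1.21

require (
	github.com/hashicorp/go-getter v1.7.3 // assumed, constructed for the example
	github.com/spf13/cobra v1.8.0
)
`

// semver is a minimal MAJOR.MINOR.PATCH with a pre-release flag; Go
// pseudo-versions ("v1.7.4-0.20240101000000-abc") carry a "-" suffix and so
// sort before the plain release they are derived from.
type semver struct {
	major, minor, patch int
	pre                 bool
}

func parseSemver(v string) (semver, error) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		s.pre = v[i] == '-' // "-" introduces a pre-release; "+" is build metadata
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return s, fmt.Errorf("version component %q: %w", p, err)
		}
		nums[i] = n
	}
	s.major, s.minor, s.patch = nums[0], nums[1], nums[2]
	return s, nil
}

// less reports whether a sorts before b under semver ordering.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// requiredVersion returns the version of module that goMod selects: the require
// entry, overridden by a replace directive that points at a versioned module.
// It returns "" when the module is not required at all.
func requiredVersion(goMod, module string) (string, error) {
	var required, replaced string
	inRequire, inReplace := false, false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch {
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "replace" && len(f) == 2 && f[1] == "(":
			inReplace = true
		case f[0] == ")":
			inRequire, inReplace = false, false
		case f[0] == "require" && len(f) >= 3 && f[1] == module:
			required = f[2]
		case inRequire && len(f) >= 2 && f[0] == module:
			required = f[1]
		case f[0] == "replace" || inReplace:
			if f[0] == "replace" {
				f = f[1:]
			}
			arrow := -1
			for i, t := range f {
				if t == "=>" {
					arrow = i
				}
			}
			if arrow < 1 || f[0] != module {
				continue
			}
			rhs := f[arrow+1:]
			if len(rhs) < 2 {
				return "", fmt.Errorf("%s is replaced by a local path; version not determinable from go.mod", module)
			}
			replaced = rhs[1]
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	if replaced != "" {
		return replaced, nil
	}
	return required, nil
}

// finding is the audit result for one go.mod.
type finding struct {
	Version    string // selected go-getter version, "" when it is not a dependency
	Vulnerable bool   // true when Version sorts before fixedGoGetter
}

func auditGoMod(goMod string) (finding, error) {
	v, err := requiredVersion(goMod, goGetterModule)
	if err != nil || v == "" {
		return finding{}, err
	}
	s, err := parseSemver(v)
	if err != nil {
		return finding{}, err
	}
	return finding{Version: v, Vulnerable: s.less(fixedGoGetter)}, nil
}

func main() {
	f, err := auditGoMod(sampleGoMod)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case f.Version == "":
		fmt.Println("go-getter is not a dependency")
	case f.Vulnerable:
		fmt.Printf("go-getter %s is below v1.7.4: bump it (GHSA-q64h-39hv-4cf7)\n", f.Version)
	default:
		fmt.Printf("go-getter %s is at or above v1.7.4\n", f.Version)
	}
}
```

To run it against a real module, replace `sampleGoMod` with the contents of its go.mod (`os.ReadFile`). The parser deliberately stays simple: a replace that points at a local directory is reported as an error rather than guessed, because the version then lives outside go.mod. For the authoritative answer on a real tree, `go list -m all` and `govulncheck` resolve the full module graph rather than one file.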

@julienrbrt julienrbrt added dependencies Pull requests that update a dependency file C:Cosmovisor Issues and PR related to Cosmovisor labels Jun 3, 2024
@julienrbrt julienrbrt self-assigned this Jun 3, 2024
@github-project-automation github-project-automation bot moved this to 📋 Backlog in Cosmos-SDK Jun 3, 2024
@github-project-automation github-project-automation bot moved this from 📋 Backlog to 🥳 Done in Cosmos-SDK Jun 6, 2024
@tac0turtle tac0turtle removed this from Cosmos-SDK Jul 1, 2024