
fix: remediate plural-cli deps behind console image vulnerabilities#767

Open
plural-copilot[bot] wants to merge 1 commit into main from agent/remediate-console-image-vulns-1761250894000
Conversation

@plural-copilot (Contributor):

Summary

This remediates vulnerabilities surfaced in ghcr.io/pluralsh/console:sha-ed9877f.

The console image is affected because it embeds the plural binary built from this repository (pluralsh/plural-cli), so the actionable fix belongs here rather than in pluralsh/console.

Dependency updates

  • golang.org/x/crypto: v0.50.0 -> v0.52.0
  • golang.org/x/net: v0.53.0 -> v0.55.0
  • golang.org/x/sys: v0.43.0 -> v0.45.0
  • github.com/containerd/containerd: v1.7.32 -> v1.7.33

Additional compatible transitive refreshes from go mod tidy:

  • golang.org/x/term: v0.42.0 -> v0.43.0
  • golang.org/x/text: v0.36.0 -> v0.37.0

Validation

Because Go is not installed on the host, validation was run with Dockerized Go 1.26.4:

  • go mod verify
  • go build -buildvcs=false ./cmd/plural

I also attempted broader go test coverage, but the larger package sets were too heavy/long-running for this execution environment; CI should provide the full matrix.

Traceability

Workbench job: https://console.plrldemo.onplural.sh/workbenches/dfccef7a-16c5-4125-9538-42f05d751b3e/jobs/f241f436-6869-4faa-9293-42bf973ab304
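As an added example that is not part of this PR or of plural-cli's own code: a POSIX shell check that a go.mod pins at least the versions listed under "Dependency updates" above, plus the PR's Dockerized validation steps wrapped in a function. The sample go.mod is constructed, and a working docker with a golang:1.26.4 image tag is an assumption.

```shell
#!/bin/sh
# Added example (not the PR's or plural-cli's code): verify go.mod is at or above the
# versions this PR targets, and wrap the PR's Dockerized validation. Assumes a go.mod
# path argument and, for the build step, a working docker and a golang:1.26.4 image tag.
TARGETS='golang.org/x/crypto v0.52.0
golang.org/x/net v0.55.0
golang.org/x/sys v0.45.0
github.com/containerd/containerd v1.7.33
golang.org/x/term v0.43.0
golang.org/x/text v0.37.0'   # target versions from the PR's "Dependency updates" list
# version_ge A B: true when semver A >= B (numeric field-by-field compare, "v" prefix ignored).
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = na > nb ? na : nb
    for (i = 1; i <= n; i++) { if (x[i]+0 > y[i]+0) exit 0; if (x[i]+0 < y[i]+0) exit 1 }
    exit 0 }'
}
# pinned_version GOMOD MODULE: the version go.mod requires for MODULE (block or one-line form).
pinned_version() {
  awk -v m="$2" '$1 == m { print $2; exit } $1 == "require" && $2 == m { print $3; exit }' "$1"
}
# check_gomod GOMOD: one line per target module; non-zero if any is missing or behind target.
check_gomod() {
  rc=0
  while read -r mod want; do
    have=$(pinned_version "$1" "$mod")
    if [ -z "$have" ]; then echo "$mod MISSING (want $want)"; rc=1
    elif version_ge "$have" "$want"; then echo "$mod $have ok"
    else echo "$mod $have OLD (want $want)"; rc=1; fi
  done <<EOF
$TARGETS
EOF
  return $rc
}
# validate_in_docker DIR: the PR's validation steps without a host Go toolchain (docker assumed).
validate_in_docker() {
  docker run --rm -v "$1:/src" -w /src golang:1.26.4 \
    sh -c 'go mod verify && go build -buildvcs=false ./cmd/plural'
}
# write_sample_gomod FILE: constructed sample (not plural-cli's real go.mod); x/net left stale.
write_sample_gomod() {
  printf '%s\n' 'module github.com/pluralsh/plural-cli' '' 'go 1.26' '' 'require (' \
    '    github.com/containerd/containerd v1.7.33' '    golang.org/x/crypto v0.52.0' \
    '    golang.org/x/net v0.53.0' '    golang.org/x/sys v0.45.0' \
    '    golang.org/x/term v0.43.0 // indirect' '    golang.org/x/text v0.37.0 // indirect' ')' > "$1"
}
sample=$(mktemp); write_sample_gomod "$sample"
check_gomod "$sample" || echo "go.mod is behind the PR targets; fix before building"
rm -f "$sample"
```

Run `check_gomod go.mod` against the real repository checkout before `validate_in_docker .`; the stale x/net line in the sample shows what a failed check reports.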

@plural-copilot (Contributor, Author) left a comment:

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the AI's performance:

💬 Prompt: Create a remediation PR in pluralsh/plural-cli for console-image vulnerabilities....
🔗 Run history: View run history

@socket-security:

Review the following changes in direct dependencies.

Diff     Package                                Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  golang.org/x/crypto@v0.50.0 ⏵ v0.52.0  74 (+1)                100            100      100          100
Updated  golang.org/x/text@v0.36.0 ⏵ v0.37.0    77                     100            100      100          100
Updated  golang.org/x/term@v0.42.0 ⏵ v0.43.0    100                    100            100      100          100
