
fix: remediate ORAS dependency vulnerability #772

Open

plural-copilot[bot] wants to merge 1 commit into main from agent/remediate-oras-1783008280589

Conversation


plural-copilot (bot) commented Jul 2, 2026


Summary

  • bump oras.land/oras-go/v2 from v2.6.0 to v2.6.1 in the plural CLI module metadata
  • keep the fix minimal by pinning the existing indirect dependency instead of bumping Helm or helm-push
  • verify with Dockerized Go 1.26.4 that module resolution now selects ORAS v2.6.1 for this build

Why this fixes the vulnerability

The embedded plural CLI in this repository is the source of the console image Go vulnerability finding. The build graph previously selected oras.land/oras-go/v2 v2.6.0 through Helm-related dependencies. Pinning the existing indirect requirement to v2.6.1 makes Go module resolution select the fixed ORAS release for the shipped CLI binary while avoiding broader dependency churn.

Validation

  • inspected go module graph and dependency parents
  • confirmed selected ORAS version resolves to v2.6.1 with Dockerized Go 1.26.4
  • attempted targeted go test ./pkg/pr/... in Dockerized Go 1.26.4, but the dependency-heavy run did not complete within the session budget

Plural Service: mgmt/console
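The module-resolution argument in the PR description, as an added example that is not code from this PR or the repository: a small minimal-version-selection (MVS) walk over a constructed dependency graph, in which `example.org/helm-like` is a placeholder for the Helm-related path that pulled in v2.6.0, showing why bumping the main module's own `// indirect` requirement from v2.6.0 to v2.6.1 changes the selected ORAS version.

```go
package main

import (
	"strconv"
	"strings"
)

// Requirement is one "path version" line from a module's go.mod require block.
type Requirement struct{ Path, Version string }
// Graph maps "path@version" to the requirements listed in that version's go.mod.
type Graph map[string][]Requirement
func atoi(s string) int { n, _ := strconv.Atoi(s); return n }
// semverLess reports whether a < b by major.minor.patch ("v2.6.0" < "v2.6.1").
func semverLess(a, b string) bool {
	pa, pb := strings.Split(strings.TrimPrefix(a, "v"), "."), strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if x, y := atoi(pa[i]), atoi(pb[i]); x != y {
			return x < y
		}
	}
	return false
}

// SelectVersions implements MVS: visit every module version reachable from the main module; highest version per path wins.
func SelectVersions(g Graph, mainReqs []Requirement) map[string]string {
	visited, selected := map[string]bool{}, map[string]string{}
	queue := append([]Requirement{}, mainReqs...)
	for len(queue) > 0 {
		r := queue[0]
		queue = queue[1:]
		key := r.Path + "@" + r.Version
		if visited[key] {
			continue
		}
		visited[key] = true
		if cur, ok := selected[r.Path]; !ok || semverLess(cur, r.Version) {
			selected[r.Path] = r.Version
		}
		queue = append(queue, g[key]...) // walk this version's own requirements
	}
	return selected
}
// constructedGraph is a stand-in build graph: a placeholder Helm-like module (not real Helm metadata) requires the vulnerable release.
var constructedGraph = Graph{"example.org/helm-like@v1.0.0": {{"oras.land/oras-go/v2", "v2.6.0"}}}
// SelectedORAS returns the ORAS version MVS picks when the main module's `// indirect` requirement is pinned at the given version.
func SelectedORAS(pinned string) string {
	reqs := []Requirement{{"example.org/helm-like", "v1.0.0"}, {"oras.land/oras-go/v2", pinned}}
	return SelectVersions(constructedGraph, reqs)["oras.land/oras-go/v2"]
}
```

Against the real module the same question is answered by `go list -m oras.land/oras-go/v2` and `go mod graph`, which is the check the Validation section reports.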

plural-copilot (bot) left a comment


This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the AI's performance:

Prompt: Create a remediation PR in this repository for the actionable ORAS dependency vulnerabilities associated with the ghcr.io/pluralsh/console:sha-e68fbb2 image, which per mapping guidance actually come from the embedded CLI in this repo....
Run history: View run history
