mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-04 11:30:58 +08:00
fix(deps): resolve 3 critical Dependabot advisories
- go: bump github.com/jackc/pgx/v5 v5.6.0 -> v5.9.0 (CVE-2026-33815 / CVE-2026-33816, memory-safety in the Postgres driver). govulncheck reports 0 affecting vulnerabilities after the bump.
- ci: pin aquasecurity/trivy-action to commit SHA ed142fd (v0.36.0) instead of the mutable @0.28.0 tag (GHSA-69fq-xp46-6x23, brief upstream supply-chain compromise). Dependabot now updates the SHA.
- web: bump vitest ^4.0.16 -> ^4.1.0 (lockfile now 4.1.8) for GHSA-5xrq-8626-4rwp (Vitest UI server arbitrary file read/exec; dev-only).
.github/workflows/pr-checks.yml (11 changes, vendored)
@@ -273,12 +273,11 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
# SECURITY: never use @master — upstream compromise = CI compromise.
# TODO: pin to a full 40-char SHA from
# https://github.com/aquasecurity/trivy-action/releases and configure Dependabot
# to keep it current. A version tag is still mutable but is a major upgrade
# over @master.
uses: aquasecurity/trivy-action@0.28.0
# SECURITY: pinned to a full 40-char commit SHA (v0.36.0) — a mutable
# version tag could be re-pointed by an upstream compromise (GHSA-69fq-xp46-6x23:
# trivy-action's published artifacts were briefly poisoned). The trailing
# comment records the human-readable version; Dependabot updates the SHA.
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: 'fs'
scan-ref: '.'
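Review bot: the new comment states that "Dependabot updates the SHA", but this diff only touches pr-checks.yml, so nothing here shows that Dependabot is configured for the github-actions ecosystem; please confirm that configuration exists (or add it in this change), otherwise the pin will silently go stale. Two smaller points on the same hunk: the trailing `# v0.36.0` comment is the only link between the 40-character SHA and the release, so it is worth recording in the commit message how the SHA was checked against the v0.36.0 tag (the removed TODO pointed at the releases page for exactly this); and since the bump jumps from 0.28.0 to 0.36.0, confirm that the `with:` inputs still accepted by the action match what this step passes, as only `scan-type` and `scan-ref` are visible in this hunk.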