Commit
Bump dependencies & docker base images (#434)
During a recent CVE scan we found envoyproxy to use `alpine:3.18` as the final image:

```
grype envoyproxy/ratelimit:59565c87
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [57 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 3 high, 1 medium, 0 low, 0 negligible
   └── 2 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

Since docker image tags are derived from the git commit sha, triggering a rebuild of the image as is (which implicitly would use alpine:3.18.2 and golang:1.20.5) would result in the image getting replaced with the same commit sha. Instead, we're explicitly setting the version numbers to ensure any version update is tied to a commit.

Signed-off-by: Jonas-Taha El Sesiy <[email protected]>
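A check in the spirit of the fix described above, added here as an example that is not part of the ratelimit repository or of this commit: a POSIX shell lint that flags Dockerfile base images whose tags float (as `alpine:3.18` and `golang:1.20` did) and accepts patch-level tags or `@sha256` digests, so that a base-image change always shows up as a Dockerfile change tied to a commit. The Dockerfile contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the envoyproxy/ratelimit repository: flag base
# images in a Dockerfile whose tag floats (no tag, :latest, or major.minor only,
# as alpine:3.18 did), so a rebuild cannot silently change the base under the
# same commit-derived image tag. Pinned means a patch-level tag (alpine:3.18.2,
# golang:1.20.5) or a @sha256 digest.

# is_pinned_ref IMAGE_REF: returns 0 if the reference is pinned, 1 if it floats.
is_pinned_ref() {
    ref="$1"
    case "$ref" in *@sha256:*) return 0 ;; esac     # digest pin is always exact
    tag="${ref##*:}"                                 # text after the last ':'
    case "$tag" in
        "$ref"|*/*) return 1 ;;                      # no tag at all (implicit :latest)
        latest)     return 1 ;;
        [0-9]*.[0-9]*.[0-9]*) return 0 ;;            # has a patch component, e.g. 3.18.2
        *)          return 1 ;;                      # 3.18, 1.20, edge, ...
    esac
}

# check_dockerfile FILE: prints every floating FROM image; returns 1 if any.
check_dockerfile() {
    file="$1"; rc=0; stages=""
    while IFS= read -r line; do
        case "$line" in FROM\ *|from\ *) ;; *) continue ;; esac
        set -- $line; shift                          # FROM [--platform=..] image [AS name]
        while [ $# -gt 0 ]; do
            case "$1" in --*) shift ;; *) break ;; esac
        done
        image="$1"
        case "$2" in [Aa][Ss]) stages="$stages $3" ;; esac
        case " $stages " in *" $image "*) continue ;; esac   # refers to an earlier stage
        [ "$image" = scratch ] && continue            # nothing to pin
        if ! is_pinned_ref "$image"; then
            echo "floating base image: $image"; rc=1
        fi
    done < "$file"
    return "$rc"
}

# Demo on a constructed Dockerfile that mirrors the floating tags in the commit.
demo=$(mktemp)
printf 'FROM golang:1.20 AS build\nFROM alpine:3.18\nCOPY --from=build /app /app\n' > "$demo"
check_dockerfile "$demo" || echo "pin these tags before rebuilding"
rm -f "$demo"
```

Run it as a pre-commit or CI step over every Dockerfile; a non-zero exit blocks the build until the tag is pinned.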