deps: upgrade to Go 1.22.5 to fix vulnerabilities #90
That vulnerability does not affect this application. I run weekly govulnchecks that avoid false negatives and wasted time and effort. https://github.com/itzg/mc-monitor/actions/runs/9824443576/job/27218087754#step:2:150 And I just now re-ran it to be sure.
Renovate automatically builds a new Docker image for me when a dependency has a new release that is intended to solve a CVE.
How does Renovate know that mc-monitor, etc. is a dependency of your image? Looking at the docs it seems to only do what Dependabot does, which is look at base image semantic versions. Meanwhile, I'm quite frustrated with the mismatch in philosophy of docker scout and govulncheck. I guess running govulncheck is pointless if docker scout is going to flag false negatives anyway.
Sorry for taking my frustration out on you. I'll merge this PR and cut a release, but I'm still not happy about the govulncheck vs docker scout thing.
https://git.strausmann.de/minecraft/bedrock-connect/-/blob/main/renovate.json?ref_type=heads I made this possible with the config. I have focused on the configuration of Home Assistant add-ons. In my test last week it had worked. Tonight I will see if it is detected correctly.
I can understand that this different test produces unnecessary work.
Thanks! That's exactly the customization I was hoping you were using.
HIGH: https://pkg.go.dev/vuln/GO-2024-2963