
Update vulnerable dependencies#86

Merged
tamalsaha merged 1 commit into master from fix-dependabot-vulns on Jun 21, 2026

Conversation

@tamalsaha

Contributor

Resolves open Dependabot security alerts by bumping dependencies to (or past) their first patched versions:

| Package | To | Severity |
|---|---|---|
| github.com/gohugoio/hugo | v0.162.0 | medium |
| github.com/moby/spdystream | v0.5.1 | high |
| go.opentelemetry.io/otel | v1.43.0 (>= v1.41.0) | high |
| golang.org/x/image | v0.41.0 (>= v0.38.0) | medium |
| google.golang.org/grpc | v1.80.0 (>= v1.79.3) | critical |

Bumping hugo to v0.162.0 pulls otel, x/image and grpc up to versions that already include the security fixes. `go mod tidy && go mod vendor` have been run; `go build ./...` passes.

Fixes Dependabot security alerts:
- github.com/gohugoio/hugo v0.160.1 => v0.162.0
- github.com/moby/spdystream v0.5.0 => v0.5.1 (high)
- golang.org/x/image => v0.41.0 (>= v0.38.0, CVE patched)
- go.opentelemetry.io/otel => v1.43.0 (>= v1.41.0, high)
- google.golang.org/grpc => v1.80.0 (>= v1.79.3, critical)

Signed-off-by: Tamal Saha <tamal@appscode.com>
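As an added example (not code from this PR or the project), the following Go program reads `go list -m all` style output and reports any module still below the first patched version listed in the table above; the minimum-version table and the sample listing are constructed from the figures in this PR, and the `+incompatible` and pre-release handling is an assumption about what such a check should cover.

```go
package main

import (
	"fmt"
	"strings"
)

// minPatched maps each module named in the PR to its first patched version.
var minPatched = map[string]string{
	"github.com/moby/spdystream": "v0.5.1",
	"go.opentelemetry.io/otel":   "v1.41.0",
	"golang.org/x/image":         "v0.38.0",
	"google.golang.org/grpc":     "v1.79.3",
}

// key maps "v1.79.3" to a zero-padded string that sorts numerically; pre flags a "-rc1" or pseudo-version suffix.
func key(v string) (k string, pre bool, err error) {
	var n [3]int
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata such as "+incompatible"
	v, _, pre = strings.Cut(v, "-")
	if _, err = fmt.Sscanf(v, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return "", pre, fmt.Errorf("malformed version %q: %w", v, err)
	}
	return fmt.Sprintf("%08d.%08d.%08d", n[0], n[1], n[2]), pre, nil
}

// Unpatched scans "module version" lines (the shape of `go list -m all`) and returns table modules still below their first patched version.
func Unpatched(listing string) ([]string, error) {
	var stale []string
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || minPatched[f[0]] == "" {
			continue // blank line, main module, or a module not in the table
		}
		have, pre, err := key(f[1])
		if err != nil {
			return nil, err
		}
		want, _, _ := key(minPatched[f[0]]) // table values are well-formed
		if have < want || (pre && have == want) { // a pre-release of the patched version still precedes it
			stale = append(stale, f[0]+" "+f[1]+" < "+minPatched[f[0]])
		}
	}
	return stale, nil
}

func main() {
	// Constructed listing in the shape of `go list -m all` before the bump.
	fmt.Println(Unpatched("github.com/moby/spdystream v0.5.0\ngoogle.golang.org/grpc v1.79.2\ngo.opentelemetry.io/otel v1.43.0"))
}
```

Pipe real output through it with `go list -m all` to confirm that the bumps in the table actually landed in the resolved module graph, not only in go.mod.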
@tamalsaha tamalsaha merged commit ab81c38 into master Jun 21, 2026
4 checks passed
@tamalsaha tamalsaha deleted the fix-dependabot-vulns branch June 21, 2026 09:56
