go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift (#14581) (#14631) (#14647)

* go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift

`github.com/apache/thrift` is required for the snowflake plugin. I've
updated that upstream[0] so this change is only necessary to get past
the scanner until a new version of the snowflake plugin is released and
we've updated our pin.

Using v0.23.0 was actually not possible since there's an overflow on 32-bit
architectures. Instead, we use the first commit since the release that fixes
that issue.[1]

[0]:https://github.com/hashicorp/vault-plugin-database-snowflake/pull/181
[1]:https://github.com/apache/thrift/pull/3428

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Vault Automation 2026-05-07 17:12:25 -06:00 committed by GitHub
parent 18a1e1933b
commit 5c6da69285
GPG Key ID: B5690EEEBB952194
3 changed files with 8 additions and 3 deletions

3
changelog/_14581.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
```
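
Review bot: the release note is filed under `core:` and names only the advisory, not what the dependency moved to. The commit message says thrift is pulled in for the snowflake plugin and go.mod pins an untagged pseudo-version rather than a release, so consider stating the version change (v0.22.0 to v0.23.1-0.20260429145742-d2acd3c49e58) in the entry so that readers matching scanner output against the release notes can tell what actually shipped.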

4
go.mod

@ -244,7 +244,9 @@ require (
require (
github.com/andybalholm/brotli v1.2.0 // indirect
github.com/apache/thrift v0.22.0 // indirect
// We're currently pulling v0.23.0 + a 32 bit fix: https://github.com/apache/thrift/commit/d2acd3c49e5832cb0179f72b111c4ad5bd89c4c5
// until a new version is release.
github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
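
Review bot: the comment above the new `github.com/apache/thrift` pin reads "until a new version is release" (should be "released") and gives no removal condition someone can act on. The pseudo-version suffix `d2acd3c49e58` does match the linked commit, which makes the pin auditable; consider also referencing the upstream 32-bit fix PR and the snowflake plugin update named in the commit message, and stating that this line should return to a tagged release once one containing that commit exists, so the untagged pin does not outlive its purpose.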

4
go.sum

@ -186,8 +186,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 h1:rDLE+tSW60VzRD7v5I+DU22Mjhmm+mfLc5Xl5dHkx6w=
github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs=
github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2 h1:VoHKYIXEQU5LWoambPBOvYxyLqZYHuj+rj5DVnMUc3k=