From 5c6da692858c5e82af5dcbbd54c684c178c3e18a Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 7 May 2026 17:12:25 -0600
Subject: [PATCH] go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift (#14581) (#14631) (#14647)

* go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift
`github.com/apache/thrift` is required for the snowflake plugin. I've updated that upstream[0] so this change is only necessary to get past the scanner until a new version of the snowflake plugin is released and we've updated our pin. Using v0.23.0 was actually not possible since there's an overflow on 32 bit architectures. Instead, we use the first commit since the release that fixes that issue.[1]
[0]:https://github.com/hashicorp/vault-plugin-database-snowflake/pull/181
[1]:https://github.com/apache/thrift/pull/3428
Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 changelog/_14581.txt | 3 +++
 go.mod | 4 +++-
 go.sum | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelog/_14581.txt
diff --git a/changelog/_14581.txt b/changelog/_14581.txt
new file mode 100644
index 0000000000..f0a5c600ed
--- /dev/null
+++ b/changelog/_14581.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+```
diff --git a/go.mod b/go.mod
index 81d4ba3d39..14ac98f420 100644
--- a/go.mod
+++ b/go.mod
@@ -244,7 +244,9 @@ require (
 
 require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
-	github.com/apache/thrift v0.22.0 // indirect
+	// We're currently pulling v0.23.0 + a 32 bit fix: https://github.com/apache/thrift/commit/d2acd3c49e5832cb0179f72b111c4ad5bd89c4c5
+	// until a new version is release.
+	github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
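Review bot: The new comment above the thrift requirement in the go.mod hunk has a typo and does not record when the pin can be dropped; `// until a new version is release.` should read `// until a new version is released.`, and the removal condition that only lives in the commit message belongs in the file next to the pin. Suggest replacing the two comment lines with `// Temporary pin: v0.23.0 plus the 32-bit overflow fix (apache/thrift#3428, commit d2acd3c49e58).` and `// Drop once vault-plugin-database-snowflake (PR #181) ships against a thrift release containing it.` The pseudo-version itself looks fine: it resolves GHSA-wf45-q9ch-q8gh and the matching h1 lines in the go.sum hunk keep the pinned content verifiable. Keeping the `// indirect` marker is presumably correct since, per the commit message, the only importer is the snowflake plugin; the surrounding require block continues outside the hunk.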
diff --git a/go.sum b/go.sum
index c67f4807b4..3fbb380a8a 100644
--- a/go.sum
+++ b/go.sum
@@ -186,8 +186,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
 github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
-github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
-github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 h1:rDLE+tSW60VzRD7v5I+DU22Mjhmm+mfLc5Xl5dHkx6w=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2 h1:VoHKYIXEQU5LWoambPBOvYxyLqZYHuj+rj5DVnMUc3k=