mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
## Summary

- Bumps `github.com/jackc/pgx/v5` from v5.5.4 to v5.9.2 in `third_party/goval-dictionary/` to resolve critical code scanning alert CVE-2026-33816.

**Severity:** Critical (per Trivy/CVE scoring)

**Impact:** Low — the vulnerable package (`pgx/v5`) is a PostgreSQL driver, but Fleet only uses goval-dictionary with SQLite. The Postgres code path is never executed.

**Fix:** Bump `pgx/v5` from v5.5.4 to v5.9.2 in `third_party/goval-dictionary/go.mod`. No code changes needed.

Closes #44699

## Test plan

- [ ] CI passes — only `go.mod` and `go.sum` changed
- [ ] Verify Trivy scan no longer flags CVE-2026-33816

## Summary by CodeRabbit

* **Chores**
  * Updated third-party package dependencies to latest versions for improved compatibility and stability.
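The second test-plan item relies on a scanner run. As an added example (not Fleet's code and not part of this PR), the POSIX shell check below makes the same property testable in CI without a scanner: it reads a vendored `go.mod`, extracts the version pinned for a module, and asserts it is at or above a minimum. The two sample `go.mod` files are constructed stand-ins for the before and after state of `third_party/goval-dictionary/go.mod`; their module path and the cobra line are placeholders, not taken from the repository.

```shell
#!/bin/sh
# Added example, not Fleet's code: assert that a vendored go.mod pins a module
# at or above a minimum version, so a bump like pgx/v5 -> v5.9.2 can be
# guarded in CI independently of a scanner run.

# module_version FILE MODULE: print the version FILE pins for MODULE.
# Handles both a `require ( ... )` block and a single-line `require`.
module_version() {
  awk -v mod="$2" '
    $1 == mod && $2 ~ /^v[0-9]/ { print $2; exit }
    $1 == "require" && $2 == mod && $3 ~ /^v[0-9]/ { print $3; exit }
  ' "$1"
}

# version_ge A B: exit 0 if semver A >= B. Pre-release and build suffixes
# are ignored, so v6.0.0-rc1 compares as 6.0.0; missing components count as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/[-+].*/, "", a); n = split(a, x, ".")
    sub(/^v/, "", b); sub(/[-+].*/, "", b); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_pinned FILE MODULE MIN: 0 if FILE pins MODULE >= MIN, 1 if the pin
# is older, 2 if MODULE is not required at all (treated as a finding too,
# since "not present" is not the same as "fixed").
check_pinned() {
  v=$(module_version "$1" "$2")
  if [ -z "$v" ]; then
    echo "MISSING: $2 not required in $1" >&2
    return 2
  fi
  if version_ge "$v" "$3"; then
    echo "ok: $2 $v >= $3 ($1)"
  else
    echo "FAIL: $2 $v < $3 ($1)" >&2
    return 1
  fi
}

# Constructed sample go.mod files standing in for the vendored module before
# and after the bump. Module path and the cobra line are placeholders.
tmp=$(mktemp -d)
cat > "$tmp/before.go.mod" <<'EOF'
module example.invalid/goval-dictionary

go 1.21

require (
	github.com/jackc/pgx/v5 v5.5.4
	github.com/spf13/cobra v1.8.0
)
EOF
cat > "$tmp/after.go.mod" <<'EOF'
module example.invalid/goval-dictionary

go 1.21

require (
	github.com/jackc/pgx/v5 v5.9.2
	github.com/spf13/cobra v1.8.0
)
EOF

# Usage: the "before" file fails the gate, the "after" file passes it.
for f in before after; do
  check_pinned "$tmp/$f.go.mod" github.com/jackc/pgx/v5 v5.9.2 || :
done
```

Pointing `check_pinned` at the real `third_party/goval-dictionary/go.mod` with the minimum version from the advisory turns the bump into a regression test; a scanner re-run then confirms rather than discovers the result.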
Contents of `third_party/`:

- `goval-dictionary/`
- `vuln-check/`
- `README.md`
This directory is for vendored third-party libraries. See: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/adr/0004-third-party-vendoring.md