Skip to content

chore(deps): bump github.com/sigstore/cosign/v2 to github.com/sigstore/cosign/[email protected] #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DmitriyLewen wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump github.com/sigstore/cosign/v2 to github.com/sigstore/cosign/[email protected] #112

DmitriyLewen wants to merge 1 commit into from

Conversation

@DmitriyLewen
Copy link

@DmitriyLewen DmitriyLewen commented Dec 11, 2025
edited
Loading

Description

This PR bumps github.com/sigstore/cosign/v2 to actual github.com/sigstore/cosign/v3 (v3.0.3).

Cosign didn’t mention any critical or breaking changes, so upgrading shouldn’t cause any problems.

Fix vulnerabilities

github.com/sigstore/cosign/v2 uses vulnerable (CVE-2025-66564) github.com/sigstore/timestamp-authority.
https://github.com/openvex/discovery is also affected:

➜ git:(main) ✗ govulncheck -format openvex ./... | jq '.statements[] | select(.vulnerability.name == "GO-2025-4192")'
{
  "vulnerability": {
    "@id": "https://pkg.go.dev/vuln/GO-2025-4192",
    "name": "GO-2025-4192",
    "description": "Sigstore Timestamp Authority allocates excessive memory during request parsing in github.com/sigstore/timestamp-authority",
    "aliases": [
      "CVE-2025-66564",
      "GHSA-4qg8-fj49-pxjh"
    ]
  },
  "products": [
    {
      "@id": "Unknown Product",
      "subcomponents": [
        {
          "@id": "pkg:golang/github.com%2Fsigstore%[email protected]"
        }
      ]
    }
  ],
  "status": "affected"
}

But in github.com/sigstore/cosign/[email protected] sigstore bumped version of github.com/sigstore/timestamp-authority (to github.com/sigstore/timestamp-authority/[email protected]) - sigstore/cosign#4532

@DmitriyLewen DmitriyLewen force-pushed the chore/deps/bump-cosign-to-v3 branch from 6829cb8 to aaef530 Compare December 11, 2025 11:10
@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 11, 2025 11:12
@knqyf263 knqyf263 mentioned this pull request Jan 7, 2026
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DmitriyLewen