#general

chilly-arm-27023

01/08/2024, 11:45 PM
Hello! Just wondering if there's an ETA on new `pulumi-aws` and `pulumi-std` releases that bump Go dependencies that have CVEs? We are required to address the CVEs within a timeframe so an estimate would be much appreciated! I can see that an MR has been merged to main for `pulumi-aws` https://github.com/pulumi/pulumi-aws/pull/3223 but there is still one open for `pulumi-std`: https://github.com/pulumi/pulumi-std/pull/39

echoing-dinner-19531

01/09/2024, 12:19 AM
Shortly I'd hope, looks like it just needs some workflows updating to use a more recent Go version

chilly-arm-27023

01/09/2024, 12:50 AM
Thank you so much, appreciate all the great work!

echoing-dinner-19531

01/09/2024, 1:30 AM

chilly-arm-27023

01/09/2024, 1:59 AM
Awesome! Any chance we could push this out too? https://github.com/pulumi/pulumi-aws/pull/3237

echoing-dinner-19531

01/09/2024, 6:49 PM
Release should happen today for that

chilly-arm-27023

01/10/2024, 3:38 AM
Thank you @echoing-dinner-19531! Just checking if these should have also been updated as well: pulumi/pulumi https://github.com/pulumi/pulumi/pull/15078 pulumi/pulumi-aws https://github.com/pulumi/pulumi-aws/blob/master/provider/go.mod#L194 https://github.com/pulumi/pulumi-aws/blob/main/provider/go.mod#L210

echoing-dinner-19531

01/10/2024, 4:46 AM
The pulumi PR is just for tests, so shouldn't really matter. The aws one should get updated but it shouldn't show up as a dependency in user programs.

chilly-arm-27023

01/10/2024, 4:55 AM
Ah I see - weirdly we're still seeing these dependencies in our security scan using the latest releases

echoing-dinner-19531

01/10/2024, 1:49 PM
yeh we'll need to ensure this is updated through all the binary packages as well. aws might take a bit because it will need a pulumi release first probably, but the others we can take a look at today.

chilly-arm-27023

01/10/2024, 10:24 PM
Thanks Fraser and the team 🙂
👋 Any updates on the aws release?

echoing-dinner-19531

01/11/2024, 10:30 PM

chilly-arm-27023

01/11/2024, 10:32 PM
I think 6.18.0 still contains the old dependencies

echoing-dinner-19531

01/12/2024, 2:09 AM
Yeh, sorry most of engineering has been at planning meetings this week so slow progress. I'll make sure this gets seen so it gets picked up though.

chilly-arm-27023

01/12/2024, 2:10 AM
No worries, thank you for the update!
Friendly bump on this 🙌

echoing-dinner-19531

01/15/2024, 11:05 PM
Weekend and Monday was MLK day so none of engineering has been in. This should get picked up in the CLI release this week and then aws should pick that up soon after.

chilly-arm-27023

01/16/2024, 12:14 AM
Ah I see! Thank you Fraser, enjoy your evening!

echoing-dinner-19531

01/16/2024, 12:09 PM
Updates for this to pulumi/pulumi have merged: https://github.com/pulumi/pulumi/pull/15151 So this will be in the release tomorrow. I'll check aws updates fully after that.

chilly-arm-27023

01/16/2024, 10:22 PM
Thanks again, much appreciated!
I see that there's a new release for pulumi/pulumi, are aws updates following soon?

echoing-dinner-19531

01/19/2024, 9:02 AM
Yeh they should be mostly on an automatic schedule afaik but I'll double check
It's planned to be out as soon as possible, just been some issues getting it out

chilly-arm-27023

01/21/2024, 10:43 PM
Updated the packages and no more CVEs 🙌 thank you for all your help Fraser!