https://pulumi.com logo
Join Slack
Powered by
Hello! Just wondering if there's an ETA on new `pu...
# general
c
Hello! Just wondering if there's an ETA on new 
pulumi-aws
and 
pulumi-std
releases that bump go dependencies that have CVEs? We are required to address the CVEs within a timeframe so an estimate would be much appreciated! I can see that a MR has been merged to main for 
pulumi-aws
https://github.com/pulumi/pulumi-aws/pull/3223 but there is still one open for `pulumi-std`: https://github.com/pulumi/pulumi-std/pull/39
e
Shortly I'd hope, looks like it just needs some workflows updating to use a more recent Go version
c
Thank you so much, appreciate all the great work!
e
c
Awesome! Any chance we could push this out too? https://github.com/pulumi/pulumi-aws/pull/3237
e
Release should happen today for that
c
Thank you @echoing-dinner-19531! Just checking if these should have also been updated as well: pulumi/pulumi https://github.com/pulumi/pulumi/pull/15078 pulumi/pulumi-aws https://github.com/pulumi/pulumi-aws/blob/master/provider/go.mod#L194 https://github.com/pulumi/pulumi-aws/blob/main/provider/go.mod#L210
e
The pulumi PR is just for tests, so shouldn't really matter. The aws one should get updated but it shouldn't show up as a dependency in user programs.
c
Ah I see - weirdly we're still seeing these dependencies in our security scan using the latest releases
e
yeh we'll need to ensure this is updated through all the binary packages as well. aws might take a bit because it will need a pulumi release first probably, but the others we can take a look at today.
c
Thanks Fraser and the team 🙂
👋 Any updates on the aws release?
e
c
I think 6.18.0 still contains the old dependecies
e
Yeh, sorry most of engineering has been at planning meetings this week so slow progress. I'll make sure this gets seen so it gets picked up though.
c
No worries, thank you for the update!
Friendly bump on this 🙌
e
Weekend and Monday was MLK day so none of engineering has been in. This should get picked up in the CLI release this week and then aws should pick that up soon after.
c
Ah I see! Thank you Fraser, enjoy your evening!
e
Updates for this to pulumi/pulumi have merged: https://github.com/pulumi/pulumi/pull/15151 So this will be in the release tomorrow. I'll check aws updates fully after that.
c
Thanks again, much appreciated!
I see that there's a new release for pulumi/pulumi, are aws updates following soon?
e
Yeh they should be mostly on an automatic schedule afaik but I'll double check
It's planned to be out as soon as possible, just been some issues getting it out
c
Updated the packages and no more CVEs 🙌 thank you for all your help Fraser!
7 Views
Open in Slack
PreviousNext
Powered by