Update a few dependencies
- Update github.com/hashicorp/vault/api
What we actually want to do is update gopkg.in/square/go-jose.v2 because it is subject to CVE-2024-28180. It is pulled in by github.com/hashicorp/vault/api though:
> go mod why gopkg.in/square/go-jose.v2
gitlab.com/gitlab-org/gitlab-runner/helpers/vault
github.com/hashicorp/vault/api
gopkg.in/square/go-jose.v2/jwt
gopkg.in/square/go-jose.v2
So to update go-josh we need to update hashicorp/vault.
Note that gopkg.in/square/go-jose.v2 is orphaned and has been replaced
with github.com/go-jose/go-jose/v3.
-
Update github.com/docker/docker
The previous version was subject to CVE-2024-24557. -
Update google.golang.org/protobuf
The previous version was subject to CVE-2024-24786.
Fixes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/37440+
Edited by Axel von Bertoldi