Summary
v4.6.0 (released 2026-02-14) is currently flagging 17 HIGH and 2 CRITICAL CVEs (trivy DB as of 2026-05-12). From what we can see, all of them already have fixes available upstream, so this looks like something an image rebuild could address rather than needing a source change.
How to reproduce
```shell
trivy image registry.k8s.io/git-sync/git-sync:v4.6.0 --severity HIGH,CRITICAL --ignore-unfixed
```

| Layer | HIGH | CRITICAL |
|---|---|---|
| debian trixie (13.3) base packages | 13 | 2 |
| git-sync Go binary (Go 1.25.7) | 4 | 0 |
The CRITICAL is CVE-2026-31789 in openssl/libssl3t64. The 4 Go stdlib CVEs (CVE-2026-25679, CVE-2026-32280/32281/32283) appear to be fixed in Go 1.25.9 / 1.26.2. The Debian CVEs all have fixes in the current trixie security suite.
Ask
We understand from RELEASING.md that releases are manual and on a flexible cadence — totally fair, this isn't a complaint. Would the maintainers be able to share a rough sense of when a v4.6.x rebuild (or v4.7) addressing these is likely? Even a "weeks vs months" hint would help us plan internally.
In the meantime we're rebuilding v4.6.0 locally against current Go and base packages so our downstream stays scanner-clean. If a small patch PR (e.g. a Go toolchain bump in Makefile) would help shorten the gap, happy to send one.
Thanks for maintaining git-sync.
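An added example (not part of the issue above, and not git-sync's or trivy's own code) that rebuilds the per-layer table from a `trivy image --format json` report and performs the check the report relies on: whether every remaining HIGH/CRITICAL finding actually has a `FixedVersion`, i.e. whether an image rebuild alone can clear it. It assumes the field names of trivy's JSON report (`Results`, `Target`, `Class`, `Type`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `FixedVersion`, `Severity`); the embedded report is constructed with placeholder CVE ids and versions, not real scan output.

```python
"""Rebuild the per-layer HIGH/CRITICAL table from a trivy JSON report.

Run the scan once with --format json, e.g.
  trivy image --format json -o report.json registry.k8s.io/git-sync/git-sync:v4.6.0
and feed report.json to this script. The --severity and --ignore-unfixed
filters are applied here, so one saved report answers several questions.
"""
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of a trivy JSON report. The CVE ids,
# package names and versions are placeholders, not real scan output.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/image:tag",
    "Results": [
        {
            "Target": "example.invalid/image:tag (debian 13.3)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2026-00001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-1+deb13u1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2026-00002", "PkgName": "libexample2",
                 "InstalledVersion": "2.0-1", "FixedVersion": "2.0-2",
                 "Severity": "HIGH"},
                # No FixedVersion: --ignore-unfixed hides this one, so a
                # rebuild would not clear it.
                {"VulnerabilityID": "CVE-2026-00003", "PkgName": "libexample3",
                 "InstalledVersion": "3.0-1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2026-00004", "PkgName": "libexample4",
                 "InstalledVersion": "4.0-1", "FixedVersion": "4.0-2",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "usr/bin/example-binary",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2026-00005", "PkgName": "stdlib",
                 "InstalledVersion": "v1.25.7", "FixedVersion": "1.25.9, 1.26.2",
                 "Severity": "HIGH"},
            ],
        },
    ],
})


def _findings(report_json, severities, ignore_unfixed):
    """Yield (result, vuln) pairs after applying the severity/fixed filters."""
    report = json.loads(report_json)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            yield result, vuln


def summarize(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Count findings per scanner target type (debian, gobinary, ...) and severity."""
    table = defaultdict(Counter)
    for result, vuln in _findings(report_json, severities, ignore_unfixed):
        table[result["Type"]][vuln["Severity"]] += 1
    return {layer: dict(counts) for layer, counts in table.items()}


def unfixed(report_json, severities=("HIGH", "CRITICAL")):
    """IDs at the given severities with no upstream fix yet.

    An empty list is the check behind "a rebuild alone clears this":
    every finding that counts has a FixedVersion to rebuild against.
    """
    return sorted(
        vuln["VulnerabilityID"]
        for _, vuln in _findings(report_json, severities, ignore_unfixed=False)
        if not vuln.get("FixedVersion")
    )


def fix_targets(report_json, severities=("HIGH", "CRITICAL")):
    """Map package -> sorted FixedVersion strings needed to clear its findings."""
    needed = defaultdict(set)
    for _, vuln in _findings(report_json, severities, ignore_unfixed=True):
        needed[vuln["PkgName"]].add(vuln["FixedVersion"])
    return {pkg: sorted(versions) for pkg, versions in needed.items()}


def markdown_table(summary, severities=("HIGH", "CRITICAL")):
    """Render summarize() output as the markdown table used in the issue."""
    lines = ["| Layer | " + " | ".join(severities) + " |",
             "|" + "---|" * (len(severities) + 1)]
    for layer, counts in sorted(summary.items()):
        cells = " | ".join(str(counts.get(s, 0)) for s in severities)
        lines.append(f"| {layer} | {cells} |")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(markdown_table(summarize(data)))
    print("no fix yet:", unfixed(data) or "none")
    print("rebuild against:", fix_targets(data))
```

Keeping the severity and fixed-version filtering out of the trivy invocation matters for the argument in the issue: the `--ignore-unfixed` table only shows what a rebuild can fix, while `unfixed()` over the same report shows what it cannot, so both numbers come from one scan.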