upgrade github.com/hashicorp/go-retryablehttp & deps #35473
Merged
This updates github.com/hashicorp/go-retryablehttp (addressing CVE-2024-6104) & associated dependencies (github.com/hashicorp/go-hclog and golang.org/x/sys).

Exposure to this CVE is environment/context-dependent & would require explicit usage of basic auth URLs with Terraform core. This has already been addressed in the hashicorp/http provider, where it was perhaps more likely to be exposed, with hashicorp/terraform-provider-http#429 which went out with the 3.4.3 release.

hashicorp/go-retryablehttp@v0.7.5...v0.7.7
hashicorp/go-hclog@v1.5.0...v1.6.3
golang/sys@v0.19.0...v0.20.0
This addresses https:/hashicorp/terraform/security/dependabot/64 and replaces #35379.
Target Release
1.9.x
Draft CHANGELOG entry
BUG FIXES