Skip to content

chore(deps): bump github.com/sigstore/cosign/v2 to github.com/sigstore/cosign/v3@v3.0.3#112

Open
DmitriyLewen wants to merge 1 commit intoopenvex:mainfrom
DmitriyLewen:chore/deps/bump-cosign-to-v3
Open

chore(deps): bump github.com/sigstore/cosign/v2 to github.com/sigstore/cosign/v3@v3.0.3#112
DmitriyLewen wants to merge 1 commit intoopenvex:mainfrom
DmitriyLewen:chore/deps/bump-cosign-to-v3

Conversation

@DmitriyLewen
Copy link

@DmitriyLewen DmitriyLewen commented Dec 11, 2025
edited
Loading

Description

This PR bumps github.com/sigstore/cosign/v2 to actual github.com/sigstore/cosign/v3 (v3.0.3).

Cosign didn’t mention any critical or breaking changes, so upgrading shouldn’t cause any problems.

Fix vulnerabilities

github.com/sigstore/cosign/v2 uses vulnerable (CVE-2025-66564) github.com/sigstore/timestamp-authority.
https://github.com/openvex/discovery is also affected:

➜ git:(main) ✗ govulncheck -format openvex ./... | jq '.statements[] | select(.vulnerability.name == "GO-2025-4192")'
{
  "vulnerability": {
    "@id": "https://pkg.go.dev/vuln/GO-2025-4192",
    "name": "GO-2025-4192",
    "description": "Sigstore Timestamp Authority allocates excessive memory during request parsing in github.com/sigstore/timestamp-authority",
    "aliases": [
      "CVE-2025-66564",
      "GHSA-4qg8-fj49-pxjh"
    ]
  },
  "products": [
    {
      "@id": "Unknown Product",
      "subcomponents": [
        {
          "@id": "pkg:golang/github.com%2Fsigstore%2Ftimestamp-authority@v1.2.9"
        }
      ]
    }
  ],
  "status": "affected"
}

But in github.com/sigstore/cosign/v3@v3.0.3 sigstore bumped version of github.com/sigstore/timestamp-authority (to github.com/sigstore/timestamp-authority/v2@v2.0.3) - sigstore/cosign#4532

@DmitriyLewen
chore(deps): bump github.com/sigstore/cosign/v2 to github.com/sigstor…
aaef530 
…e/cosign/v3

Signed-off-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@DmitriyLewen DmitriyLewen force-pushed the chore/deps/bump-cosign-to-v3 branch from 6829cb8 to aaef530 Compare December 11, 2025 11:10
@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 11, 2025 11:12
@knqyf263 knqyf263 mentioned this pull request Jan 7, 2026
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DmitriyLewen