#contribute

Ethan Brown

03/22/2024, 4:43 PM
Quick heads up that I just put up https://github.com/flyteorg/flyte/pull/5097 as a proposal / to discuss how to determine which Go version to use. Right now builds are pinned to 1.21.5, but I think they should float against 1.21. The tl;dr is that I didn't fully triage the list of things I was given from the auditors to see how applicable the various vulns are... BUT... I thought it was some low-hanging fruit to at least use the latest Z release of Go to build things and knock a number of vulns off the list.
Maybe you've already got plans for renovate / dependabot ... or it just needs to be configured to update Dockerfiles -- I didn't really look. But this seemed like a reasonable short-term solution for now
Semi-related to vulns ... the PR to flyteconsole is still open at https://github.com/flyteorg/flyteconsole/pull/834. The base container image being used for console is still ancient / unmaintained. Should be using gcr.io/distroless/nodejs18-debian12 rather than gcr.io/distroless/nodejs.
For a frontend image, it shouldn't really matter too much. It's mostly a compliance / auditing issue.