Merge pull request #307229 from katexochen/agebox/fix-vuln

agebox: update vulnerable dependency
2024-09-29 07:32:58 +00:00 · 2024-04-27 19:01:02 +02:00 · 2024-04-27 19:01:02 +02:00 · 36134ff401
commit 36134ff401
parent e9f304f924 8f5c4cf5eb
1 changed files with 11 additions and 2 deletions
--- a/pkgs/tools/security/agebox/default.nix
+++ b/pkgs/tools/security/agebox/default.nix
@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, fetchpatch }:

 buildGoModule rec {
  pname = "agebox";
@ -11,7 +11,16 @@ buildGoModule rec {
    hash = "sha256-W6/v5BIl+k6tMan/Wdua7mHKMsq23QZN13Cy24akJr4=";
  };

-  vendorHash = "sha256-PLeNTlQ0OMcupfbVN/KGb0iJYf3Jbcevg8gTcKHpn8s=";
+  patches = [
+    # Update gopkg.in/yaml.v2 to v2.2.8 to fix vulnerabilities.
+    # https://github.com/slok/agebox/pull/199
+    (fetchpatch {
+      url = "https://github.com/slok/agebox/commit/40a515d39911f601ebe05cc914e8a02695d85dc7.patch";
+      hash = "sha256-0iBI0nID12OoWqWY/8MPb3vvTUDe0JdSHu2vefix/bM=";
+    })
+  ];
+
+  vendorHash = "sha256-MNAF2ExIOYPzXyGR6H7lfUEhnMDCyD7ecst5MKm7u+A=";

  ldflags = [
    "-s"