Skip to content

[release-v0.37.x] bump github.com/tektoncd/hub from 1.17.0 to 1.17.3#3032

Merged
tekton-robot merged 1 commit into
release-v0.37.xfrom
dependabot/go_modules/release-v0.37.x/github.com/tektoncd/hub-1.17.3
Jul 15, 2026
Merged

[release-v0.37.x] bump github.com/tektoncd/hub from 1.17.0 to 1.17.3#3032
tekton-robot merged 1 commit into
release-v0.37.xfrom
dependabot/go_modules/release-v0.37.x/github.com/tektoncd/hub-1.17.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/tektoncd/hub from 1.17.0 to 1.17.3.

Release notes

Sourced from github.com/tektoncd/hub's releases.

v1.17.2

Hub v1.17.2 🎉

This patch fixes several critical and high-severity CVEs in the UI and Swagger components. It includes updates to multiple transitive dependencies to improve overall security and stability.

🔒 CVEs Fixed


CVE-2025-9287⚠️ Critical

CVE-2025-7783⚠️ Critical

CVE-2025-6545⚠️ Critical

CVE-2025-9288⚠️ Critical

CVE-2025-6547⚠️ Critical

CVE-2025-66031⚠️ Critical

CVE-2025-12816 — 🔥 High

CVE-2025-64756 — 🔥 High

CVE-2025-58754 — 🔥 High

CVE-2024-21538 — 🔥 High

CVE-2024-52798 — 🔥 High

CVE-2025-59343 — 🔥 High

CVE-2024-21536 — 🔥 High

Full Changelog: tektoncd/hub@v1.17.1...v1.17.2

v1.17.1

Full Changelog: tektoncd/hub@v1.17.0...v1.17.1

Commits
  • 9c2ee43 Fix to mock both Date and Date.mow()
  • 2a07a76 Update UI and Swagger vulnerable dependencies to fix the CVE
  • 8c96655 Fix few critical and major CVEs in UI and Swagger components
  • 6da0229 Bump github.com/golang-jwt/jwt to github.com/golang-jwt/jwt/v4
  • c4449d3 Bump golang and alpine image in dockerfile
  • 6bc0907 Bump github.com/tektoncd/pipeline to version v0.59.5
  • e5482e8 Bump github.com/go-jose/go-jose/v4 to v.0.5
  • 2ad0ba0 Bump golang.org/x/oauth2 to fix Vulnerability GO-2025-3488
  • b59faec Bump golang.org/x/crypto to latest
  • 901fb1e Update UI vulnerable packages
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/tektoncd/hub](https://github.com/tektoncd/hub) from 1.17.0 to 1.17.3.
- [Release notes](https://github.com/tektoncd/hub/releases)
- [Commits](tektoncd/hub@v1.17.0...v1.17.3)

---
updated-dependencies:
- dependency-name: github.com/tektoncd/hub
  dependency-version: 1.17.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Used by dependabot - identifies all PRs created by dependabot kind/misc Categorizes issue or PR as a miscellaneuous one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesnt merit a release note. labels Jul 14, 2026
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 14, 2026

@divyansh42 divyansh42 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: divyansh42

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 15, 2026
@tekton-robot
tekton-robot merged commit 8ac73bf into release-v0.37.x Jul 15, 2026
18 of 20 checks passed
@dependabot
dependabot Bot deleted the dependabot/go_modules/release-v0.37.x/github.com/tektoncd/hub-1.17.3 branch July 15, 2026 07:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dependencies Used by dependabot - identifies all PRs created by dependabot kind/misc Categorizes issue or PR as a miscellaneuous one. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesnt merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants