Potential release timeline to patch vulnerability on gopkg.in/square/go-jose.v2-v2.6.0 #2152
Closed
Kieran-Muller started this conversation in General
-
Release 4.8.0 just dropped which contains the patched module. Closing.
-
Hi folks!
Just wanted to reach out to get a rough ballpark estimate on the next release of quay/clair?
Noticed v4.7.4 has a vulnerability on gopkg.in/square/go-jose.v2-v2.6.0 which one of our tools has caught on CI. Due to various processes, we've raised a risk and given ourselves a timeline to resolve/mitigate.
Unfortunately due to the way we consume clair and the module moving location, a simple replace on the module does not work. However, I noticed the current go.mod contains a patched, non-vulnerable version!
I'm in no way putting the pressure on! Just thought I'd throw out an ask so we can handle our risk appropriately!
Look forward to hearing from you, thanks.