CVE Vulnerabilities in client-go, crypto, and protobuf plugins #319

@sharkymcdongles

/helm-diff/diff/bin/diff (gobinary)
======================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

+--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
|         LIBRARY          | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION            |                 TITLE                 |
+--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| github.com/gogo/protobuf | CVE-2021-3121    | HIGH     | v1.3.1                             | v1.3.2                             | gogo/protobuf:                        |
|                          |                  |          |                                    |                                    | plugin/unmarshal/unmarshal.go         |
|                          |                  |          |                                    |                                    | lacks certain index validation        |
|                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2021-3121  |
+--------------------------+------------------+          +------------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto      | CVE-2020-29652   |          | v0.0.0-20200220183623-bac4c82f6975 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                          |                  |          |                                    |                                    | authentication request can            |
|                          |                  |          |                                    |                                    | lead to nil pointer dereference       |
|                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| k8s.io/client-go         | CVE-2020-8565    | MEDIUM   | v0.18.6                            | v0.20.0-alpha.2                    | kubernetes: Incomplete fix            |
|                          |                  |          |                                    |                                    | for CVE-2019-11250 allows for         |
|                          |                  |          |                                    |                                    | token leak in logs when...            |
|                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-8565  |
+--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
