Hi there, I want to know the plan for TiDB dependencies and base image upgrade.
Because while choosing a TiDB version, I used Anchore to scan the images, and there are version issues in the latest v8.1.0 or v6.5.10, including:
- upgrade Golang version
- upgrade Go module
- upgrade RPM package version
For example, in the latest TiDB v8.1.0 (docker.io/pingcap/tidb:v8.1.0), the report indicated:
- Go version needs an upgrade - CVE-2024-24790 + stdlib-go1.21.10
- RPM package in Base Image needs an upgrade - CVE-2024-2961 + glibc-common
- Issues about RPM or module which need to be upgraded
Also in the latest TiDB-Operator v1.6.0, which corresponds to TiDB v8.x:
- Go version needs an upgrade - CVE-2024-24790+stdlib-go1.21.10
- Go module needs an upgrade - GHSA-45x7-px36-x8w8+golang.org/x/crypto-v0.16.0
- Issues about RPM or module which need to be upgraded
I also checked the latest images for lower LTS versions, like v6.5.10, and version upgrade issues still exist there as well.
So, I would like to know if TiDB has any plans to upgrade the Golang modules and the base image to the latest versions in future LTS patch versions?
Thanks!