grafana-12.1
github.com/openfga/openfga
Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.
Start for freeStatus
Impact
openfga v1.14.0 is the only fix version for GHSA-68m9-983m-f3v5 per the GHSA advisory (vulnerable range >= 0.1.4, <= 1.13.1).
Bumping openfga from v1.8.13 to v1.14.0 in grafana's build pipeline cascades k8s.io/apiserver to a version that internally uses sigs.k8s.io/structured-merge-diff/v6, while grafana v12.1.10.01 upstream source still imports structured-merge-diff/v4. This causes compile errors such as "does not implement UpdateResetFieldsStrategy (wrong type for method GetResetFields)" in:
grafana v12.2 upstream has migrated to structured-merge-diff/v6 and accepts openfga v1.14.0 cleanly. Upstream maintainers must implement compatibility to resolve.
Status