fix(deps): BDSA-2026-1849 cosign transient dependency pinning

[matthiasbruns]

What this PR does / why we need it

BlackDuck found a CVE in mongodb/mongo-go-driver@v1.17.6 which is used in cosign@v3.0.5

I already created a PR in upstream sigstore/cosign#4764

Changelog

https://github.com/mongodb/mongo-go-driver/releases/tag/v1.17.9
🐛 Fixed
GODRIVER-3793 Fix variable shadowing in rtt monitor in mongodb/mongo-go-driver#2317

https://github.com/mongodb/mongo-go-driver/releases/tag/v1.17.8
✨ New Features
GODRIVER-3773 Deprecate v1 in mongodb/mongo-go-driver#2312

https://github.com/mongodb/mongo-go-driver/releases/tag/v1.17.7
🐛 Fixed
GODRIVER-3770 Fix buffer handling in GSSAPI error description and username functions in mongodb/mongo-go-driver#2291
📝 Other Changes
Add more visible deprecation banner to the 1.17 readme in mongodb/mongo-go-driver#2233
GODRIVER-3770 Remove libasan from gssapi tests in CI n mongodb/mongo-go-driver#2293
GODRIVER-3766 Remove deprecation notice for MergeClientOptions in mongodb/mongo-go-driver#2294

[frewilhelm]

Doesn't 1.17.6 contain the vulnerability? We need to upgrade do we?

[frewilhelm]

Additionally, we might not be affected by this vulnerability as its affecting CGO bindings for GSSAPI

The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS.

[matthiasbruns]

maybe we wait for the upstream pr merge

[frewilhelm]

You can also check the changelog of go.mongodb.org/mongo-driver from 1.17.6 to 1.17.9. If there are no breaking changes, it could be fine to pin it to 1.17.9.

We just need to make sure that (a) it works and (b) we will remove the pin if upstream catched up

[jakobmoellerdev]

when do we ever use this driver? this looks like dead code. there is no mongo ever used right?

[matthiasbruns]

let's wait for upstream to provide a fix - I think I was a bit over ambitious