Vulnerabilities in 1Password CLI Docker image (v2.30.3) – Request for fix timeline
Hello 1Password team,
We are using the official 1password/op:2.30.3 Docker image in a SOC 2–compliant environment, and a recent security scan flagged multiple fixable vulnerabilities in the image, particularly in the 1Password CLI binary and its dependencies.
Vulnerable components (all marked as fixable by our scanner):
- golang.org/x/crypto v0.27.0 → 1 Critical, 1 High
- stdlib v1.22.7 → 1 Critical, 3 Medium (likely from Go compiler)
- golang.org/x/net v0.29.0 → 3 Medium
- github.com/go-jose/go-jose/v4 v4.0.2 → 1 Medium
- debian/openssl / debian/glibc / gnutls28 / libtasn1-6 / perl → Multiple Medium
- debian/gcc-12 → 2 Low (we acknowledge these are non-fixable for now)
Given that all the vulnerabilities above (except gcc-12) are marked as fixable, we would like to ask:
- Will these vulnerabilities be addressed in the next release of 1Password CLI and its official Docker image?
- Is there an estimated release date for the next version?
- (Optional) If some of these CVEs are considered not applicable due to usage context, could you provide clarifications for audit purposes?
We greatly appreciate your help. Please let us know if there is a more up-to-date version we should use instead of 1password/op:2.30.3.
Best regards,
