Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1 to remove indirect dependacy of btcd module which is vulnerable to CVE-2022-44797

[bsalunke]

Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1 to remove indirect dependacy of btcd module which is vulnerable to CVE-2022-44797

What is it fixing
Nerdctl has an indirect dependency module ("github.com/btcsuite/btcd v0.21.0-beta) having vulnerability reported https://nvd.nist.gov/vuln/detail/CVE-2022-44797.

As explained by @AkihiroSuda, it's false positive and nerdctl does not trigger the code path in any way to invoke "btcd" module. The fix provided was VEX set to eliminate #1571

However APIK some of the open source scanner does not support VEX as of today. e.g. aquasecurity/trivy#1836.

Fix
Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1

Please let me know if more information needs to be added.

[djdongjin]

Hi @bsalunke please sign your commit

[bsalunke]

Thanks @djdongjin. Created another PR with sign: #1626.

Closing this as not required.

[djdongjin]

just fyi, you can also git commit --amend -s (and git push -f) to sign an existing commit.