Update consul package as the one referenced in terraform is quite old

[gvnc]

Terraform Version

1.11.4

Use Cases

The consul package referenced in go.mod is v1.13.0 which is a quite old package and security scanners report vulnerabilities on it.
https://github.com/hashicorp/terraform/blob/main/go.mod#L182

Vulnerabilities:

• https://nvd.nist.gov/vuln/detail/CVE-2021-41803
• https://nvd.nist.gov/vuln/detail/CVE-2024-10006
• https://nvd.nist.gov/vuln/detail/CVE-2024-10005

I reported it to hashicorp security team and they replied back as below.
Terraform includes the github.com/hashicorp/consul/api module in order to support the Consul remote state backend. Terraform only uses client libraries and does not run a Consul server, therefore it is not impacted by Consul server vulnerabilities such as the ones listed above.
Still, security scanners highlight the vulnerabilities. Could you please update the consul package as the latest one is v1.32.1 ?

Attempted Solutions

NA

Proposal

Could you please update the consul package as the latest one is v1.32.1 ?

References

No response

[crw]

Thanks for this report. Codeowners currently reports this backend as "unmaintained," per https://github.com/hashicorp/terraform/blob/main/CODEOWNERS#L17C1-L17C62 -- I would imagine this will dependency will eventually be removed if and when the backend is deprecated. Thanks again!

[jbardin]

Closed via #37150

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.