Open CVE in timestamp-authority

[MondayHopscotch]

There is a recent vulnerability in the timestamp-authority package.

Our build caught it (we are slightly behind, but even the latest doesn't have the fix yet) :

NAME                                     INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS           RISK
github.com/sigstore/timestamp-authority  v1.2.5     2.0.3     go-module  GHSA-4qg8-fj49-pxjh  High      < 0.1% (11th)  < 0.1

https://ubuntu.com/security/CVE-2025-66564

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

[imjasonh]

The version of timestamp-authority used by ko is v2.0.3

https://github.com/ko-build/ko/blob/v0.18.1/go.mod#L142

I'm not sure why scanners are finding that this depends on v1 but it's a false positive.