
update gopkg.in/yaml.v3 to v3.0.1 #1337

Merged: 1 commit, merged on Jun 13, 2022

Conversation

izhakmo (Contributor) commented Jun 6, 2022

@chkp-alexgl

@dgsb @sirupsen can you, please, take a look? Would be great to merge this CVE fix soon. Thanks!

@thaJeztah (Collaborator)

Curious; how was this PR created? Because it's updating go.sum without any changes in go.mod; from what I can see this is an indirect dependency, so I'm not immediately sure how this would relate to logrus itself; perhaps another dependency that causes it to be in the dependency tree could be updated though.

@sio4 commented Jul 19, 2022

#1344 includes this reverted change by updating testify.
I didn't check the CVE, and the CVE may not affect logrus directly, but it could be better to update it.

@thaJeztah (Collaborator)

Yeah, looks like it's only used in test code;

    go mod graph | grep ' gopkg.in/yaml.v3'
    github.com/stretchr/testify@v1.7.0 gopkg.in/yaml.v3@…

Which only uses it in assert.YAMLEq() (which appears unused in the codebase); https://github.com/stretchr/testify/blob/v1.7.0/assert/assertions.go#L1543-L1559

But updating testify to 1.7.2 or above (with stretchr/testify@41453c0) should update it.
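The check thaJeztah did by hand above, as an added example that is not code from the logrus project or from anyone in this thread: walk `go mod graph` output from the main module to find which direct requirement drags in an indirect module, and therefore which go.mod line a maintainer has to bump (go.mod only pins direct requirements, which is why a go.sum-only change looked odd). The graph embedded below is constructed and illustrative, not the real logrus graph; the function names `parseGraph`, `requirePath` and `blameDirect` are this example's own. The Go toolchain answers the same question directly with `go mod why -m gopkg.in/yaml.v3`.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strings"
)

// sampleGraph is a constructed, illustrative `go mod graph` output, not the
// real logrus graph; versions are placeholders. Each line is
// "<requirer> <requirement>", nodes are path@version, and the main module
// (the left-hand node of the first line) carries no version.
const sampleGraph = `github.com/sirupsen/logrus github.com/davecgh/go-spew@v1.1.1
github.com/sirupsen/logrus github.com/pmezard/go-difflib@v1.0.0
github.com/sirupsen/logrus github.com/stretchr/testify@v1.7.0
github.com/sirupsen/logrus golang.org/x/sys@v0.0.0-20220715151400-c0bba94af5f8
github.com/stretchr/testify@v1.7.0 github.com/davecgh/go-spew@v1.1.0
github.com/stretchr/testify@v1.7.0 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.7.0 github.com/stretchr/objx@v0.1.0
github.com/stretchr/testify@v1.7.0 gopkg.in/yaml.v3@v3.0.0-20200313102051-879a4dc29bd1
`

// modPath strips the @version suffix from a module-graph node.
func modPath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph reads `go mod graph` output into an adjacency list keyed by
// requirer and returns the main module (left-hand node of the first line).
func parseGraph(r io.Reader) (map[string][]string, string, error) {
	adj := map[string][]string{}
	root := ""
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, "", fmt.Errorf("malformed go mod graph line: %q", line)
		}
		if root == "" {
			root = fields[0]
		}
		adj[fields[0]] = append(adj[fields[0]], fields[1])
	}
	if err := sc.Err(); err != nil {
		return nil, "", err
	}
	if root == "" {
		return nil, "", fmt.Errorf("empty module graph")
	}
	return adj, root, nil
}

// requirePath breadth-first searches from start and returns the shortest
// requirement chain ending at the first node whose module path equals target,
// or nil when target is not reachable from start.
func requirePath(adj map[string][]string, start, target string) []string {
	parent := map[string]string{start: ""}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modPath(cur) == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range adj[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// blameDirect lists the direct requirements of root through which target is
// reachable: bumping (or dropping) these is what actually moves an indirect
// dependency, since go.mod pins only what root requires directly.
func blameDirect(adj map[string][]string, root, target string) []string {
	var blamed []string
	for _, direct := range adj[root] {
		if requirePath(adj, direct, target) != nil {
			blamed = append(blamed, direct)
		}
	}
	sort.Strings(blamed)
	return blamed
}

func main() {
	adj, root, err := parseGraph(strings.NewReader(sampleGraph))
	if err != nil {
		panic(err)
	}
	const target = "gopkg.in/yaml.v3"
	fmt.Println("chain:", strings.Join(requirePath(adj, root, target), " -> "))
	fmt.Println("direct requirements to bump:", blameDirect(adj, root, target))
}
```

Reachability in the module graph is a necessary but not sufficient condition for exposure: a module can be required without any of its packages being compiled into the shipped binary, which is the situation described in this thread (yaml.v3 only behind assert.YAMLEq in test code). To check package-level reachability, use `go list -deps ./...` (add `-test` to include test packages), or run `govulncheck ./...`, which reports only vulnerable functions that are actually called.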

Linked issue (may be closed by this pull request): New CVE was discovered CVE-2022-28948

5 participants