Vulnerability for dd trace v1.40.1, update labstack/echo to v4.9.0 #1458

Nitjsefni7 · 2022-09-06T10:15:32Z

Vulnerability:
sonatype-2022-5436

originated from labstack/echo/v4@v4.2.0

Using
replace github.com/labstack/echo/v4 v4.2.0 => github.com/labstack/echo/v4 v4.9.0
for now.

The text was updated successfully, but these errors were encountered:

ajgajg1134 · 2022-09-06T14:18:57Z

Thanks for the heads-up, It's not well documented currently (I will create a PR shortly), but dd-trace-go tries to support the lowest possible version for contrib packages so that users of dd-trace-go are able to use whatever version they desire*. It looks like you've also already identified a fix for your service using the replace directive. (And users who are not using labstack/echo are unaffected)

I'll bring this up at a team meeting tomorrow to see if there's a better way to approach this problem. If you have any thoughts feel free to re-open this issue!

*Even for versions that have vulnerabilities as there exist users of dd-trace-go who either are unable or unwilling to update these dependencies.

The module DataDog/dd-trace-go imports labstack/echo v4.2.0, which has vulnerability. Thus force go.mod to use patched version v4.9.0 instead, by adding `replace` directive. Reference: DataDog/dd-trace-go#1458

ajgajg1134 closed this as completed Sep 6, 2022

2dvorak mentioned this issue Nov 11, 2022

Upgrade labstack echo klaytn/klaytn#1688

Closed

9 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability for dd trace v1.40.1, update labstack/echo to v4.9.0 #1458

Vulnerability for dd trace v1.40.1, update labstack/echo to v4.9.0 #1458

Nitjsefni7 commented Sep 6, 2022

ajgajg1134 commented Sep 6, 2022

Vulnerability for dd trace v1.40.1, update labstack/echo to v4.9.0 #1458

Vulnerability for dd trace v1.40.1, update labstack/echo to v4.9.0 #1458

Comments

Nitjsefni7 commented Sep 6, 2022

ajgajg1134 commented Sep 6, 2022