Thanks for the heads-up. It's not well documented currently (I will create a PR shortly), but dd-trace-go tries to support the lowest possible version for contrib packages so that users of dd-trace-go are able to use whatever version they desire*. It looks like you've also already identified a fix for your service using the replace directive. (And users who are not using labstack/echo are unaffected.)
I'll bring this up at a team meeting tomorrow to see if there's a better way to approach this problem. If you have any thoughts, feel free to re-open this issue!
*Even for versions that have vulnerabilities as there exist users of dd-trace-go who either are unable or unwilling to update these dependencies.
The module DataDog/dd-trace-go imports labstack/echo v4.2.0,
which has a vulnerability. Thus force go.mod to use the patched version
v4.9.0 instead, by adding a `replace` directive.
Reference: DataDog/dd-trace-go#1458
See: labstack/echo/issues/2259
Vulnerability: sonatype-2022-5436, originated from labstack/echo/v4@v4.2.0
Using

```
replace github.com/labstack/echo/v4 v4.2.0 => github.com/labstack/echo/v4 v4.9.0
```

for now.
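As an added example (not code from this issue or from dd-trace-go), a small Python check that resolves the version Go would actually build after the main module's `replace` directives are applied, and that shows the caveat of a versioned replace like the one above: it only matches that exact version, so a later dd-trace-go bump of its echo requirement would silently un-pin it. The go.mod fragments and the dd-trace-go version in them are constructed placeholders.

```python
def parse_go_mod(text):
    # Minimal parser: only require and replace directives, single-line or block form.
    requires, replaces, block = {}, [], None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line in ("require (", "replace (", ")"):  # block open/close
            block = None if line == ")" else line.split()[0]
            continue
        directive, body = (block, line) if block else (line.split(None, 1) + [""])[:2]
        if directive == "require" and body:
            path, version = body.split()[:2]
            requires[path] = version
        elif directive == "replace" and body:
            left, right = [s.split() for s in body.split("=>")]
            replaces.append((left[0], left[1] if len(left) > 1 else None,
                             right[0], right[1] if len(right) > 1 else None))
    return requires, replaces

def effective_version(text, path):
    # A versioned replace only matches that exact version; a bare one matches every
    # version. Local-directory replacements carry no version and come back as None.
    requires, replaces = parse_go_mod(text)
    version = requires.get(path)
    for old_path, old_ver, _new_path, new_ver in replaces:
        if old_path == path and (old_ver is None or old_ver == version):
            return new_ver
    return version

def is_patched(text, path, min_fixed):
    key = lambda v: tuple(int(x) for x in v.lstrip("v").split("-")[0].split("."))
    v = effective_version(text, path)
    return v is not None and key(v) >= key(min_fixed)

# Constructed go.mod (not the project's own file); the dd-trace-go version is a placeholder.
PINNED = """
module example.com/myservice
require (
    github.com/labstack/echo/v4 v4.2.0 // indirect, pulled in by dd-trace-go
    gopkg.in/DataDog/dd-trace-go.v1 v0.0.0-placeholder
)
replace github.com/labstack/echo/v4 v4.2.0 => github.com/labstack/echo/v4 v4.9.0
"""
# After dd-trace-go bumps its echo requirement to v4.3.0 the versioned replace no
# longer matches, so the pin silently stops applying; a bare replace still does.
BUMPED = PINNED.replace("v4.2.0 // indirect", "v4.3.0 // indirect")
BROAD = BUMPED.replace("echo/v4 v4.2.0 =>", "echo/v4 =>")
```

Run `is_patched(PINNED, "github.com/labstack/echo/v4", "v4.9.0")` to confirm the pin takes effect, and the same call on `BUMPED` to see it fail once the transitive requirement moves.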