diff --git a/cmd/go.mod b/cmd/go.mod
index e6629cd42..91dd5b19d 100644
--- a/cmd/go.mod
+++ b/cmd/go.mod
@@ -36,4 +36,8 @@ replace (
 
 // Temporary fork for avoiding importing patent-protected code: https://github.com/hashicorp/golang-lru/issues/73
 github.com/hashicorp/golang-lru => github.com/ktock/golang-lru v0.5.5-0.20211029085301-ec551be6f75c
+
+ // Ensure v1.3.1+ is used to address https://github.com/advisories/GHSA-g3vv-g2j5-45f2
+ // TODO: remove this replace dirctive once all dependencies are updated to point to v1.3.1+
+ github.com/ipld/go-codec-dagpb => github.com/ipld/go-codec-dagpb v1.3.2
 )
diff --git a/cmd/go.sum b/cmd/go.sum
index 107fa7859..e0768c3d8 100644
--- a/cmd/go.sum
+++ b/cmd/go.sum
@@ -819,8 +819,8 @@ github.com/ipfs/iptb v1.4.0 h1:YFYTrCkLMRwk/35IMyC6+yjoQSHTEcNcefBStLJzgvo=
 github.com/ipfs/iptb v1.4.0/go.mod h1:1rzHpCYtNp87/+hTxG5TfCVn/yMY3dKnLn8tBiMfdmg=
 github.com/ipfs/iptb-plugins v0.3.0 h1:C1rpq1o5lUZtaAOkLIox5akh6ba4uk/3RwWc6ttVxw0=
 github.com/ipfs/iptb-plugins v0.3.0/go.mod h1:5QtOvckeIw4bY86gSH4fgh3p3gCSMn3FmIKr4gaBncA=
-github.com/ipld/go-codec-dagpb v1.3.0 h1:czTcaoAuNNyIYWs6Qe01DJ+sEX7B+1Z0LcXjSatMGe8=
-github.com/ipld/go-codec-dagpb v1.3.0/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA=
+github.com/ipld/go-codec-dagpb v1.3.2 h1:MZQUIjanHXXfDuYmtWYT8nFbqfFsZuyHClj6VDmSXr4=
+github.com/ipld/go-codec-dagpb v1.3.2/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA=
 github.com/ipld/go-ipld-prime v0.9.1-0.20210324083106-dc342a9917db/go.mod h1:KvBLMr4PX1gWptgkzRjVZCrLmSGcZCb/jioOQwCqZN8=
 github.com/ipld/go-ipld-prime v0.11.0 h1:jD/b/22R7CSL+F9xNffcexs+wO0Ji/TfwXO/TWck+70=
 github.com/ipld/go-ipld-prime v0.11.0/go.mod h1:+WIAkokurHmZ/KwzDOMUuoeJgaRQktHtEaLglS3ZeV8=
diff --git a/ipfs/go.mod b/ipfs/go.mod
index 620a3759a..12cfc75bf 100644
--- a/ipfs/go.mod
+++ b/ipfs/go.mod
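Review bot: The added `github.com/ipld/go-codec-dagpb => github.com/ipld/go-codec-dagpb v1.3.2` line in the cmd/go.mod `replace (` block pins the module to exactly v1.3.2 for every requested version, while the comment above it promises "v1.3.1+". If a dependency later requires a newer release, the build still resolves v1.3.2 and nothing reports the mismatch. A `github.com/ipld/go-codec-dagpb v1.3.2 // indirect` entry in the require block would raise the minimum through normal version selection without capping it; that block is outside this hunk, so check whether one is already there. The ipfs/go.mod hunk adds the same replace. The TODO also misspells `directive` as `dirctive`, and it would be easier to act on if it named the check to run, for example `go mod graph` showing no remaining requirement on v1.3.0.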
@@ -7,9 +7,16 @@ require (
 github.com/ipfs/go-cid v0.1.0
 github.com/ipfs/go-ipfs-files v0.1.1
 github.com/ipfs/interface-go-ipfs-core v0.6.2
+ github.com/ipld/go-codec-dagpb v1.3.2 // indirect
 github.com/libp2p/go-libp2p-record v0.1.1 // indirect
 github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5
 )
 
-// Temporary fork for avoiding importing patent-protected code: https://github.com/hashicorp/golang-lru/issues/73
-replace github.com/hashicorp/golang-lru => github.com/ktock/golang-lru v0.5.5-0.20211029085301-ec551be6f75c
+replace (
+ // Temporary fork for avoiding importing patent-protected code: https://github.com/hashicorp/golang-lru/issues/73
+ github.com/hashicorp/golang-lru => github.com/ktock/golang-lru v0.5.5-0.20211029085301-ec551be6f75c
+
+ // Ensure 1.3.1 or later is used to address https://github.com/advisories/GHSA-g3vv-g2j5-45f2
+ // TODO: remove this replace dirctive once all dependencies are updated to point to v1.3.1+
+ github.com/ipld/go-codec-dagpb => github.com/ipld/go-codec-dagpb v1.3.2
+)
diff --git a/ipfs/go.sum b/ipfs/go.sum
index 86efe1053..a230a908e 100644
--- a/ipfs/go.sum
+++ b/ipfs/go.sum
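Review bot: The new `replace (` block in ipfs/go.mod only takes effect when this module is the main module being built, because `replace` directives in a dependency's go.mod are ignored. If other modules import this one (not visible from the hunk), they get the GHSA-g3vv-g2j5-45f2 fix solely from the added `github.com/ipld/go-codec-dagpb v1.3.2 // indirect` requirement. That require line already raises the selected version to at least v1.3.2, so the dagpb replace looks redundant in this file. Consider dropping it here, or documenting the split with a comment such as `// The require above sets the v1.3.2 floor for importers; this replace only affects builds of this module itself`.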
@@ -755,8 +755,8 @@ github.com/ipfs/go-verifcid v0.0.1 h1:m2HI7zIuR5TFyQ1b79Da5N9dnnCP1vcu2QqawmWlK2
 github.com/ipfs/go-verifcid v0.0.1/go.mod h1:5Hrva5KBeIog4A+UpqlaIU+DEstipcJYQQZc0g37pY0=
 github.com/ipfs/interface-go-ipfs-core v0.6.2 h1:nnkq9zhb5O8lPzkZeynEymc83RqkTRqfYH4x5JNUkT4=
 github.com/ipfs/interface-go-ipfs-core v0.6.2/go.mod h1:h3NuO3wzv2KuKazt0zDF2/i8AFRqiKHusyh5DUQQdPA=
-github.com/ipld/go-codec-dagpb v1.3.0 h1:czTcaoAuNNyIYWs6Qe01DJ+sEX7B+1Z0LcXjSatMGe8=
-github.com/ipld/go-codec-dagpb v1.3.0/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA=
+github.com/ipld/go-codec-dagpb v1.3.2 h1:MZQUIjanHXXfDuYmtWYT8nFbqfFsZuyHClj6VDmSXr4=
+github.com/ipld/go-codec-dagpb v1.3.2/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA=
 github.com/ipld/go-ipld-prime v0.9.1-0.20210324083106-dc342a9917db/go.mod h1:KvBLMr4PX1gWptgkzRjVZCrLmSGcZCb/jioOQwCqZN8=
 github.com/ipld/go-ipld-prime v0.11.0 h1:jD/b/22R7CSL+F9xNffcexs+wO0Ji/TfwXO/TWck+70=
 github.com/ipld/go-ipld-prime v0.11.0/go.mod h1:+WIAkokurHmZ/KwzDOMUuoeJgaRQktHtEaLglS3ZeV8=