The current version has a security vulnerability #3155
Comments
Hi, I'm also looking for a solution for this problem. For now, what should we do?
I have researched, but not really found a way to just use the master branch in Go. Would be cool if the maintainers of this project would just do minor or patch releases every week. This is really concerning.
Hey @thinkerou, since you are a maintainer of gin-gonic, can you please comment on this?
@MCWertGaming please see #3160
@thinkerou thank you really much for looking into this. I have just seen that the master is using go-yaml.v2 but has it as a dependency. Any idea if the unit test broke because of a problem in V3 of the module? Or is it possible that the usage changed? If no one is already looking into a fix, I could check on that.
GHSA-hp87-p4gw-j4gq
@thinkerou on which PR did you fix this? Can you please link? I think the fix is not in v1.8.0. I still see both yaml.v2 v2.4.0 and yaml.v3 v3.0.0.
True, the current master uses V2: https://github.com/gin-gonic/gin/blob/master/go.mod#L16.
@hakandilek @MCWertGaming Please help to review the #3164 PR. I will bump v1.8.1 after merging.
The YAML v2 version can't reproduce the issue. See the comment go-yaml/yaml#666 (comment).
I will close the issue. Please feel free to reopen the issue if there are any further problems.
Hey @appleboy, shouldn't we upgrade to V3 nevertheless? I mean, when V3 is vulnerable, it's probably just a matter of time until V2 shows its first vulnerabilities as well. Also, I'm not sure if it makes sense to use two versions of the same dependency in parallel.
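As an added example, not code from the thread or from the gin project: a small Go check over the output of `go list -m all` (the list of module versions actually resolved for a build) that flags any module resolving below a patched version you record from the advisory, so a consumer can see whether the vulnerable yaml.v3 v3.0.0 ends up in their own module graph. The module list below is constructed from the versions named in the thread, and the patched version v3.0.1 used in main is an assumption to be confirmed against GHSA-hp87-p4gw-j4gq.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Older reports whether version a sorts before b on numeric MAJOR.MINOR.PATCH,
// ignoring any pre-release, pseudo-version or build-metadata suffix.
func Older(a, b string) bool {
	nums := func(v string) (n [3]int) {
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-") // drop "-20220101...-abcdef"
		v, _, _ = strings.Cut(v, "+")                           // drop "+incompatible"
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	x, y := nums(a), nums(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Vulnerable lists modules in `go list -m all` output that resolve below the patched version recorded for their path.
func Vulnerable(modList string, patched map[string]string) []string {
	var hits []string
	for _, line := range strings.Split(modList, "\n") {
		if f := strings.Fields(line); len(f) == 2 { // "path version"; the main module has no version
			if fix, ok := patched[f[0]]; ok && Older(f[1], fix) {
				hits = append(hits, f[0]+"@"+f[1])
			}
		}
	}
	return hits
}

// modList is a constructed `go list -m all` capture using the versions named in the thread.
const modList = `example.com/app
github.com/gin-gonic/gin v1.8.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.0`

func main() {
	// The patched version is an assumption here; take the real one from GHSA-hp87-p4gw-j4gq.
	fmt.Println(Vulnerable(modList, map[string]string{"gopkg.in/yaml.v3": "v3.0.1"}))
}
```

For a real project, capture the list with `go list -m all` from the module root and feed that text in place of the constructed constant.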
Description
Hi! I just got a security warning from GitHub because a dependency used by this project is marked as vulnerable. It can be found here: GHSA-hp87-p4gw-j4gq. The package is
gopkg.in/yaml.v3
which is resolved in the current master, but the latest release (1.7.7) is over a year old and does not contain this fix. It would be nice if you guys would create a new version of this module.