
The current version has a security vulnerability #3155

Closed
MCWertGaming opened this issue May 25, 2022 · 13 comments

Comments

@MCWertGaming

Description

Hi! I just got a security warning from GitHub because a dependency used by this project is marked as vulnerable. It can be found here: GHSA-hp87-p4gw-j4gq. The package is gopkg.in/yaml.v3, which is resolved in the current master, but the latest release (1.7.7) is over a year old and does not contain this fix.

It would be nice if you guys would create a new version of this module.

@sampalm

sampalm commented May 26, 2022

Hi, I'm also looking for a solution to this problem. For now, what should we do?

@MCWertGaming
Author

I have researched, but not really found a way to just use the master branch in Go. It would be cool if the maintainers of this project would just do minor or patch releases every week. This is really concerning.

@MCWertGaming
Author

MCWertGaming commented May 26, 2022

Hey @thinkerou since you are a maintainer of gin-gonic, can you please comment on this?

@thinkerou
Member

@MCWertGaming please see #3160.
When we use go-yaml v3, the unit test fails:

=== RUN   TestRenderYAML
    render_test.go:240:
        	Error Trace:	render_test.go:240
        	Error:      	Not equal:
        	            	expected: "\"\\na : Easy!\\nb:\\n\\tc: 2\\n\\td: [3, 4]\\n\\t\"\n"
        	            	actual  : "|4-\n    a : Easy!\n    b:\n    \tc: 2\n    \td: [3, 4]\n    \t\n"

        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,2 +1,7 @@
        	            	-"\na : Easy!\nb:\n\tc: 2\n\td: [3, 4]\n\t"
        	            	+|4-
        	            	+    a : Easy!
        	            	+    b:
        	            	+    	c: 2
        	            	+    	d: [3, 4]
        	            	+

        	Test:       	TestRenderYAML

@MCWertGaming
Author

@thinkerou thank you very much for looking into this. I have just seen that the master is using go-yaml.v2 but has it as a dependency. Any idea if the unit test broke because of a problem in v3 of the module? Or is it possible that the usage changed?

If no one is already looking into a fix, I could check on that.

@thinkerou
Member

GHSA-hp87-p4gw-j4gq
I have fixed it, please check!
Please commit a PR, thanks!

@hakandilek

@thinkerou on which PR did you fix this? Can you please link?

I think the fix is not in v1.8.0. I still see both yaml.v2 v2.4.0 and yaml.v3 v3.0.0.

@MCWertGaming
Author

True, the current master uses V2 https://github.com/gin-gonic/gin/blob/master/go.mod#L16.

@appleboy
Member

@hakandilek @MCWertGaming Please help to review the #3164 PR. I will bump v1.8.1 after merging.

@appleboy
Member

The yaml v2 version can't reproduce the issue. See the comment go-yaml/yaml#666 (comment).

@appleboy
Member

I will close the issue. Please feel free to reopen the issue if there are any further problems.

@MCWertGaming
Author

Hey @appleboy, shouldn't we upgrade to v3 nevertheless? I mean, when v3 is vulnerable, it's probably just a matter of time until v2 shows its first vulnerabilities as well. Also, I'm not sure if it makes sense to use two versions of the same dependency in parallel.
