Thanks for pointing this out! There was already a discussion about that in prometheus/common#58 - the circular dep is unlikely to change. I believe you should be able to pin yaml.v2 to the version you want in your go.mod file, is that right?
You can't pin it to a specific version because sum will always calculate the entire tree of hashes. The only way is for everyone that depends on this package to include a lot of exclude directives. The YAML package alone pulls like 8 flagged versions.
This repo pulls vulnerable dependencies. For example, yaml.v2 <2.4.0
I noticed this when a dependency of mine ended up pulling in v1.11.1, which depends on prometheus/common@v0.26.0, which depends on v1.7.1.
This circular dependency is causing a bunch of older dependencies to linger.
As far as I can tell, this is still happening right now on main.
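The thread turns on what go.sum records: every module version in the verified graph, not just the one selected for the build. As an added example, not code from this issue or from the Prometheus project, the Go program below scans a constructed go.sum excerpt (placeholder hashes) and reports each recorded version of gopkg.in/yaml.v2 older than v2.4.0, the module and fixed-in version named in the thread; the same function can be pointed at a real go.sum and any module/version pair.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.sum excerpt for illustration; the h1: values are placeholders, not real hashes.
const sampleGoSum = `github.com/prometheus/common v0.26.0/go.mod h1:PLACEHOLDER=
gopkg.in/yaml.v2 v2.2.8 h1:PLACEHOLDER=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:PLACEHOLDER=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:PLACEHOLDER=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:PLACEHOLDER=`

// versionKey maps "vMAJOR.MINOR.PATCH" (-pre/+incompatible suffix dropped) to a sortable int; ok is false unless there are three numeric parts.
func versionKey(v string) (key int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	v, _, _ = strings.Cut(v, "+")
	parts := strings.Split(v, ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n > 9999 {
			return 0, false
		}
		key = key*10000 + n
	}
	return key, len(parts) == 3
}

// FlaggedVersions lists, in file order, each version of module recorded in go.sum that is
// older than fixedIn. Only "/go.mod" lines are keyed on, so each version is reported once.
func FlaggedVersions(goSum, module, fixedIn string) (hits []string) {
	fixed, _ := versionKey(fixedIn) // a malformed fixedIn gives key 0, so nothing is flagged
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || f[0] != module || !strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		ver := strings.TrimSuffix(f[1], "/go.mod")
		if k, ok := versionKey(ver); ok && k < fixed {
			hits = append(hits, ver)
		}
	}
	return hits
}

func main() {
	fmt.Println(FlaggedVersions(sampleGoSum, "gopkg.in/yaml.v2", "v2.4.0")) // [v2.2.8 v2.3.0]
}
```

A hit means the version is still in the hash tree and would need an `exclude` (or an upstream bump) to disappear; it does not by itself say which version the build selects.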