Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yaml.v2 version bump to fix CVE-2019-11254 #936

Merged
merged 1 commit into from May 18, 2021
Merged

yaml.v2 version bump to fix CVE-2019-11254 #936

merged 1 commit into from May 18, 2021

Conversation

jimmystewpot
Copy link
Contributor

Hello,

The included version of gopkg.in/yaml.v2 (v2.2.2) has a reported vulnerability of CVE-2019-11254. To resolve the vulnerability the version has been upgraded to v2.2.8.

The testify libraries have also been bumped from 1.4.0 to 1.7.0 to avoid the same vulnerability.

As per the contributors document the make test and make lint targets have both successfully completed on Go version 1.13. The tests will fail on Go 1.16 due to the following bug bug.

@codecov
Copy link

codecov bot commented Apr 16, 2021
edited

Codecov Report

Merging #936 (65cac8f) into master (c23abee) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #936   +/-   ##
=======================================
  Coverage   98.27%   98.27%           
=======================================
  Files          44       44           
  Lines        1974     1974           
=======================================
  Hits         1940     1940           
  Misses         27       27           
  Partials        7        7

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c23abee...65cac8f. Read the comment docs.

@jimmystewpot
Copy link
Contributor Author

Is there something missing from this PR which is blocking a review?

abhinav
abhinav approved these changes May 18, 2021
View reviewed changes
Copy link
Collaborator

@abhinav abhinav left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the delay. This looks fine. Thanks!

@abhinav abhinav merged commit 8b883c6 into uber-go:master May 18, 2021
abhinav pushed a commit that referenced this pull request May 25, 2021
@jimmystewpot @abhinav
Update dependencies to fix vulnerabilities in (#936)
34ea13c 
- gopkg.in/yaml.v2 v2.2.2 -> v.2.2.8 CVE-2019-11254
@jimmystewpot jimmystewpot mentioned this pull request Aug 13, 2021
Merged
@alex1989hu alex1989hu mentioned this pull request Feb 14, 2022
Merged
@github-actions github-actions bot mentioned this pull request Apr 10, 2022
Closed
@github-actions github-actions bot mentioned this pull request Apr 17, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abhinav abhinav abhinav approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jimmystewpot @abhinav