Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix SNYK-GOLANG-GOPKGINYAMLV3-2841557 #70

Open
acsauk opened this issue Jul 11, 2022 · 1 comment
Open

Fix SNYK-GOLANG-GOPKGINYAMLV3-2841557 #70

acsauk opened this issue Jul 11, 2022 · 1 comment

Comments

@acsauk
Copy link

acsauk commented Jul 11, 2022

Hey all - I'm trying to solve https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557 which I'm getting via https://github.com/aws/aws-sdk-go. Usually, I'd put a PR in to bump the dependency in the tree but as it seems the link is testify which has been submodule here due to lock testify at 1.5.1 maintaining compatibility with Go <1.12 I'm not 100% on the next steps.

Does anyone with a better understanding of this package have any pointers on how to mitigate this vulnerability?
@raymondchen625
Copy link

+1 to fixing this issue (CVE-2022-28948) related to package gopkg.in/yaml.v2.
One possible solution is to use gopkg.in/yaml.v3 v3.0.1 instead in the internal package internal/testify, release a new release like this. Then bump the version in the main go.mod.

@springcomp springcomp mentioned this issue Feb 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Removed unneeded dependency over YAML v3 jmespath-community/go-jmespath
2 participants
@raymondchen625 @acsauk