From 5b79714b8e6833f83375b5c7f1f098171166d9b4 Mon Sep 17 00:00:00 2001
From: NuVivo314
Date: Wed, 3 Jan 2024 10:40:10 +0100
Subject: [PATCH] Update transitive markdown parser dependency (#12)

Using https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to validate [the CVE] it notes that:

```
Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities...

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call stacks leading to the use of this vulnerability. You may not need to take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2023-2074
Parser out-of-bounds read vulnerability caused by a malformed markdown input
More info: https://pkg.go.dev/vuln/GO-2023-2074
Module: github.com/gomarkdown/markdown
Found in: github.com/gomarkdown/markdown@v0.0.0-20230716120725-531d2d74bc12
Fixed in: github.com/gomarkdown/markdown@v0.0.0-20230922105210-14b16010c2ee

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.
```

This means that for most users of this package, they are unaffected, but to make sure that we keep this package CVE free, we can update the transitive dependency.

We cannot update Iris, which pulls in this dependency, due to it now requiring Go 1.21, and we do not want to require Go 1.21 for consumers.

Co-authored-by: Paul Imbert <9633306-pimbert@users.noreply.gitlab.com>
Co-authored-by: Jamie Tanna

[the CVE]: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNPARSER-5916451
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 262fb79..0605d97 100644
--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
 github.com/go-playground/validator/v10 v10.14.1 // indirect
 github.com/goccy/go-json v0.10.2 // indirect
 github.com/golang/snappy v0.0.4 // indirect
- github.com/gomarkdown/markdown v0.0.0-20230716120725-531d2d74bc12 // indirect
+ github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 // indirect
 github.com/gorilla/css v1.0.0 // indirect
 github.com/iris-contrib/schema v0.0.6 // indirect
 github.com/josharian/intern v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 36b2826..bea0b26 100644
--- a/go.sum
+++ b/go.sum
@@ -56,8 +56,8 @@ github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MG
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomarkdown/markdown v0.0.0-20230716120725-531d2d74bc12 h1:uK3X/2mt4tbSGoHvbLBHUny7CKiuwUip3MArtukol4E=
-github.com/gomarkdown/markdown v0.0.0-20230716120725-531d2d74bc12/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
+github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 h1:EcQR3gusLHN46TAD+G+EbaaqJArt5vHhNpXAa12PQf4=
+github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=