fergusstrange / embedded-postgres

Run a real Postgres database locally on Linux, OSX or Windows as part of another Go application or test
MIT License

CVE-2020-16845 still occurs on dependent products #47

Closed mishas closed 2 years ago

mishas commented 2 years ago

Hello @naveensrinivasan and @fergusstrange ,

I just updated embedded-postgres to v1.11.0, and I still get the github.com/ulikunitz/xz@v0.5.6 dependency in my go.sum (after go mod tidy).

I think the reason for this is that in #42, you've used a replace directive, which only does something locally, instead of a require (// indirect) directive that would affect projects depending on yours. From https://golang.org/ref/mod#go-mod-file-replace:

replace directives only apply in the main module’s go.mod file and are ignored in other modules. See Minimal version selection for details.

I think the following fix will do the trick:

- replace github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8
+ require github.com/ulikunitz/xz v0.5.10 // indirect
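Review bot: the switch from `replace` to a `require ... // indirect` line is the right mechanism for the stated goal, since minimal version selection reads `require` directives from every module in the build graph but honours `replace` only in the main module's go.mod, so the v0.5.8 replace never raised the version selected in downstream builds. One caveat worth adding to the PR description: consumers only pick this up after bumping embedded-postgres and running `go mod tidy`, and even then an older xz version may keep a `/go.mod` hash line in their go.sum because it remains in the module graph; the check that matters is which version `go list -m github.com/ulikunitz/xz` reports as selected, not whether v0.5.6 still appears in go.sum.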

(Please also note that there's no reason to use v0.5.8 when v0.5.10 is available.)
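To make the point about replace versus require concrete, here is an added Go example (not code from embedded-postgres or from anyone in this thread) that simulates minimal version selection over a constructed module graph and shows that only a require line in embedded-postgres raises the xz version a downstream app ends up with. The app and extractor module names, the graph shape and the versions on the edges are assumptions; the xz versions match the ones discussed above.

```go
package main

import (
	"strconv"
	"strings"
)

// Module is one module version; Graph maps it to its go.mod requirements (no replace entries: Go ignores those outside the main module).
type Module struct{ Path, Version string }
type Graph map[Module][]Module

// newer reports whether semantic version a sorts after b (vMAJOR.MINOR.PATCH only).
func newer(a, b string) bool {
	pa, pb := strings.Split(a[1:], "."), strings.Split(b[1:], ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x > y
		}
	}
	return false
}

// BuildList is minimal version selection: keep the highest version of each path reachable from main (graph assumed acyclic).
func BuildList(g Graph, main Module) map[string]string {
	selected := map[string]string{main.Path: main.Version}
	for queue := []Module{main}; len(queue) > 0; queue = queue[1:] {
		for _, dep := range g[queue[0]] {
			if cur, ok := selected[dep.Path]; !ok || newer(dep.Version, cur) {
				selected[dep.Path] = dep.Version
			}
			queue = append(queue, dep)
		}
	}
	return selected
}

// SelectedXZ uses a constructed graph: app requires embedded-postgres, which reaches xz v0.5.6 through a hypothetical
// extractor module; with fixRequire, embedded-postgres also carries the proposed "require ... v0.5.10 // indirect" line.
func SelectedXZ(fixRequire bool) string {
	xz := Module{"github.com/ulikunitz/xz", "v0.5.6"}
	app, ep := Module{"example.com/app", "v0.0.0"}, Module{"github.com/fergusstrange/embedded-postgres", "v1.11.0"}
	ex := Module{"example.com/extractor", "v1.0.0"} // hypothetical stand-in dependency, not a real one
	g := Graph{app: {ep}, ep: {ex}, ex: {xz}}
	if fixRequire {
		g[ep] = append(g[ep], Module{xz.Path, "v0.5.10"})
	}
	return BuildList(g, app)[xz.Path]
}
```

SelectedXZ(false) yields v0.5.6 and SelectedXZ(true) yields v0.5.10, which is why the earlier replace-only change left downstream go.sum files unchanged.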

fergusstrange commented 2 years ago

Ah good spot, this one slipped me by. I'll take a look at getting that PR in over this weekend.

fergusstrange commented 2 years ago

Hey @mishas this is now merged in and appears to be working well on a number of my own projects. I have released at v1.11.0 if you wanted to give it a try!

Thanks for all the feedback and patience, this was probably the longest running PR we've had!

mishas commented 2 years ago

Thank you very much! Appreciate it!