Closed francogeller closed 1 year ago
For the record, version bumps like this aren't necessary in intermediary Go projects like Go kit, because the version is determined by the downstream consumer. I'm happy to merge simple PRs like this one, but there is no security issue here, really.
Hello, thank you very much for considering the PR. Particularly in our projects, the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns. Maybe this will help others to comply with their security policies, if they have them. But I agree with you that it is not a security vulnerability, instead we can take it as an improvement with integrations.
the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns.
Any tool which does this is incorrect 🤷
It's also worth noting that changes like this don't propagate to a wide audience until Go kit tags a new release. Someone would have to run go get github.com/go-kit/kit/...@master
or something similar. The ...@latest
version will continue to get the newest tagged release, as will a basic go get
when adding Go kit to a go.mod for the first time.
This PR update github.com/hashicorp/serf and github.com/hashicorp/consul/api in order to fully deprecate github.com/miekg/dns@v1.0.14 due to CVE-2019-19794 security vuln. Issue #1249