go-kit / kit

A standard library for microservices.
https://gokit.io
MIT License

Update github.com/hashicorp/serf and github.com/hashicorp/consul/api to fix CVE-2019-19794 #1250

Closed francogeller closed 1 year ago

francogeller commented 1 year ago

This PR updates github.com/hashicorp/serf and github.com/hashicorp/consul/api in order to fully deprecate github.com/miekg/dns@v1.0.14 due to the CVE-2019-19794 security vulnerability. Issue #1249

peterbourgon commented 1 year ago

For the record, version bumps like this aren't necessary in intermediary Go projects like Go kit, because the version is determined by the downstream consumer. I'm happy to merge simple PRs like this one, but there is no security issue here, really.
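The point that the version is determined by the downstream consumer is Go's minimal version selection (MVS). The following is an added illustration, not code from this PR or from Go kit: a simplified MVS over a constructed module graph in which the consuming app requires Go kit and also requires a newer github.com/miekg/dns directly, while Go kit's go.mod still asks for v1.0.14. The kit v0.9.0 and dns v1.1.40 numbers are made up for the example, and replace/exclude directives are not modelled.

```go
package main
import (
	"strconv"
	"strings"
)
// Module is one module path at one version, e.g. github.com/miekg/dns@v1.0.14.
type Module struct{ Path, Version string }
// Graph maps a module version to the modules its go.mod requires (no replace/exclude).
type Graph map[Module][]Module
// compare orders "vMAJOR.MINOR.PATCH" strings; pre-release tags are not handled.
func compare(a, b string) int {
	pa, pb := strings.Split(a[1:], "."), strings.Split(b[1:], ".")
	for i := range pa {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x - y
		}
	}
	return 0
}
// BuildList applies minimal version selection: visit every module version
// reachable from root and keep, per path, the highest version anyone requires.
func BuildList(g Graph, root Module) map[string]string {
	selected := map[string]string{}
	queue, seen := []Module{root}, map[Module]bool{root: true}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		for _, dep := range g[m] {
			if cur, ok := selected[dep.Path]; !ok || compare(dep.Version, cur) > 0 {
				selected[dep.Path] = dep.Version
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}
// ExampleGraph is a constructed scenario (kit v0.9.0 and dns v1.1.40 are made-up numbers):
// the app requires go-kit and a newer miekg/dns directly; go-kit's go.mod still asks for v1.0.14.
func ExampleGraph() (Graph, Module) {
	app, kit := Module{"example.com/app", "v0.0.0"}, Module{"github.com/go-kit/kit", "v0.9.0"}
	return Graph{
		app: {kit, {"github.com/miekg/dns", "v1.1.40"}},
		kit: {{"github.com/miekg/dns", "v1.0.14"}},
	}, app
}
```

With the app's direct requirement present, v1.1.40 is selected no matter what Go kit's go.mod says; remove it and Go kit's v1.0.14 is selected, which is why a bump in Go kit only reaches consumers whose go.mod resolves to a kit release that carries it.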

francogeller commented 1 year ago

Hello, thank you very much for considering the PR. Particularly in our projects, the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns. Maybe this will help others to comply with their security policies, if they have them. But I agree with you that it is not a security vulnerability, instead we can take it as an improvement with integrations.

peterbourgon commented 1 year ago

the change would be convenient because the applications we have that search for code vulnerabilities mark kit as a vulnerable dependency because it has a transitive dependency with a vulnerable version of dns.

Any tool which does this is incorrect 🤷

ChrisHines commented 1 year ago

It's also worth noting that changes like this don't propagate to a wide audience until Go kit tags a new release. Someone would have to run go get github.com/go-kit/kit/...@master or something similar. The ...@latest version will continue to get the newest tagged release, as will a basic go get when adding Go kit to a go.mod for the first time.