go-mysql-org / go-mysql

a powerful mysql toolset with Go
MIT License

Bump github.com/stretchr/testify from 1.7.1 to 1.8.0 #720

Closed mrb113 closed 2 years ago

mrb113 commented 2 years ago

1.7.1 has a vulnerable dependency yaml.v3 that's fixed in 1.8.0. Anyone using go-mysql who's running security tooling is getting warnings about the following: Security bug: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714

To resolve, you should be able to do:

go get github.com/stretchr/testify
go mod tidy

I don't see any breaking changes between the 1.7.1 and 1.8.0 versions

lance6716 commented 2 years ago

Hi, do you have time to submit a PR 😄

mrb113 commented 2 years ago

I don't have a development environment set up for this project - filing an issue because we use it as a dependency.

mrb113 commented 2 years ago

thanks for addressing this! looking forward to the release w/ the fix

lance6716 commented 2 years ago

> thanks for addressing this! looking forward to the release w/ the fix

PTAL @atercattus

atercattus commented 2 years ago

Hello.

As I see we still use the wrong yaml.v3 version:

$ go mod graph | grep yaml.v3@v3.0.0
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c

$ go mod graph | grep github.com/stretchr/testify@v1.7.1
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1

And objx uses the wrong yaml.v3 in its latest version.

And the latest testify uses the wrong objx.

And as I see you know about this https://github.com/stretchr/objx/pull/121 :)

We need to update objx too to fix this vulnerability...
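The dependency chain that the `go mod graph` output above exposes, as an added example that is not part of this thread or of the go-mysql project: a small Go program that parses `go mod graph` lines and walks from the root module to the first requirement whose `module@version` starts with a given prefix, so a maintainer can see which edge drags in the flagged yaml.v3 pre-release even after the direct testify requirement was bumped. The root module name and the testify@v1.8.0 edges in the embedded sample are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format, based on the lines quoted in this thread (root module name and the testify@v1.8.0 edges are assumed).
const sampleGraph = `github.com/go-mysql-org/go-mysql github.com/stretchr/testify@v1.8.0
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0
github.com/stretchr/testify@v1.8.0 gopkg.in/yaml.v3@v3.0.1
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c`

// parseGraph turns "parent child" lines into an adjacency map keyed by parent.
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// findPath breadth-first searches from root and returns the shortest requirement chain to a node starting with target (e.g. "gopkg.in/yaml.v3@v3.0.0-" matches any v3.0.0 pre-release); nil if none.
func findPath(edges map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		node := queue[0]
		if strings.HasPrefix(node, target) {
			var chain []string
			for n := node; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, child := range edges[node] {
			if _, ok := parent[child]; !ok {
				parent[child] = node
				queue = append(queue, child)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(findPath(parseGraph(sampleGraph), "github.com/go-mysql-org/go-mysql", "gopkg.in/yaml.v3@v3.0.0-"), "\n  -> "))
}
```

On a real module, replace `sampleGraph` with the output of `go mod graph`; note that the graph lists the requirements of every module version in the build list, not only the selected ones, which is why scanners still flag the old yaml.v3 reached through objx.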