go-openapi / strfmt

openapi toolkit common string formats
Apache License 2.0

Snyk vulnerability due to mongo-driver -> packr dependency #90

Closed padamstx closed 3 years ago

padamstx commented 3 years ago

Users of go-openapi/strfmt have started to see security vulnerabilities related to the github.com/gobuffalo/packr/v2 module. go-openapi/strfmt defines go.mongodb.org/mongo-driver as a dependency, which in turn defines github.com/gobuffalo/packr/v2 as a dependency. Link to Snyk: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOBUFFALOPACKRV2-1920670

Opening this issue since a new version of mongo-driver will require at least a small change to strfmt to use the new version.

Is there anything that can be done within the strfmt module itself to alleviate this?

padamstx commented 3 years ago

FYI... I've opened this JIRA with the mongo-driver project: https://jira.mongodb.org/browse/GODRIVER-2233

padamstx commented 3 years ago

Update: the mongo-go-driver team plans to deliver a new release (1.8.0) of their package next week which should remove entirely their dependency on the "packr/v2" module. At that time, I can submit a PR that bumps the mongo-go-driver dependency to that new version and that should address the vulnerability.

padamstx commented 3 years ago

The mongo-driver team delivered a change in version 1.7.5 that completely removes the packr/v2 dependency (plus others). I've opened this PR to modify the strfmt project to use this new mongo-driver version: https://github.com/go-openapi/strfmt/pull/93