gorilla / websocket

Package gorilla/websocket is a fast, well-tested and widely used WebSocket implementation for Go.
https://gorilla.github.io
BSD 2-Clause "Simplified" License

[BUG] v1.5.2 checksum mismatch #927

Closed ghost closed 2 months ago

ghost commented 2 months ago

Is there an existing issue for this?

Current Behavior

The module checksum for v1.5.2 in this repository does not match the checksum recorded in Go's checksum database.

Expected Behavior

No checksum mismatch.

Steps To Reproduce

Run the following commands to observe the security error:

mkdir fail
cd fail
go mod init fail.com
go clean --modcache
GOPROXY=direct go get github.com/gorilla/websocket@v1.5.2

Anything else?

https://go.dev/ref/mod#authenticating
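Why a version whose content changes after it was first recorded trips this check, as an added example that is not part of the original issue or the gorilla/websocket code: a go.sum `h1:` hash is a SHA-256 over a sorted manifest of per-file hashes (the Hash1 scheme in golang.org/x/mod/sumdb/dirhash), so different content behind the same version string yields a different hash. The module path, version and file contents below are constructed.

```go
// Added example: recomputes a Go module "h1:" hash the way go.sum entries are derived.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// moduleHash returns the "h1:" hash of a module file tree, following the
// Hash1 scheme from golang.org/x/mod/sumdb/dirhash: a SHA-256 over a sorted
// manifest of "<sha256 of file>  <module>@<version>/<path>\n" lines.
func moduleHash(modVer string, files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, modVer+"/"+name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, full := range names {
		body := files[full[len(modVer)+1:]] // strip the "<module>@<version>/" prefix
		sum := sha256.Sum256([]byte(body))
		fmt.Fprintf(manifest, "%x  %s\n", sum, full)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify mimics the go command's comparison: the hash of what was downloaded
// must equal the hash already recorded for that module version.
func verify(recorded, modVer string, files map[string]string) error {
	if got := moduleHash(modVer, files); got != recorded {
		return fmt.Errorf("verifying %s: checksum mismatch (downloaded %s, recorded %s)", modVer, got, recorded)
	}
	return nil
}

// Constructed trees: the same version string pointing at two different contents.
const modVer = "example.com/demo@v1.0.0" // hypothetical module, not the real one
var firstTag = map[string]string{"go.mod": "module example.com/demo\n", "conn.go": "package demo\n"}
var movedTag = map[string]string{"go.mod": "module example.com/demo\n", "conn.go": "package demo\n\nvar X = 1\n"}

func main() {
	recorded := moduleHash(modVer, firstTag) // what the checksum database saw first
	fmt.Println("first fetch:", verify(recorded, modVer, firstTag))
	fmt.Println("after retag:", verify(recorded, modVer, movedTag))
}
```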

FZambia commented 2 months ago

I can't believe I observe this happening with the project I love...

Dear maintainers, never remove tags. It's the second time you do this.

jaitaiwan commented 2 months ago

Thanks for bringing this to my attention, I’ll discuss with the other maintainers.

AlexVulaj commented 2 months ago

Thanks for pointing this out - coincidentally we just cut release https://github.com/gorilla/websocket/releases/tag/v1.5.3 which should be stable.

houseme commented 2 months ago

It is recommended to add time to the pre-release version and retain it. If you delete the version directly, it will cause the go get operation to fail.

FZambia commented 2 months ago

Consider retracting v1.5.2 - https://go.dev/ref/mod#go-mod-file-retract