hashicorp / go-changelog

Changelog generation based on files in a directory.
Mozilla Public License 2.0

Update github.com/elazarl/goproxy for security vulnerability #34

Open lantoli opened 3 months ago

lantoli commented 3 months ago

Hi, we're using this Go package in MongoDB from: https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/tools/check-changelog-entry-file/main.go

We've detected a vulnerability in a dependency. Would it be possible for you to update it?

Also, can you please consider doing GitHub releases for this package?

More info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247

Dependency chain from our script:

go mod why github.com/elazarl/goproxy

# github.com/elazarl/goproxy
github.com/mongodb/terraform-provider-mongodbatlas/tools/check-changelog-entry-file
github.com/hashicorp/go-changelog
github.com/go-git/go-git/v5
github.com/go-git/go-git/v5/plumbing/transport/client
github.com/go-git/go-git/v5/plumbing/transport/http
github.com/go-git/go-git/v5/plumbing/transport/http.test
github.com/elazarl/goproxy

Thanks a lot

hanshasselberg commented 1 month ago

Hello @lantoli,

Thanks for reporting. It is not clear to me how to fix this; I don't know which version of goproxy contains a fix for this.

lantoli commented 4 weeks ago

Thanks @hanshasselberg, the issue was fixed in https://github.com/elazarl/goproxy/pull/507 but it looks like they don't do releases, so you can take the latest commit in master as the version to use.

Also, in the Snyk link above:

A fix was pushed into the master branch but not yet published.
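As an added example (not code from this issue or from go-changelog), the Go snippet below reproduces the `go mod why`-style chain lookup over constructed `go mod graph` output and checks whether a resolved pseudo-version is at or after the timestamp of a fix commit, which is the check needed when the fix exists only on master with no release; `sampleGraph`, `chainTo`, `pseudoFixedSince` and all version strings are assumptions.

```go
package main

import (
	"regexp"
	"strings"
	"time"
)

// Constructed `go mod graph` output with placeholder versions (not taken from the issue).
const sampleGraph = `github.com/example/root github.com/hashicorp/go-changelog@v0.0.0-20210101000000-aaaaaaaaaaaa
github.com/hashicorp/go-changelog@v0.0.0-20210101000000-aaaaaaaaaaaa github.com/go-git/go-git/v5@v5.4.2
github.com/go-git/go-git/v5@v5.4.2 github.com/elazarl/goproxy@v0.0.0-20220101000000-bbbbbbbbbbbb`
// Matches the commit timestamp in a Go pseudo-version (vX.Y.Z-yyyymmddhhmmss-hash, also the -0./-pre.0. forms).
var pseudoRe = regexp.MustCompile(`[-.](\d{14})-[0-9a-f]{12}$`)

// chainTo walks the graph breadth-first from the main module (first token) to target, like `go mod why`; nil if absent.
func chainTo(graph, target string) []string {
	root, edges := strings.SplitN(strings.TrimSpace(graph), " ", 2)[0], map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	queue, seen := [][]string{{root}}, map[string]bool{root: true}
	for len(queue) > 0 {
		path := queue[0]
		queue = queue[1:]
		node := path[len(path)-1]
		if p, _, _ := strings.Cut(node, "@"); p == target {
			return path
		}
		for _, next := range edges[node] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next))
			}
		}
	}
	return nil
}

// pseudoFixedSince: is v (the MVS-selected version from `go list -m -f '{{.Version}}' <module>`) a pseudo-version at or after fixTime?
func pseudoFixedSince(v string, fixTime time.Time) bool {
	if m := pseudoRe.FindStringSubmatch(v); m != nil { // nil for a tagged release such as v5.4.2
		t, err := time.Parse("20060102150405", m[1])
		return err == nil && !t.Before(fixTime)
	}
	return false
}
```

Feed it real input by running `go mod graph` and `go list -m -f '{{.Version}}' github.com/elazarl/goproxy` in the consuming module, using the merge date of the upstream fix PR as the cutoff.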