Closed ghost closed 2 years ago
Those security warnings are false positives. They're not relevant to this project at all. Security scanners don't take into account how libraries are used, and they don't understand if there's actually a problem. And in this case, there isn't. Acmez doesn't use yaml at all, it's just a transient dependency. Zap uses testify in their unit tests, which happens to pull in yaml.v2.
Next time, please write to us in English, so we don't have to use Google Translate to see what you write.
(I don't mind pasting into Google Translate. It's not ideal, but it's also likely that Google Translate is not easily accessible to users in some regions.)
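Detected that mholt/acmez pulls in a total of 29 open-source components, with 2 vulnerabilities.
There are also 2 other vulnerabilities; detailed report: https://mofeisec.com/jr?p=n6cb08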