Closed radeksimko closed 2 years ago
This also fixes the following security issue:
✗ Medium severity vulnerability found in github.com/Masterminds/goutils
Description: Insecure Randomness
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSGOUTILS-1296313
Introduced through: github.com/mitchellh/cli@1.1.2
From: github.com/mitchellh/cli@1.1.2 > github.com/Masterminds/sprig@2.22.0 > github.com/Masterminds/goutils@1.1.0
Fixed in: 1.1.1
Is @mitchellh the only one that can approve your PR? I am getting the feeling I cannot rely on this project anymore since your PR was opened months ago. :/
Anyway, thanks for the PR and I hope it gets merged soon.
As can be seen from the go.mod diff, this bumps sprig to latest v3, which is go.mod-enabled. This reduces the noise in go.mod which no longer has to track transitive dependencies.
Despite the major version bump, according to the changelog v2 -> v3 changes seem fairly minimal and don't affect Go API at all. It is worth calling out this update in cli's changelog though as behaviour changes may affect downstream consumers.