Closed dependabot[bot] closed 1 year ago
We do vuln checking in https://github.com/aws/karpenter-core, and have identified gomega as blocking. Can we get this released ASAP?
```
govulncheck ./pkg/...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Using go1.20.1 and govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 17 Feb 23 00:31 UTC).
Scanning your code and 894 packages across 88 dependent modules for known vulnerabilities...
Your code is affected by 1 vulnerability from 1 module.

Vulnerability #1: GO-2023-1571
  A maliciously crafted HTTP/2 stream could cause excessive CPU
  consumption in the HPACK decoder, sufficient to cause a denial
  of service from a small number of small requests.
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.6.0
    Fixed in: golang.org/x/net@v0.7.0
```
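The report above is, at module level, a version-range comparison: the resolved version of golang.org/x/net (v0.6.0) falls before the advisory's fixed-in version (v0.7.0). As an added example, not code from this thread or from Gomega or Karpenter, the Go program below applies that same range check to `go list -m all` output, which is the question a go.mod bump answers. The advisory ID, module and fixed version are taken from the report above; the `Advisory` type, the sample module list and the function names are assumptions of the example. One caveat: govulncheck goes further than this and reports only vulnerabilities whose affected symbols are reachable from your code, so a module-level check like this one will flag dependencies that govulncheck would stay silent on.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a hand-rolled stand-in for the version-range data a
// vulnerability report carries. The struct shape is an assumption of this
// example, not the vuln.go.dev schema; the values below come from the
// GO-2023-1571 report quoted in the thread.
type Advisory struct {
	ID         string
	Module     string
	Introduced string // "" means every version before Fixed is affected
	Fixed      string // first version that contains the fix
}

// Advisories holds the single entry govulncheck reported above.
var Advisories = []Advisory{
	{ID: "GO-2023-1571", Module: "golang.org/x/net", Fixed: "v0.7.0"},
}

// goListSample is constructed for this example to mimic the shape of
// `go list -m all` output; it is not real Karpenter or Gomega output.
const goListSample = `github.com/example/app
github.com/onsi/gomega v1.27.0
golang.org/x/net v0.6.0
golang.org/x/text v0.7.0
`

// parseSemver turns "v0.6.0" into its numeric components. Anything after a
// "-" or "+" (pre-release tag, pseudo-version timestamp, build metadata) is
// dropped, so "v0.0.0-20230101000000-abcdef123456" compares as v0.0.0. Real
// semver orders pre-releases below the release; that nuance is skipped here.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vX.Y.Z version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// lessThan reports whether a sorts before b in numeric X.Y.Z order.
func lessThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// AffectedModules parses `go list -m all` output (one "path version" per
// line; the main module line has no version and is skipped; any "=>"
// replacement after the version is ignored) and returns one finding for each
// advisory whose [Introduced, Fixed) range contains its module's version.
func AffectedModules(goListOutput string, advisories []Advisory) ([]string, error) {
	resolved := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(goListOutput), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		resolved[fields[0]] = fields[1]
	}
	var hits []string
	for _, adv := range advisories {
		ver, ok := resolved[adv.Module]
		if !ok {
			continue // module not in the build graph at all
		}
		have, err := parseSemver(ver)
		if err != nil {
			return nil, err
		}
		fixed, err := parseSemver(adv.Fixed)
		if err != nil {
			return nil, err
		}
		if !lessThan(have, fixed) {
			continue // already at or past the fix
		}
		if adv.Introduced != "" {
			intro, err := parseSemver(adv.Introduced)
			if err != nil {
				return nil, err
			}
			if lessThan(have, intro) {
				continue // predates the vulnerable code
			}
		}
		hits = append(hits, fmt.Sprintf("%s: %s@%s (fixed in %s)", adv.ID, adv.Module, ver, adv.Fixed))
	}
	return hits, nil
}

func main() {
	hits, err := AffectedModules(goListSample, Advisories)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println(h)
	}
}
```

Feed it `go list -m all > modules.txt` from the module you care about and swap `goListSample` for that file's contents; once golang.org/x/net is bumped to v0.7.0 the finding disappears, which is exactly the state this PR produces.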
I just shipped v1.27.1 with this dependency bumped.
There isn't a strong SLA around security patching Ginkgo and Gomega (both of which are OSS without any major backing). I'm happy to help when possible, of course - but I'd offer that if this software has become an important component of your organization's toolchain that a corporate sponsorship could be appropriate 😉
Thanks for the fix! Above my paygrade, but will forward this message 😅.
> Above my paygrade, but will forward this message
lol, indeed. i totally get it - but a forward would be appreciated 😀
Bumps golang.org/x/net from 0.6.0 to 0.7.0.
Commits
- 8e2b117 http2/hpack: avoid quadratic complexity in hpack decoding
- 547e7ed http2: avoid referencing ResponseWrite.Write parameter after returning
- 39940ad html: parse comments per HTML spec

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)