Open mcramer-billgo opened 3 weeks ago
I'm not sure where the config for the Windows AppVeyor runner is to make the version of Go set to 1.18. The updates here appear to require 1.18 as the minimum version. I've updated all the CI YAML files to use 1.18 as a minimum, but it is still erroring in the Windows runner.
One does not change the minimum Go version of a project just to fix a vulnerability in a remote dependency which is not even used in the project.
- gopkg.in/yaml.v3 v3.0.0 (fixed in v3.0.1)
- github.com/stretchr/testify/assert and github.com/stretchr/testify/require ONLY in its testsuite
- github.com/stretchr/testify/assert uses gopkg.in/yaml.v3 only for YAMLEq and YAMLEqf, which the logrus testsuite doesn't use
- github.com/stretchr/testify now has a build tag that allows one to stop linking with gopkg.in/yaml.v3. See stretchr/testify#1579 (not yet available in a published release, but the build tag can be enabled here right now for a future upgrade).

So this is not at all "2 high severity vulnerabilities". This PR is just FUD and completely useless.
Disclaimer: I'm a Testify co-maintainer.
Fixes sirupsen/logrus#1434
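One way to check the point made in the comment above, that a flagged module is linked only by the test suite, is to compare the output of `go list -deps ./...` with that of `go list -deps -test ./...`. This is an added example, not code from logrus, Testify or anyone in this thread; the two listings are constructed samples, and `Classify` and `packagesOf` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go list -deps ./...` output (non-test build closure).
const prodListing = `golang.org/x/sys/unix
github.com/sirupsen/logrus`

// Constructed sample of `go list -deps -test ./...` output (adds the test closure).
const testListing = `golang.org/x/sys/unix
github.com/sirupsen/logrus
gopkg.in/yaml.v3
github.com/stretchr/testify/assert
github.com/stretchr/testify/require
github.com/sirupsen/logrus [github.com/sirupsen/logrus.test]
github.com/sirupsen/logrus.test`

// packagesOf returns the packages in a listing that belong to module mod.
func packagesOf(listing, mod string) []string {
	var hits []string
	for _, line := range strings.Split(listing, "\n") {
		// Test variants print as "pkg [pkg.test]"; keep only the import path.
		pkg, _, _ := strings.Cut(strings.TrimSpace(line), " ")
		// Match on a path boundary so yaml.v3 never matches a longer name.
		if pkg == mod || strings.HasPrefix(pkg, mod+"/") {
			hits = append(hits, pkg)
		}
	}
	return hits
}

// Classify reports where mod is linked: "production", "test-only" or "absent".
func Classify(prod, test, mod string) string {
	switch {
	case len(packagesOf(prod, mod)) > 0:
		return "production"
	case len(packagesOf(test, mod)) > 0:
		return "test-only"
	}
	return "absent"
}

func main() {
	for _, m := range []string{"gopkg.in/yaml.v3", "golang.org/x/sys", "gopkg.in/yaml.v2"} {
		fmt.Printf("%-18s %s\n", m, Classify(prodListing, testListing, m))
	}
}
```

A "test-only" result means the module is compiled into test binaries but not into what consumers of the package build; whether the flagged functions are actually called from the tests is a separate question.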