Closed vmatyus closed 4 months ago
Reported the issue to github.com/stretchr/objx: https://github.com/stretchr/objx/issues/146
v1.8.4 does not have this vulnerability: https://github.com/stretchr/testify/blob/f97607b89807936ac4ff96748d766cf4b9711f78/go.mod#L9
It is not a problem if vulnerable modules appear in your graph. The vulnerable yaml module will not be built into any of your binaries using testify >= 1.8.4.
I could not really differentiate what is compiled into the binaries and what is not.
The go.mod and go.sum files contain packages that are needed for the production and test environments.
I would therefore like to ask you to integrate this solution: https://github.com/stretchr/objx/issues/146#event-11963534527, after it is published.
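The distinction the maintainer draws above, between a module that merely appears in the go.mod/go.sum graph and one that is actually linked into a binary, can be checked from the build record the Go linker embeds in every binary. The following is an added example, not code from testify, objx or this issue: it reads that record with the standard library (`runtime/debug` and `debug/buildinfo`), honours `replace` directives, and ships with a constructed sample record whose module versions are invented for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// SampleBuildInfo is constructed (not from a real binary): the old yaml.v3 is required but replaced by v3.0.1.
const SampleBuildInfo = "dep\tgithub.com/stretchr/testify\tv1.8.4\th1:constructed\n" +
	"dep\tgopkg.in/yaml.v3\tv3.0.0-20200313102051-9f266ea9e77c\th1:constructed\n" +
	"=>\tgopkg.in/yaml.v3\tv3.0.1\th1:constructed\n"

// LinkedModules maps module path -> version for every module the linker recorded; go.mod-only entries are absent.
func LinkedModules(bi *debug.BuildInfo) map[string]string {
	mods := make(map[string]string, len(bi.Deps))
	for _, dep := range bi.Deps {
		v := dep.Version
		if dep.Replace != nil { // replace directive: the replacement is what was linked
			v = dep.Replace.Version
		}
		mods[dep.Path] = v
	}
	return mods
}

// LinkedModulesFromText parses BuildInfo's tab-separated text form (what BuildInfo.String() emits).
func LinkedModulesFromText(text string) (map[string]string, error) {
	bi, err := debug.ParseBuildInfo(text)
	if err != nil {
		return nil, err
	}
	return LinkedModules(bi), nil
}

func main() {
	mods, err := LinkedModulesFromText(SampleBuildInfo) // constructed sample record
	if len(os.Args) == 2 { // or inspect a real Go binary: linked <path>
		var bi *debug.BuildInfo
		if bi, err = buildinfo.ReadFile(os.Args[1]); err == nil {
			mods = LinkedModules(bi)
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("gopkg.in/yaml.v3 linked at %q (empty means not linked)\n", mods["gopkg.in/yaml.v3"])
}
```

`go version -m <binary>` prints the same embedded record, so either is the check to run instead of reading go.sum.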
GitHub Advisor reported a vulnerable package:
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
Here is the CVE report. One of my applications uses the testify package as a dependency; in the current setup my application is vulnerable, which is why I am asking you to correct this vulnerability. I checked the dependency usage in the following way:
From the above dependency tree it can be seen that the vulnerable package is pulled in through github.com/stretchr/objx@v0.5.0. I would like to ask you to correct this package vulnerability.