There is a security vulnerability in gopkg.in/yaml.v2: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
I found that in the turbot/steampipe project this is happening because of the ghodss/yaml import. Looking through their issues, it seems they haven't responded to upgrading yet. In https://github.com/ghodss/yaml/issues/81, a user of this library that ran into the same issue created a fork with a fix: https://github.com/invopop/yaml
Can turbot/steampipe either switch to https://github.com/invopop/yaml or avoid using ghodss/yaml to resolve this security vulnerability?