Closed farens closed 3 years ago
First, let me say thank you for this lovely library: Thank you! :)
I found a potential CVE in an indirect dependency of lecho: https://ossindex.sonatype.org/vulnerability/c16fb56d-9de6-4065-9fca-d2b4cfb13020?component-type=golang&component-name=github.com%2Fdgrijalva%2Fjwt-go&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.22
You can test it yourself to validate this PR by executing:
go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth
The update of echo v4.4.0 to v4.5.0 fixes this CVE.
The update of zerolog from v1.23.0 to v1.24.0 is a chore only. It's not about the mentioned CVE at all.
Good catch! Thank you!
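As an added illustration, not code from this PR or from the lecho project: the `go list -json -m all` side of the command above writes one JSON object per module in the build list, and that stream is what `nancy sleuth` reads on stdin. The small Go program below parses that stream, looks a module up by path, and lists the entries that are only pulled in transitively (the `Indirect` flag), which is exactly the situation with github.com/dgrijalva/jwt-go here: it is not in lecho's own go.mod, it arrives via echo. The module list in the program is constructed; the echo and zerolog versions are the pre-update ones named in the PR, and the jwt-go version string is a placeholder, not a value from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of the objects that `go list -json -m all` emits which
// matter for a dependency audit; the real output carries more fields, which the
// decoder simply ignores.
type Module struct {
	Path     string `json:"Path"`
	Version  string `json:"Version"`
	Main     bool   `json:"Main"`
	Indirect bool   `json:"Indirect"`
}

// ParseModuleList decodes the stream of concatenated JSON objects (one per
// module, not a JSON array) that `go list -json -m all` writes to stdout.
func ParseModuleList(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			return mods, nil
		}
		if err != nil {
			return nil, fmt.Errorf("decoding module list: %w", err)
		}
		mods = append(mods, m)
	}
}

// FindModule returns the entry for the given module path, if it is in the build list.
func FindModule(mods []Module, path string) (Module, bool) {
	for _, m := range mods {
		if m.Path == path {
			return m, true
		}
	}
	return Module{}, false
}

// IndirectPaths returns the paths of every module that is only pulled in
// transitively; these are the entries a scanner can flag even though they
// never appear as direct requirements in the project's own go.mod.
func IndirectPaths(mods []Module) []string {
	var out []string
	for _, m := range mods {
		if m.Indirect {
			out = append(out, m.Path)
		}
	}
	return out
}

// SampleModuleList is a constructed stand-in for real `go list -json -m all`
// output. The echo and zerolog versions are the pre-update ones the PR names;
// the jwt-go version string is a placeholder, not a value from the page.
const SampleModuleList = `{
	"Path": "example.com/app",
	"Main": true
}
{
	"Path": "github.com/labstack/echo/v4",
	"Version": "v4.4.0"
}
{
	"Path": "github.com/dgrijalva/jwt-go",
	"Version": "vX.Y.Z-placeholder",
	"Indirect": true
}
{
	"Path": "github.com/rs/zerolog",
	"Version": "v1.23.0"
}
`

func main() {
	mods, err := ParseModuleList(strings.NewReader(SampleModuleList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range mods {
		fmt.Printf("%-40s %-22s indirect=%v\n", m.Path, m.Version, m.Indirect)
	}
	fmt.Println("indirect dependencies:", IndirectPaths(mods))
}
```

To run it against a real project, replace `strings.NewReader(SampleModuleList)` with `os.Stdin` and pipe `go list -json -m all` into the binary, the same way the PR pipes it into the nancy container. Because `go list -m all` does not record which direct dependency brings a transitive module in, the next step after spotting an indirect entry is `go mod why -m <path>`, which is how one confirms that bumping echo is the fix rather than editing go.mod by hand.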