Skip to content

upgrade objx to fix vulnerability #1280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

upgrade objx to fix vulnerability #1280

wants to merge 1 commit into from

Conversation

joaocbarbosa
Copy link

Summary

This PR is to upgrade the objx dependency from 0.4.0 to 0.5.0

Changes

Changed go.mod and go.sum files

Motivation

Since the objx package 0.5.0 was released with a vulnerability fix made by dependabot, we could use the newest version of it.
This also will fix a vulnerability found in objx 0.4.0, by using the yamlv3 3.0.0 indirectly throught testify 1.7.1.

current dependency tree

- objx v0.4.0
   - testify v1.7.1
      - yaml.v3 v3.0.0

Vulnerability details:
https://security.snyk.io/package/golang/github.com%2Fgo-yaml%2Fyaml
https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714

What was added between 0.4.0 and 0.5.0
stretchr/objx@v0.4.0...v0.5.0

Related issues

stretchr/objx#124

@paulolimarb
Copy link

@ernesto-jimenez
@matryer

Please consider accept this pull request.

Thank you very much

silviolleite
silviolleite approved these changes Oct 19, 2022
View reviewed changes
Copy link

@silviolleite silviolleite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very important 👍

@joaocbarbosa
Copy link
Author

upgraded by dependabot in PR #1283

@dolmen dolmen added the dependencies Pull requests that update a dependency file label Mar 19, 2024
@dolmen dolmen mentioned this pull request Mar 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
8 more reviewers

@nickel nickel nickel approved these changes

@alvadorn alvadorn alvadorn approved these changes

@silviolleite silviolleite silviolleite approved these changes

@paulolimarb paulolimarb paulolimarb approved these changes

@odilonjk odilonjk odilonjk approved these changes

@isaacgdo isaacgdo isaacgdo approved these changes

@marcosdcl marcosdcl marcosdcl approved these changes

@mamazinho mamazinho mamazinho approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@joaocbarbosa @paulolimarb @nickel @alvadorn @silviolleite @odilonjk @isaacgdo @marcosdcl @mamazinho @dolmen