gommon v0.3.0 uses github.com/stretchr/testify@v1.4.0, which in turn uses gopkg.in/yaml.v2@v2.2.2, which suffers from a severe CVE long fixed, since there is at least a v2.2.8 and even v2.4.0.
By simply upgrading the yaml dependency, this would avoid having the CVE reported by security scanning tools (like Sonatype).