Skip to content

upgrade objx to fix vulnerability#1280

Closed
joaocbarbosa wants to merge 1 commit intostretchr:masterfrom
joaocbarbosa:master
Closed

upgrade objx to fix vulnerability#1280
joaocbarbosa wants to merge 1 commit intostretchr:masterfrom
joaocbarbosa:master

Conversation

@joaocbarbosa
Copy link
Copy Markdown

@joaocbarbosa joaocbarbosa commented Oct 15, 2022

Summary

This PR is to upgrade the objx dependency from 0.4.0 to 0.5.0

Changes

Changed go.mod and go.sum files

Motivation

Since the objx package 0.5.0 was released with a vulnerability fix made by dependabot, we could use the newest version of it.
This also will fix a vulnerability found in objx 0.4.0, by using the yamlv3 3.0.0 indirectly throught testify 1.7.1.

current dependency tree

- objx v0.4.0
   - testify v1.7.1
      - yaml.v3 v3.0.0

Vulnerability details:
https://security.snyk.io/package/golang/github.com%2Fgo-yaml%2Fyaml
https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714

What was added between 0.4.0 and 0.5.0
stretchr/objx@v0.4.0...v0.5.0

Related issues

stretchr/objx#124

@paulolimarb
Copy link
Copy Markdown

paulolimarb commented Oct 15, 2022

@ernesto-jimenez
@matryer

Please consider accept this pull request.

Thank you very much

silviolleite
silviolleite approved these changes Oct 19, 2022
View reviewed changes
Copy link
Copy Markdown

@silviolleite silviolleite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very important 👍

@joaocbarbosa
Copy link
Copy Markdown
Author

joaocbarbosa commented Oct 20, 2022

upgraded by dependabot in PR #1283

@dolmen dolmen added the dependencies Pull requests that update a dependency file label Mar 19, 2024
@dolmen dolmen mentioned this pull request Mar 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

8 more reviewers

@nickel nickel nickel approved these changes

@alvadorn alvadorn alvadorn approved these changes

@silviolleite silviolleite silviolleite approved these changes

@paulolimarb paulolimarb paulolimarb approved these changes

@odilonjk odilonjk odilonjk approved these changes

@isaacgdo isaacgdo isaacgdo approved these changes

@marcosdcl marcosdcl marcosdcl approved these changes

@mamazinho mamazinho mamazinho approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@joaocbarbosa @paulolimarb @nickel @alvadorn @silviolleite @odilonjk @isaacgdo @marcosdcl @mamazinho @dolmen