
security issue from dependency on gopkg.in/yaml.v2

Open · wei-zhao4 opened this issue 3 years ago · 1 comment

gopkg.in/yaml.v2 is a YAML support package for the Go language. Affected versions of this package are vulnerable to Denial of Service (DoS) via the Unmarshal function, which causes the program to crash when attempting to deserialize invalid input. Please see https://www.google.com/search?client=firefox-b-1-d&q=gopkg.in%2Fyaml.v2+security+issue

The current release of https://github.com/cloudfoundry/gosigar has a dependency on a 5-year-old package, github.com/onsi/gomega v1.2.0, which has a dependency on gopkg.in/[email protected].

The dependency should be updated to a newer version of gomega, v1.20.0, not gomega v1.2.0.

wei-zhao4 · Aug 23 '22 21:08

@wei-zhao4 given that gomega is only a test dependency without any runtime use, there is no urgency to fix this issue. However, we are happy to review a PR addressing the proposed dependency bump.

rkoster · Sep 08 '22 15:09
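The reply above rests on a distinction worth checking rather than assuming: a module that only test files import is never linked into a shipped binary, whereas one reached from non-test packages is. The Go toolchain exposes both graphs (`go list -deps ./...` versus `go list -deps -test ./...`, and `go mod why -m <module>` for the import chain). The program below is an added example, not code from gosigar or from this issue; it parses constructed listings in the format those commands print and classifies a module as runtime, test-only, or absent. The package names, graph shape and module versions in the two listings are made up for the example, and the `semverLess` helper is included because the proposed bump (v1.2.0 to v1.20.0) is exactly the kind of comparison plain string ordering gets wrong.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// How a module is reached from the main module's package graph.
const (
	Absent   = "absent"    // in neither graph
	TestOnly = "test-only" // reached only through _test.go files; not linked into shipped binaries
	Runtime  = "runtime"   // reached by non-test packages; compiled into the build
)

// Both listings are assumed to come from this template (stdlib packages have no .Module,
// so they print only their import path):
//   go list -deps [-test] -f '{{.ImportPath}} {{with .Module}}{{.Path}} {{.Version}}{{end}}' ./...
//
// Constructed sample of the listing WITHOUT -test. Package set and versions are made up
// for this example, not captured from gosigar.
const prodGraph = `
fmt
os
golang.org/x/sys/unix golang.org/x/sys v0.0.0-constructed
github.com/cloudfoundry/gosigar github.com/cloudfoundry/gosigar
`

// Constructed sample of the same listing WITH -test: test files pull in gomega,
// and gomega pulls in gopkg.in/yaml.v2 (versions again made up).
const testGraph = `
fmt
os
golang.org/x/sys/unix golang.org/x/sys v0.0.0-constructed
github.com/cloudfoundry/gosigar github.com/cloudfoundry/gosigar
github.com/onsi/gomega github.com/onsi/gomega v1.2.0
github.com/onsi/gomega/format github.com/onsi/gomega v1.2.0
gopkg.in/yaml.v2 gopkg.in/yaml.v2 v2.0.0
`

// parseModules folds a listing into module path -> version, dropping stdlib
// packages (which carry no module column). The main module has an empty version.
func parseModules(listing string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 { // blank line or standard-library package
			continue
		}
		version := ""
		if len(f) >= 3 {
			version = f[2]
		}
		mods[f[1]] = version
	}
	return mods
}

// classify reports whether module is linked into the build (Runtime), reached only
// by tests (TestOnly), or not present at all, plus the resolved version.
func classify(module, prodListing, testListing string) (class, version string) {
	if v, ok := parseModules(prodListing)[module]; ok {
		return Runtime, v
	}
	if v, ok := parseModules(testListing)[module]; ok {
		return TestOnly, v
	}
	return Absent, ""
}

// semverParts extracts MAJOR, MINOR, PATCH from "vX.Y.Z[-pre][+build]".
func semverParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(s)
		if err != nil {
			break
		}
		out[i] = n
	}
	return out
}

// semverLess reports whether a < b numerically; string comparison would rank
// v1.9.0 above v1.20.0.
func semverLess(a, b string) bool {
	pa, pb := semverParts(a), semverParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

func main() {
	for _, m := range []string{"gopkg.in/yaml.v2", "github.com/onsi/gomega", "golang.org/x/sys"} {
		class, v := classify(m, prodGraph, testGraph)
		fmt.Printf("%-24s %-10s %s\n", m, class, v)
	}
	fmt.Println("gomega v1.2.0 is below v1.20.0:", semverLess("v1.2.0", "v1.20.0"))
}
```

To run this against a real checkout, replace the two constants with the output of the listed `go list` commands run in the module root; a module that shows up as `runtime` deserves the urgency a `test-only` one does not, and `govulncheck` gives the same runtime-reachability answer at the symbol level.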

Closing due to inactivity

rkoster · Dec 15 '22 16:12