feat: add support for x-omitzero
SSIA
I do not want to add this by default, not sure what the consequences would be, but I want to be able to start playing around with it.
I can add documentation to the README as well if you like it.
Any other comments? This aligns with prior art and does not break anything existing.
Kusari Analysis Results
Analysis for commit: 83987ceee0ae5f3915aa18cee64c79e18d1c72ec, performed at: 2025-07-15T08:36:58Z
• @kusari-inspector rerun - Trigger a re-analysis of this PR
• @kusari-inspector feedback [your message] - Send feedback to our AI and team
Recommendation
⛔ DO NOT PROCEED with this Pull Request without addressing the issues
Summary
⚠️ Flagged Issues Detected ⚠️
This Pull Request contains flagged issues that may introduce security risks.
This PR introduces a dependency with a HIGH severity vulnerability. The github.com/getkin/kin-openapi v0.128.0 package contains CVE-2025-30153, which allows for data amplification attacks (ZIP bombs) when validating multipart/form-data requests. This vulnerability is fixed in version 0.131.0, but the PR is using an older vulnerable version. Additionally, several newly added dependencies have maintenance concerns with 0/10 scores, indicating they are not actively maintained.
Mitigations
Required Dependency Mitigations
- Update github.com/getkin/kin-openapi from v0.128.0 to at least v0.131.0 to address the HIGH severity vulnerability (CVE-2025-30153) related to ZIP bomb attacks.
- Consider updating other dependencies to their latest versions where available, particularly golang.org/x/mod (v0.17.0 → v0.25.0), golang.org/x/text (v0.20.0 → v0.26.0), and golang.org/x/tools (current → v0.35.0).
Dependency Changes
| Status | Package | Change | Version | Latest Version | Advisories | License |
|---|---|---|---|---|---|---|
| ⚠️ Flagged | github.com/go-openapi/jsonpointer | added | 0.21.0 | v0.21.1 | None | Apache-2.0 (permissive) |
| ⚠️ Flagged | github.com/invopop/yaml | added | 0.3.1 | v0.3.1 | None | BSD-3-Clause (permissive), MIT (permissive) |
| ⚠️ Flagged | github.com/josharian/intern | added | 1.0.0 | v1.0.0 | None | MIT (permissive) |
| ⚠️ Flagged | github.com/mailru/easyjson | added | 0.7.7 | v0.9.0 | None | MIT (permissive) |
| ⚠️ Flagged | github.com/go-openapi/swag | added | 0.23.0 | v0.23.1 | None | Apache-2.0 (permissive) |
| ⚠️ Flagged | github.com/perimeterx/marshmallow | added | 1.1.5 | v1.1.5 | None | MIT (permissive) |
| ⚠️ Flagged | github.com/davecgh/go-spew | added | 1.1.1 | v1.1.1 | None | ISC (permissive) |
| ⚠️ Flagged | github.com/mohae/deepcopy | added | 0.0.0-20170929034955-c48cc78d4826 | v0.0.0-20170929034955-c48cc78d4826 | None | MIT (permissive) |
| ⚠️ Flagged | github.com/pmezard/go-difflib | added | 1.0.0 | v1.0.0 | None | BSD-3-Clause (permissive) |
| ⚠️ Flagged | github.com/vmware-labs/yaml-jsonpath | added | 0.3.2 | v0.3.2 | None | Apache-2.0 (permissive) |
| ❓ Uncertain | stdlib | added | 1.24 | Unknown | None | Unknown |
| ❓ Uncertain | ../../../ | added | Unknown | Unknown | None | Unknown |
| ⚠️ Flagged | github.com/getkin/kin-openapi | added | 0.128.0 | v0.132.0 | 1 found | MIT (permissive) |
Security Advisories
github.com/getkin/kin-openapi:
- CVE-2025-30153: Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter. CVSS: 7.50; CISA KEV: Not found; EPSS Percentile: 0.25. https://osv.dev/vulnerability/CVE-2025-30153
Risk Details
github.com/go-openapi/jsonpointer 0.21.0: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 0/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/invopop/yaml 0.3.1: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 0/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/josharian/intern 1.0.0: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 2/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/mailru/easyjson 0.7.7: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 5/10
github.com/go-openapi/swag 0.23.0: Scorecard checks:
- maintained: 2/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 0/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/perimeterx/marshmallow 1.1.5: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 3/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/davecgh/go-spew 1.1.1: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 6/10
github.com/mohae/deepcopy 0.0.0-20170929034955-c48cc78d4826: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 1/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/pmezard/go-difflib 1.0.0: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 1/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/vmware-labs/yaml-jsonpath 0.3.2: Scorecard checks:
- maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
- code-review: 1/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.
github.com/getkin/kin-openapi 0.128.0: Scorecard checks:
- maintained: 8/10
- code-review: 9/10
Safe Dependency Changes
| Status | Package | Change | Version | Latest Version | Advisories | License |
|---|---|---|---|---|---|---|
| ✅ Safe | gopkg.in/yaml.v3 | added | 3.0.1 | v3.0.1 | None | Apache-2.0 (permissive), MIT (permissive) |
| ✅ Safe | github.com/stretchr/testify | added | 1.10.0 | v1.10.0 | None | MIT (permissive) |
| ✅ Safe | golang.org/x/text | added | 0.20.0 | v0.26.0 | None | BSD-3-Clause (permissive) |
| ✅ Safe | gopkg.in/yaml.v2 | added | 2.4.0 | v2.4.0 | None | Apache-2.0 (permissive) |
| ✅ Safe | github.com/dprotaso/go-yit | added | 0.0.0-20220510233725-9ba8df137936 | v0.0.0-20250704131239-f7e42b186c1e | None | MIT (permissive) |
| ✅ Safe | golang.org/x/mod | added | 0.17.0 | v0.25.0 | None | BSD-3-Clause (permissive) |
| ✅ Safe | github.com/speakeasy-api/jsonpath | added | 0.6.0 | v0.6.2 | None | Apache-2.0 (permissive) |
| ✅ Safe | github.com/speakeasy-api/openapi-overlay | added | 0.10.2 | v0.10.3 | None | MIT (permissive) |
| ✅ Safe | golang.org/x/tools | added | 0.21.1-0.20240508182429-e35e4ccd0d2d | v0.35.0 | None | BSD-3-Clause (permissive) |
Kusari PR Analysis rerun based on - 2e1860452761bd21df6d839cd1a93d12afb5c998 performed at: 2025-07-14T20:21:54Z - link to updated analysis
(Ignore that check, it's fine!)
I'm still working on this one - trying to get a good example of exactly how omitzero works and what differences in behaviour we'll see - largely out of my own learning!
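The behavioural difference the comment above is after, as an added example that is not part of this PR or the project's code: one constructed struct shape is encoded with the `omitempty` tag and again with the Go 1.24 `omitzero` tag that `x-omitzero` maps to. The type and field names (`Address`, `WithOmitempty`, `WithOmitzero`, `EncodeBoth`) are assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample types (not the PR's generated code). Address is a plain
// nested struct, the case where the two tags diverge most.
type Address struct {
	Street string `json:"street,omitempty"`
	City   string `json:"city,omitempty"`
}

// WithOmitempty: the pre-Go 1.24 tag.
type WithOmitempty struct {
	Name    string    `json:"name,omitempty"`
	Addr    Address   `json:"addr,omitempty"`    // never omitted: a struct is never "empty"
	Tags    []string  `json:"tags,omitempty"`    // omitted when nil or len == 0
	Created time.Time `json:"created,omitempty"` // never omitted: zero time is still emitted
}

// WithOmitzero: the Go 1.24 tag that x-omitzero emits.
type WithOmitzero struct {
	Name    string    `json:"name,omitzero"`
	Addr    Address   `json:"addr,omitzero"`    // omitted when it equals the zero struct
	Tags    []string  `json:"tags,omitzero"`    // omitted only when nil; [] is kept
	Created time.Time `json:"created,omitzero"` // omitted when IsZero() reports true
}

func mustMarshal(v any) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// EncodeBoth encodes the same "zero-ish" input (empty but non-nil Tags,
// zero Addr and Created) with each tag and returns both JSON documents.
func EncodeBoth() (omitempty, omitzero string) {
	return mustMarshal(WithOmitempty{Tags: []string{}}),
		mustMarshal(WithOmitzero{Tags: []string{}})
}

func main() {
	e, z := EncodeBoth()
	fmt.Println("omitempty:", e) // {"addr":{},"created":"0001-01-01T00:00:00Z"}
	fmt.Println("omitzero: ", z) // {"tags":[]}
}
```

Consumers that relied on `"created":"0001-01-01T00:00:00Z"` or on an empty-slice field being absent will see different documents once a schema switches tags, which is the kind of consequence worth checking before enabling it by default.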
Kusari PR Analysis rerun based on - 9cfaf202bbb35fbfc4b5aa673ebe4fb4e905ead5 performed at: 2025-07-14T20:31:16Z - link to updated analysis
Kusari PR Analysis rerun based on - e5d75ff542d91668f27fbc49db9da8783fc79c8e performed at: 2025-07-15T08:10:07Z - link to updated analysis
I'll follow up with a PR to allow tuning only one or the other of omitempty and omitzero in case folks want more control.
Kusari PR Analysis rerun based on - 83987ceee0ae5f3915aa18cee64c79e18d1c72ec performed at: 2025-07-15T08:36:58Z - link to updated analysis