sentry-go
Dependency update to fix CVEs
Towards: https://github.com/getsentry/sentry-go/issues/465
On latest master, nancy found 4 vulnerable dependencies with 5 high to critical CVEs.
- pkg:golang/github.com/kataras/iris/v12@v12.1.8: CVE-2021-23772 (CVSS Score: 8.8/10 (High))
- pkg:golang/github.com/microcosm-cc/bluemonday@v1.0.2: CVE-2021-42576 (CVSS Score: 9.8/10 (Critical))
- pkg:golang/github.com/nats-io/jwt@v0.3.0: CVE-2020-26892 (CVSS Score: 9.8/10 (Critical))
- pkg:golang/github.com/nats-io/jwt@v0.3.0: CVE-2021-3127 (CVSS Score: 7.5/10 (High))
- pkg:golang/github.com/valyala/fasthttp@v1.6.0: CVE-2022-21221 (CVSS Score: 7.5/10 (High))
This PR updates dependencies to get rid of those CVEs.
Direct dependencies update (manually triggered):
github.com/kataras/iris/v12 v12.1.8 => v12.2.0-beta4
github.com/valyala/fasthttp v1.6.0 => v1.34.0
Notable indirect dependencies update (done automatically by go):
github.com/microcosm-cc/bluemonday v1.0.2 => v1.0.19
github.com/nats-io/jwt v0.3.0 => removed
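
A reviewer can confirm that the resolved build list matches the versions stated above by auditing `go list -m all` output. The following is an added example, not code from this PR or from sentry-go; `Audit`, `older`, `parse` and `want` are hypothetical names, the input is assumed to be `path version` lines, and the version comparison is a simplified semver ordering.

```go
package main

import (
	"fmt"
	"strings"
)

// Versions this PR moves to; "" means the module must be gone from the build list.
var want = map[string]string{
	"github.com/kataras/iris/v12":        "v12.2.0-beta4",
	"github.com/valyala/fasthttp":        "v1.34.0",
	"github.com/microcosm-cc/bluemonday": "v1.0.19",
	"github.com/nats-io/jwt":             "",
}

// parse splits "v1.2.3-pre" into its numeric core and pre-release tag.
func parse(v string) (core [3]int, pre string) {
	fmt.Sscanf(v, "v%d.%d.%d", &core[0], &core[1], &core[2])
	_, pre, _ = strings.Cut(v, "-")
	return
}

// older: simplified semver order; a pre-release sorts before its release (tags compare as strings).
func older(a, b string) bool {
	ca, pa := parse(a)
	cb, pb := parse(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return pa != "" && (pb == "" || pa < pb)
}

// Audit returns tracked modules that should be gone or are older than the version in want.
func Audit(buildList string) (bad []string) {
	for _, line := range strings.Split(buildList, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			if floor, ok := want[f[0]]; ok && (floor == "" || older(f[1], floor)) {
				bad = append(bad, f[0]+"@"+f[1])
			}
		}
	}
	return bad
}

func main() {
	// Constructed sample build list using two of the pre-update versions listed above.
	fmt.Println(Audit("github.com/kataras/iris/v12 v12.1.8\ngithub.com/nats-io/jwt v0.3.0"))
}
```

Because indirect dependencies are resolved by the Go toolchain, running the audit against the real `go list -m all` output after `go mod tidy` shows whether a flagged module version is still selected through another path.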