
Security vulnerability in required package

Open nywleswoey opened this issue 3 years ago • 2 comments

packr v2 is currently using https://github.com/spf13/cobra v0.0.6 which will then use github.com/gorilla/websocket v1.4.0 which contains a security vulnerability. See the published security advisory for more details.

Updating v2 to use https://github.com/spf13/cobra v1.0.0 and above would resolve this issue.

I've tried updating locally and the tests ran without issues.

nywleswoey, May 25 '21 01:05

I'm not 100% sure about this, or about its impact, but it looks like it pulls in other vulnerable dependencies as well: Cobra v0.0.6 -> viper v1.4.0 -> prometheus/client_golang v0.9.3 -> prometheus/tsdb v0.7.1 -> gogo/protobuf v1.1.1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

bjanders, Nov 08 '21 11:11
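Both the opening report (cobra -> gorilla/websocket) and the follow-up chain (cobra -> viper -> client_golang -> tsdb -> gogo/protobuf) are "which direct dependency drags this version in?" questions. The program below is an added example, not packr's code or anything from this thread's participants: it walks `go mod graph`-style output (one `parent child` edge per line, modules written as `path@version`) with a breadth-first search and reports, for each flagged module version, the shortest chain from the root module and the direct dependency that needs bumping. The graph text is constructed to mirror only the chains named in this thread plus one placeholder edge (`example.com/unrelated@v1.0.0`); real output of `go mod graph` in the packr repository would contain many more edges, and the `knownBad` labels are just strings for the report.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is constructed `go mod graph`-style output. It is NOT real packr
// output: it reproduces only the edges the issue thread names, plus one
// placeholder edge so the graph branches.
const sampleGraph = `github.com/gobuffalo/packr/v2 github.com/spf13/cobra@v0.0.6
github.com/gobuffalo/packr/v2 example.com/unrelated@v1.0.0
github.com/spf13/cobra@v0.0.6 github.com/gorilla/websocket@v1.4.0
github.com/spf13/cobra@v0.0.6 github.com/spf13/viper@v1.4.0
github.com/spf13/viper@v1.4.0 github.com/prometheus/client_golang@v0.9.3
github.com/prometheus/client_golang@v0.9.3 github.com/prometheus/tsdb@v0.7.1
github.com/prometheus/tsdb@v0.7.1 github.com/gogo/protobuf@v1.1.1
`

// knownBad lists the exact module versions flagged in the thread. The values
// are labels for the report, not machine-readable advisory data.
var knownBad = map[string]string{
	"github.com/gorilla/websocket@v1.4.0": "security advisory referenced in the issue",
	"github.com/gogo/protobuf@v1.1.1":     "CVE-2021-3121",
}

// Graph is the module dependency graph: Root is the main module (the parent
// on the first line, which carries no @version), Edges maps parent -> children.
type Graph struct {
	Root  string
	Edges map[string][]string
}

// ParseGraph reads "parent child" lines as printed by `go mod graph`.
func ParseGraph(out string) Graph {
	g := Graph{Edges: map[string][]string{}}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // blank or malformed line
		}
		if g.Root == "" {
			g.Root = f[0]
		}
		g.Edges[f[0]] = append(g.Edges[f[0]], f[1])
	}
	return g
}

// ShortestPath returns the shortest chain Root -> ... -> target (a
// path@version node), or nil if that exact version is not reachable.
func (g Graph) ShortestPath(target string) []string {
	prev := map[string]string{}
	visited := map[string]bool{g.Root: true}
	queue := []string{g.Root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = prev[n] { // Root has no prev entry
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g.Edges[cur] {
			if !visited[next] {
				visited[next] = true
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Report maps each flagged module version that is reachable from Root to the
// chain pulling it in; unreachable entries are omitted.
func Report(g Graph, bad map[string]string) map[string][]string {
	out := map[string][]string{}
	for mod := range bad {
		if p := g.ShortestPath(mod); p != nil {
			out[mod] = p
		}
	}
	return out
}

// DirectDepsToBump returns the direct dependencies of Root (second node of
// each chain) through which flagged versions arrive: the go.mod lines to raise.
func DirectDepsToBump(g Graph, bad map[string]string) []string {
	seen := map[string]bool{}
	var out []string
	for _, p := range Report(g, bad) {
		if len(p) > 1 && !seen[p[1]] {
			seen[p[1]] = true
			out = append(out, p[1])
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	g := ParseGraph(sampleGraph)
	for mod, path := range Report(g, knownBad) {
		fmt.Printf("%s (%s)\n  %s\n", mod, knownBad[mod], strings.Join(path, " -> "))
	}
	fmt.Println("direct dependencies to bump:", DirectDepsToBump(g, knownBad))
}
```

On a real checkout, feed the program the output of `go mod graph` instead of the constructed string; `go mod why -m <module>` and `govulncheck ./...` (the latter reports only versions actually reachable from your code) give the same answer with less work, but the walk above makes clear why bumping the single direct dependency `github.com/spf13/cobra` is the fix for both chains.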

Do we need to file a new CVE for packr, if that would raise some attention?

bjanders, Nov 08 '21 11:11