
chore: bump github.com/goccy/go-yaml to v1.18.0 to fix crypto vulnerabilities

Open ivanbron opened this issue 6 months ago • 4 comments

📌 Description

This PR updates the dependency github.com/goccy/go-yaml from v1.12.0 to v1.18.0.

The previous version (v1.12.0) was pulling in an outdated release of golang.org/x/crypto that contained known security vulnerabilities. Upgrading to v1.18.0 removes those insecure transitive dependencies and ensures the project uses a maintained, patched version.

✅ Benefits

Eliminates vulnerabilities inherited from old golang.org/x/crypto versions

Keeps the project aligned with the latest stable and secure go-yaml release

No breaking API changes expected, as the update stays within the v1.x series

🔍 Notes

Ran go mod tidy to update go.mod and go.sum accordingly

Verified that no regressions or breaking changes are introduced

ivanbron avatar Aug 20 '25 13:08 ivanbron

Hello @inhere, we would kindly appreciate it if you could address this one. This vulnerability is a blocker for a use case. Happy to provide more info if requested. Regards, Iván.

ivanbron avatar Aug 20 '25 13:08 ivanbron

Hmmm, it looks like go-yaml requires at least go 1.21.0. Is this a blocker to generating a new release of this lib?

ivanbron avatar Aug 20 '25 14:08 ivanbron

> Hmmm, it looks like go-yaml requires at least go 1.21.0. Is this a blocker to generating a new release of this lib?

Yes, I wanted to upgrade go-yaml when I updated my dependencies the other day, but it needed go1.21+. I don't know what impact it will have on downstream dependencies after upgrading, so it was not upgraded.

inhere avatar Aug 21 '25 01:08 inhere

> > Hmmm, it looks like go-yaml requires at least go 1.21.0. Is this a blocker to generating a new release of this lib?
>
> Yes, I wanted to upgrade go-yaml when I updated my dependencies the other day, but it needed go1.21+. I don't know what impact it will have on downstream dependencies after upgrading, so it was not upgraded.

I see. Is there any plan to upgrade old dependencies any time soon?

ivanbron avatar Aug 21 '25 21:08 ivanbron
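As an added example (not code from the PR, the author or the library), a small POSIX shell check for the two go.mod facts this thread turns on: the module's `go` directive, which the thread says must be at least 1.21.0 for go-yaml v1.18.0, and the pinned version of github.com/goccy/go-yaml. The sample go.mod contents, including their `go` directive values, are constructed; the thread does not state the project's actual directive.

```shell
#!/bin/sh
# Added example, not part of the PR or of the library's own code.
# Inspects a go.mod for the two facts this thread hinges on: the module's
# `go` directive (go-yaml v1.18.0 needs go 1.21.0, per the thread) and the
# version pinned for github.com/goccy/go-yaml.

GO_YAML_MOD='github.com/goccy/go-yaml'
GO_YAML_WANT='v1.18.0'   # version the PR bumps to
GO_MIN='1.21.0'          # minimum go directive the thread reports go-yaml needs

# Print the `go` directive of go.mod $1 (e.g. "1.20"), or nothing if absent.
go_directive() { awk '$1 == "go" { print $2; exit }' "$1"; }

# Print the version go.mod $1 requires for module $2, or nothing if absent.
require_version() { awk -v m="$2" '$1 == m { print $2; exit }' "$1"; }

# Return 0 when dotted version $1 >= $2 (leading "v" ignored, missing parts are 0).
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Report whether go.mod $1 is ready for the bump: returns 0 only if the go
# directive is high enough and go-yaml is at (or above) the wanted version.
check_go_yaml_bump() {
    gomod=$1; ok=0
    gov=$(go_directive "$gomod"); yv=$(require_version "$gomod" "$GO_YAML_MOD")
    if [ -z "$gov" ] || ! version_ge "$gov" "$GO_MIN"; then
        echo "go directive '${gov:-missing}' is below $GO_MIN needed by $GO_YAML_MOD $GO_YAML_WANT"; ok=1
    fi
    if [ -z "$yv" ] || ! version_ge "$yv" "$GO_YAML_WANT"; then
        echo "$GO_YAML_MOD is '${yv:-missing}', want >= $GO_YAML_WANT"; ok=1
    fi
    return $ok
}

# Constructed sample go.mod files; the go directive values are assumptions.
OLD_GOMOD=$(mktemp); NEW_GOMOD=$(mktemp)
printf 'module example.com/app\n\ngo 1.19\n\nrequire (\n\t%s v1.12.0\n)\n' "$GO_YAML_MOD" > "$OLD_GOMOD"
printf 'module example.com/app\n\ngo 1.21.0\n\nrequire (\n\t%s v1.18.0\n)\n' "$GO_YAML_MOD" > "$NEW_GOMOD"

check_go_yaml_bump "$OLD_GOMOD" || echo "before bump: not ready"
check_go_yaml_bump "$NEW_GOMOD" && echo "after bump: ready"
```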