Update github.com/gin-gonic/gin
Hi!
Could you please update https://github.com/gin-gonic/gin. GitHub Dependabot sends alerts to projects that use your nhooyr/websocket project because you use https://github.com/gin-gonic/gin v1.6.3, but they need the patched version: 1.7.0.
See the message:
CVE-2020-28483 high severity Vulnerable versions: < 1.7.0 Patched version: 1.7.0 This affects all versions of package https://github.com/gin-gonic/gin under 1.7.0. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
I have used your https://github.com/nhooyr/websocket project in my https://github.com/kirill-scherba/teowebrtc project to make a WebRTC signaling client/server, and this GitHub Dependabot alert is placed on my project page now :-)
I think you just need to execute go get -u and publish a new tag!
Thanks. Best regards, Kirill Scherba.
P.S. There is a PR which fixes this issue: https://github.com/nhooyr/websocket/pull/310
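The X-Forwarded-For problem quoted in the advisory above, as an added example in plain net/http (not code from gin or nhooyr/websocket): the naive client-IP lookup beside one that only honours the header when the TCP peer is a configured reverse proxy. The proxy list and request values used with it are constructed.

```go
// Added example (not code from nhooyr/websocket or gin): the client-IP mistake
// CVE-2020-28483 describes, beside a trusted-proxy check that closes it.
package main

import (
	"net"
	"net/http"
	"strings"
)

// peerIP is the TCP peer that actually connected, port stripped.
func peerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

func isTrustedProxy(ip string, proxies []string) bool {
	parsed := net.ParseIP(ip)
	for _, p := range proxies {
		if parsed != nil && parsed.Equal(net.ParseIP(p)) {
			return true
		}
	}
	return false
}

// naiveClientIP trusts the first X-Forwarded-For entry outright, so any
// client connecting directly can report whatever address it likes.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// trustedClientIP honours the header only behind a configured proxy, then
// walks the chain right-to-left to the first hop that is not a trusted proxy.
func trustedClientIP(r *http.Request, proxies []string) string {
	peer := peerIP(r)
	if !isTrustedProxy(peer, proxies) {
		return peer // header came straight from the client: ignore it
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if hop := strings.TrimSpace(hops[i]); net.ParseIP(hop) != nil && !isTrustedProxy(hop, proxies) {
			return hop
		}
	}
	return peer
}
```

The trusted list here is an exact-match list of single addresses; a deployment would normally express its proxy tier as CIDR ranges.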
I actually wonder how this is "single dependency" with all the other modules needed :)
I'm also for the dependency removal rather than struggling with its upgrades. It bothers gin users and non-users alike. AFAIK it's used only for integration tests.
The same goes for github.com/gobwas/ws and github.com/gorilla/websocket, which are listed as dependencies while they are not.
All dependencies other than klauspost/compress are for tests alone. And dev has no dependencies whatsoever, though I don't suggest running it in production yet.
I'll remove gin soon and move the third party tests into a different module so they don't show up and cause all this confusion.
Closing in favour of #297