
fix(sec): upgrade gopkg.in/yaml.v3 to 3.0.0

Open Huoxi-any opened this issue 3 years ago • 2 comments

What happened?

There is 1 security vulnerability found in gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b

What did I do?

Upgrade gopkg.in/yaml.v3 from v3.0.0-20210107192922-496545a6307b to 3.0.0 for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

Huoxi-any avatar Nov 04 '22 10:11 Huoxi-any

Since this is indirect, we should push upstream to update their dependencies:

$ go mod why gopkg.in/yaml.v3
# gopkg.in/yaml.v3
github.com/opencontainers/image-spec/schema
github.com/xeipuuv/gojsonschema
github.com/xeipuuv/gojsonschema.test
github.com/stretchr/testify/assert
gopkg.in/yaml.v3

It doesn't look like gojsonschema has been touched in a while, so that may be a sign that we should investigate other options.

sudo-bmitch avatar Nov 08 '22 01:11 sudo-bmitch

I think it can be ok to update the version to be ahead of what go modules resolved to, if we have a good reason. Go modules define the minimum compatible version, but SemVer allows for more current (minor/patch) releases to be used. Updating the indirect would allow us to "recommend" / "force" our consumers to follow.

thaJeztah avatar Apr 19 '23 12:04 thaJeztah
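The two comments above make a point worth checking mechanically: a Go pseudo-version such as v3.0.0-20210107192922-496545a6307b is, under SemVer precedence, a prerelease of v3.0.0 and therefore sorts below the tagged 3.0.0 release, so minimal version selection will keep it unless something in the graph requires the newer version. The following is an added example, not code from image-spec or from anyone in this thread; it reads a constructed go.mod excerpt (modelled on the `go mod why` chain shown earlier, with invented versions for the other modules) and reports which requirements sit below a floor the maintainers have decided on, using only the standard library.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the real image-spec go.mod): yaml.v3 is an
// indirect requirement pinned to a pseudo-version older than the 3.0.0 release.
const sampleGoMod = `module example.com/consumer

go 1.17

require (
	github.com/stretchr/testify v1.7.0
	github.com/xeipuuv/gojsonschema v1.2.0
	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
)
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" into numeric
// parts plus the prerelease suffix. A pseudo-version like
// v3.0.0-20210107192922-496545a6307b is just a prerelease of v3.0.0.
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata never affects precedence
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = v[i+1:]
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareVersions returns -1, 0 or 1 following SemVer precedence: numeric
// fields first; a version carrying a prerelease sorts below the bare release;
// two prereleases compare as strings, which is enough for timestamp-based
// Go pseudo-versions.
func compareVersions(a, b string) (int, error) {
	an, ap, aok := parseVersion(a)
	bn, bp, bok := parseVersion(b)
	if !aok || !bok {
		return 0, fmt.Errorf("unparseable version: %q / %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case ap == bp:
		return 0, nil
	case ap == "":
		return 1, nil
	case bp == "":
		return -1, nil
	case ap < bp:
		return -1, nil
	default:
		return 1, nil
	}
}

// requiredVersions extracts module -> version from the require directives of a
// go.mod, handling both single-line and block form and ignoring comments
// (so the "// indirect" marker does not get in the way).
func requiredVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) >= 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// belowMinimum lists every required module whose version is older than the
// floor given for it, i.e. the requirements a maintainer would bump by hand.
func belowMinimum(goMod string, floors map[string]string) ([]string, error) {
	var flagged []string
	reqs := requiredVersions(goMod)
	for mod, floor := range floors {
		have, present := reqs[mod]
		if !present {
			continue
		}
		c, err := compareVersions(have, floor)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			flagged = append(flagged, fmt.Sprintf("%s %s < %s", mod, have, floor))
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := belowMinimum(sampleGoMod, map[string]string{"gopkg.in/yaml.v3": "v3.0.0"})
	if err != nil {
		panic(err)
	}
	for _, f := range flagged {
		fmt.Println("bump needed:", f)
	}
}
```

On a real tree the remedy for a flagged indirect requirement is the one thaJeztah describes: raise the floor in your own go.mod with `go get gopkg.in/yaml.v3@v3.0.0 && go mod tidy`, then re-run `go mod why gopkg.in/yaml.v3` and `go list -m all` to confirm the resolved version, since consumers building against your module inherit that minimum.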

We fixed this by removing the yaml dependency entirely.

sudo-bmitch avatar Jul 18 '24 14:07 sudo-bmitch