
Fixes sirupsen/logrus#1434 - Update stretchr/testify to v1.9.0 to resolve 2 High sev vulnerabilities

Open abetterbuilder opened this issue 1 year ago • 2 comments

Fixes sirupsen/logrus#1434

abetterbuilder avatar Jun 07 '24 17:06 abetterbuilder

I'm not sure where the config for the Windows AppVeyor runner is to make the version of Go set to 1.18. The updates here appear to require 1.18 as the minimum version. I've updated all the CI yaml files to use 1.18 as a minimum, but it is still erroring in the Windows runner.

abetterbuilder avatar Jun 07 '24 17:06 abetterbuilder

One does not change the minimum Go version of a project just to fix a vulnerability in a remote dependency which is not even used in the project.

  • the "vulnerability" is in gopkg.in/yaml.v3 v3.0.0 (fixed in v3.0.1)
  • logrus uses packages github.com/stretchr/testify/assert and github.com/stretchr/testify/require ONLY in its testsuite
  • github.com/stretchr/testify/assert uses gopkg.in/yaml.v3 only for YAMLEq and YAMLEqf which the logrus testsuite doesn't use
  • github.com/stretchr/testify now has a build tag that allows one to stop linking with gopkg.in/yaml.v3. See stretchr/testify#1579 (not yet available in a published release, but the build tag can be enabled here right now for a future upgrade).

So this is not at all "2 high severity vulnerabilities". This PR is just FUD and completely useless.

Disclaimer: I'm one of the Testify co-maintainers.

dolmen avatar Jun 25 '24 12:06 dolmen
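The reasoning in the comment above (a vulnerable package that only enters the test binaries never ships in the library) can be checked mechanically rather than by reading go.mod. The following is an added example, not code from logrus or testify: it compares the import graphs printed by `go list -deps ./...` (non-test build) and `go list -deps -test ./...` (build plus test binaries) and classifies a package as production, test-only, or not linked. The two sample listings are constructed and heavily abbreviated stand-ins for a logrus-like module.

```go
package main

// Added example (not code from logrus or testify): triage whether a dependency
// flagged by a scanner is linked into the module's normal build, only into its
// test binaries, or not at all. It compares the import graphs printed by
//   go list -deps ./...          (non-test build)
//   go list -deps -test ./...    (build plus test binaries)
// which emit one import path per line. The sample outputs below are
// constructed and heavily abbreviated.

import (
	"bufio"
	"fmt"
	"strings"
)

// Reach says how a package enters the module's build.
type Reach int

const (
	NotLinked  Reach = iota // absent from both graphs
	TestOnly                // present only when tests are included
	Production              // present in the non-test build
)

func (r Reach) String() string {
	switch r {
	case TestOnly:
		return "test-only"
	case Production:
		return "production"
	}
	return "not linked"
}

// parseDeps turns `go list -deps` output into a set of import paths.
// With -test, go list also prints variants such as
// "example.com/m [example.com/m.test]" and "example.com/m.test";
// the bracketed suffix is dropped so they collapse onto the plain path.
func parseDeps(listOutput string) map[string]bool {
	set := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(listOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if i := strings.Index(line, " ["); i >= 0 {
			line = line[:i]
		}
		set[line] = true
	}
	return set
}

// Classify reports how pkg reaches the module given the two graphs.
func Classify(prodOutput, testOutput, pkg string) Reach {
	prod := parseDeps(prodOutput)
	test := parseDeps(testOutput)
	switch {
	case prod[pkg]:
		return Production
	case test[pkg]:
		return TestOnly
	}
	return NotLinked
}

// Constructed, abbreviated stand-ins for the two go list outputs of a
// logrus-like module; real output lists hundreds of packages.
const prodList = `
bufio
fmt
io
os
sync
golang.org/x/sys/unix
github.com/sirupsen/logrus
`

const testList = prodList + `
github.com/davecgh/go-spew/spew
github.com/pmezard/go-difflib/difflib
gopkg.in/yaml.v3
github.com/stretchr/testify/assert
github.com/stretchr/testify/require
github.com/sirupsen/logrus [github.com/sirupsen/logrus.test]
github.com/sirupsen/logrus.test
`

func main() {
	for _, pkg := range []string{"gopkg.in/yaml.v3", "golang.org/x/sys/unix", "example.com/absent"} {
		fmt.Printf("%-28s %s\n", pkg, Classify(prodList, testList, pkg))
	}
}
```

On a real checkout the same question is answered by `go mod why -m gopkg.in/yaml.v3`, which prints the import chain that pulls the module in (or states that the main module does not need it), and by `govulncheck ./...`, which reports only findings whose affected functions are actually reachable from your code. A package that is classified as test-only here is exactly the case the comment describes: the scanner is correct that the module graph contains it, but consumers of the library never link it.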

This was superseded by https://github.com/sirupsen/logrus/pull/1460

thaJeztah avatar Aug 04 '25 13:08 thaJeztah