Please publish new version with your updated dependencies

Question

Please publish new version with your updated dependencies

sseide opened this issue a year ago · comments

Hello,

can you please publish a new version with all the updated dependencies you already have? They will silence security scanner because a lot of different vulnerable dependencies are updated now.

Thanks in advance,
S. Seide

Alberto Hormazabal · Answer 1 · Sat Jun 03 2023 00:34:26 GMT+0800 (China Standard Time)

Hello,
We also are being challenged on our use of this tool, as the current version of golang is subject of many vulnerabilities, some of these include:
CVE-2022-41716
CVE-2022-32190
CVE-2022-38149
CVE-2022-32149

Is there an update path to provide a newer version with updated dependencies?

Rene Kaufmann · Answer 2 · Sat Jun 03 2023 05:04:39 GMT+0800 (China Standard Time)

Sorry for the delay. I will create a new Release once Go 1.20.5 is released next week.

https://groups.google.com/g/golang-announce/c/1AItFMBjrfw/m/jgn2iuoFAgAJ?utm_medium=email&utm_source=footer

sseide · Answer 3 · Mon Jun 05 2023 18:27:44 GMT+0800 (China Standard Time)

Yes - and current release has following problems too - parts are already fixed with current master.
Might be fixed with GoLang update too (i have not checked)

golang.org/x/net GHSA-69cg-p879-7622
golang.org/x/crypto GHSA-8c26-wmh5-6g9v
golang.org/x/sys/unix GHSA-p782-xgp4-8hr8
github.com/prometheus/client_golang GHSA-cg3q-j54f-5p7p (master fixed)
golang.org/x/net GHSA-vvpx-j8f3-3w6h (master fixed)

Rene Kaufmann · Answer 4 · Tue Jun 06 2023 20:45:37 GMT+0800 (China Standard Time)

@sseide these are all fixed already in master.
Will cut a new release later today.