Security Vulnerability: Update grpc version to at least 1.58.3
RohanNagar opened this issue · comments
Recently a CVE was discovered which affects the current version of grpc used by this tool.
Please update google.golang.org/grpc
to 1.58.3
or higher.
But grpcurl doesn't act as an http server? So how are we actually vulnerable?
In other words, I don't see any urgency on this. Dependabot will eventually push an update.
Agreed that the vulnerability shouldn't actually affect grpcurl. Unfortunately, security scanners are flagging this for us so we are looking to have the package upgraded.
+1
+1 . Please :)
This was already fixed here: #427
@dragonsinth any idea when the next release will be?
IDK, I guess we could do one soon. I figure anyone who super-cares can build from code using the latest Go, to also pull in any hypothetical Golang fixes.