go-openapi / strfmt

openapi toolkit common string formats

Snyk vulnerability due to mongo-driver -> packr dependency

padamstx opened this issue · comments

Users of go-openapi/strfmt have started to see security vulnerabilities related to the github.com/gobuffalo/packr/v2 module.
go-openapi/strfmt defines go.mongodb.org/mongo-driver as a dependency, which in turn defines github.com/gobuffalo/packr/v2 as a dependency.
Link to Snyk: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOBUFFALOPACKRV2-1920670

Opening this issue since a new version of mongo-driver will require at least a small change to strfmt to use the new version.

Is there anything that can be done within the strfmt module itself to alleviate this?

FYI... I've opened this JIRA with the mongo-driver project:
https://jira.mongodb.org/browse/GODRIVER-2233

Update: the mongo-go-driver team plans to deliver a new release (1.8.0) of their package next week which should remove entirely their dependency on the "packr/v2" module. At that time, I can submit a PR that bumps the mongo-go-driver dependency to that new version and that should address the vulnerability.

The mongo-driver team delivered a change in version 1.7.5 that completely removes the packr/v2 dependency (plus others).
I've opened this PR to modify the strfmt project to use this new mongo-driver version:
#93
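The thread above traces a flagged module back through a transitive dependency (strfmt -> mongo-driver -> packr/v2) and then verifies that bumping the direct dependency removes it. The following is an added example, not code from the strfmt or mongo-driver projects: it parses the two-column output of `go mod graph` and does a breadth-first search from the root module to the first node whose module path matches the flagged one, returning the shortest chain to cite in an upstream issue. The two graphs embedded below are constructed samples with placeholder versions, not captured output from the real module.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output for the pre-fix state (versions
// are placeholders for the example): each line is "<dependant> <dependency>".
const sampleGraph = `github.com/go-openapi/strfmt go.mongodb.org/mongo-driver@v1.7.4
github.com/go-openapi/strfmt github.com/mitchellh/mapstructure@v1.3.3
go.mongodb.org/mongo-driver@v1.7.4 github.com/gobuffalo/packr/v2@v2.8.1
go.mongodb.org/mongo-driver@v1.7.4 github.com/golang/snappy@v0.0.1
github.com/gobuffalo/packr/v2@v2.8.1 github.com/karrick/godirwalk@v1.15.8`

// Constructed sample after bumping the direct dependency to a release that
// no longer requires packr/v2 (again, placeholder versions).
const sampleGraphFixed = `github.com/go-openapi/strfmt go.mongodb.org/mongo-driver@v1.7.5
go.mongodb.org/mongo-driver@v1.7.5 github.com/golang/snappy@v0.0.1`

// modulePath strips the "@version" suffix so that matching is done on the
// module path alone, regardless of which version is selected.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph turns `go mod graph` text into an adjacency list keyed by node.
// Lines that do not have exactly two fields are skipped.
func parseGraph(text string) map[string][]string {
	adj := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		adj[fields[0]] = append(adj[fields[0]], fields[1])
	}
	return adj
}

// FindPath returns the dependency chain from root to the first reachable node
// whose module path equals target, or nil if target is not in the graph.
// BFS yields the shortest chain, which is the one worth quoting upstream.
func FindPath(graphText, root, target string) []string {
	adj := parseGraph(graphText)
	type item struct {
		node string
		path []string
	}
	queue := []item{{node: root, path: []string{root}}}
	seen := map[string]bool{root: true}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur.node) == target {
			return cur.path
		}
		for _, next := range adj[cur.node] {
			if seen[next] {
				continue
			}
			seen[next] = true
			// Copy the path so sibling branches do not share a backing array.
			p := append(append([]string{}, cur.path...), next)
			queue = append(queue, item{node: next, path: p})
		}
	}
	return nil
}

func main() {
	root := "github.com/go-openapi/strfmt"
	target := "github.com/gobuffalo/packr/v2"
	for name, g := range map[string]string{"before bump": sampleGraph, "after bump": sampleGraphFixed} {
		if p := FindPath(g, root, target); p != nil {
			fmt.Printf("%s: %s pulled in via\n  %s\n", name, target, strings.Join(p, "\n  -> "))
		} else {
			fmt.Printf("%s: %s is not in the module graph\n", name, target)
		}
	}
}
```

In a real checkout you would feed the program the actual output of `go mod graph` instead of the embedded samples; `go mod why -m <module>` gives the same chain directly, but parsing the full graph also lets you list every dependant of the flagged module at once, which matters when more than one direct dependency pulls it in.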