Snyk vulnerability due to mongo-driver -> packr dependency
padamstx opened this issue
Users of go-openapi/strfmt have started to see security vulnerabilities related to the github.com/gobuffalo/packr/v2 module.

go-openapi/strfmt defines go.mongodb.org/mongo-driver as a dependency, which in turn defines github.com/gobuffalo/packr/v2 as a dependency.
Link to Snyk: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOBUFFALOPACKRV2-1920670
Opening this issue since a new version of mongo-driver will require at least a small change to strfmt to use the new version.
Is there anything that can be done within the strfmt module itself to alleviate this?
FYI... I've opened this JIRA with the mongo-driver project:
https://jira.mongodb.org/browse/GODRIVER-2233
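As an added illustration (not code from this issue or from the strfmt project), a small Go program that answers the question behind this report, namely which transitive chain pulls packr/v2 into a strfmt build, by searching a constructed sample of `go mod graph` output. The module names come from the thread; the version strings in the sample are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseModGraph turns `go mod graph` output ("from to" per line, nodes as path@version) into an adjacency list.
func ParseModGraph(graph string) map[string][]string {
	adj := make(map[string][]string)
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			adj[f[0]] = append(adj[f[0]], f[1])
		}
	}
	return adj
}

// FindDependencyPath BFS-searches from root for any version of target; it returns the shortest chain or nil.
func FindDependencyPath(adj map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if strings.SplitN(cur, "@", 2)[0] == target { // compare module path only, ignoring version
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range adj[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Constructed sample of `go mod graph` output (placeholder versions): strfmt still reaches packr/v2 via mongo-driver.
const sampleGraph = `github.com/go-openapi/strfmt go.mongodb.org/mongo-driver@v1.7.4
go.mongodb.org/mongo-driver@v1.7.4 github.com/gobuffalo/packr/v2@v2.2.0`
func main() {
	adj := ParseModGraph(sampleGraph)
	path := FindDependencyPath(adj, "github.com/go-openapi/strfmt", "github.com/gobuffalo/packr/v2")
	fmt.Println(strings.Join(path, " -> ")) // strfmt -> mongo-driver@v1.7.4 -> packr/v2@v2.2.0
}
```

Feeding it the real output of `go mod graph` instead of the sample, and re-running after the mongo-driver bump, should turn the printed chain into an empty result once packr/v2 has left the graph.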
Update: the mongo-go-driver team plans to deliver a new release (1.8.0) of their package next week which should remove entirely their dependency on the "packr/v2" module. At that time, I can submit a PR that bumps the mongo-go-driver dependency to that new version and that should address the vulnerability.
The mongo-driver team delivered a change in version 1.7.5 that completely removes the packr/v2 dependency (plus others).
I've opened this PR to modify the strfmt project to use this new mongo-driver version: #93