Upgrade golang.org/x/text v0.3.8
serejja opened this issue · comments
Current version of go-i18n uses golang.org/x/text v0.3.7, which has a vulnerability (https://pkg.go.dev/vuln/GO-2022-1059):
Running govulncheck on code that uses go-i18n results in output similar to this:
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability #1: GO-2022-1059
An attacker may cause a denial of service by crafting an
Accept-Language header which ParseAcceptLanguage will take
significant time to parse.
Call stacks in your code:
Error: ...go:68:49: blabla.Get calls github.com/nicksnyder/go-i18n/v2/i18n.NewLocalizer, which eventually calls golang.org/x/text/language.ParseAcceptLanguage
Found in: golang.org/x/text/language@v0.3.7
Fixed in: golang.org/x/text/language@v0.3.8
More info: https://pkg.go.dev/vuln/GO-2022-1059
Also, it may make sense to upgrade to the latest available version, which is v0.4.0 as of today.
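As an added example (not code from the issue, from go-i18n, or from govulncheck), the following Go program does the version check the issue describes by hand: it reads the `require` entries of a go.mod file and reports whether the pinned golang.org/x/text is older than the v0.3.8 fix quoted in the advisory output above. The go.mod text, the function names (`ParseRequires`, `CompareVersions`, `CheckGoMod`) and the version-comparison rules are assumptions made for this example; pseudo-versions such as `v0.3.8-0.2022...-abcdef` are treated as pre-releases of v0.3.8 and therefore still flagged, which is the conservative reading.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedTextVersion is the fix version from the GO-2022-1059 advisory output.
const FixedTextVersion = "v0.3.8"

// sampleGoMod is a constructed go.mod for this example, not go-i18n's own.
// It uses both the parenthesised block form and the single-line form.
const sampleGoMod = `module example.com/app

go 1.19

require (
	github.com/nicksnyder/go-i18n/v2 v2.2.0
	golang.org/x/text v0.3.7 // indirect
)

require github.com/BurntSushi/toml v1.2.0
`

// ParseRequires extracts "module path -> version" pairs from go.mod text.
func ParseRequires(src string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		// Strip trailing comments such as "// indirect" before tokenising.
		if i := strings.Index(raw, "//"); i >= 0 {
			raw = raw[:i]
		}
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 {
			reqs[fields[0]] = fields[1]
		} else if !inBlock && len(fields) == 3 && fields[0] == "require" {
			reqs[fields[1]] = fields[2]
		}
	}
	return reqs
}

// parsedVersion holds the numeric release parts and whether a pre-release
// suffix (which includes Go pseudo-versions) was present.
type parsedVersion struct {
	nums [3]int
	pre  bool
}

func parseVersion(v string) parsedVersion {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	var out parsedVersion
	if i := strings.Index(v, "-"); i >= 0 {
		out.pre = true
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s) // a non-numeric part is treated as 0
		out.nums[i] = n
	}
	return out
}

// CompareVersions returns -1, 0 or 1 for a < b, a == b, a > b under the
// semver rule that a pre-release sorts before the corresponding release.
func CompareVersions(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if va.nums[i] != vb.nums[i] {
			if va.nums[i] < vb.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case va.pre && !vb.pre:
		return -1
	case !va.pre && vb.pre:
		return 1
	}
	return 0
}

// CheckGoMod reports the pinned golang.org/x/text version and whether it is
// below FixedTextVersion, i.e. still affected. found is false when the
// module is not required at all.
func CheckGoMod(src string) (pinned string, vulnerable bool, found bool) {
	v, ok := ParseRequires(src)["golang.org/x/text"]
	if !ok {
		return "", false, false
	}
	return v, CompareVersions(v, FixedTextVersion) < 0, true
}

func main() {
	v, vuln, found := CheckGoMod(sampleGoMod)
	fmt.Printf("golang.org/x/text pinned=%q found=%v vulnerable=%v (fixed in %s)\n",
		v, found, vuln, FixedTextVersion)
}
```

This is a point check of one module against one fixed version; govulncheck additionally walks the call graph (as the "Call stacks in your code" section above shows), so a reachable-call analysis still belongs to that tool.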