nicksnyder / go-i18n

Translate your Go program into multiple languages.

Upgrade golang.org/x/text v0.3.8

serejja opened this issue · comments

The current version of go-i18n uses golang.org/x/text v0.3.7, which has a vulnerability (https://pkg.go.dev/vuln/GO-2022-1059).

Running govulncheck with the code that uses go-i18n results in a similar output:

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1059
  An attacker may cause a denial of service by crafting an
  Accept-Language header which ParseAcceptLanguage will take
  significant time to parse.

  Call stacks in your code:
Error:       ...go:68:49: blabla.Get calls github.com/nicksnyder/go-i18n/v2/i18n.NewLocalizer, which eventually calls golang.org/x/text/language.ParseAcceptLanguage

  Found in: golang.org/x/text/language@v0.3.7
  Fixed in: golang.org/x/text/language@v0.3.8
  More info: https://pkg.go.dev/vuln/GO-2022-1059

Also, it may make sense to upgrade to the latest available version, which is v0.4.0 as of today.
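
For services that cannot pick up the fixed golang.org/x/text right away, the Accept-Language value can be bounded before it reaches i18n.NewLocalizer. This is an added example, not code from the issue or from go-i18n; the limits and the names SafeAcceptLanguage, SanitizeHeader and BoundAcceptLanguage are assumptions made for illustration, and upgrading the dependency remains the fix the report asks for.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Assumed limits for this example (not taken from x/text or go-i18n).
const (
	maxHeaderBytes  = 256 // total length of one Accept-Language value
	maxLanguageTags = 16  // comma-separated entries in one value
)

// SafeAcceptLanguage reports whether a header value is small enough to parse.
func SafeAcceptLanguage(v string) bool {
	return len(v) <= maxHeaderBytes && strings.Count(v, ",") < maxLanguageTags
}

// SanitizeHeader drops Accept-Language entirely if any of its values exceeds
// the limits, so later code falls back to the default language.
func SanitizeHeader(h http.Header) {
	for _, v := range h.Values("Accept-Language") {
		if !SafeAcceptLanguage(v) {
			h.Del("Accept-Language")
			return
		}
	}
}

// BoundAcceptLanguage wraps handlers that pass the header to i18n.NewLocalizer.
func BoundAcceptLanguage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		SanitizeHeader(r.Header)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample values: a typical browser header and an oversized one.
	normal := "en-US,en;q=0.9,de;q=0.8"
	oversized := strings.Repeat("a-", 5000)
	fmt.Println(SafeAcceptLanguage(normal), SafeAcceptLanguage(oversized))
}
```

Wrap the router with BoundAcceptLanguage so every handler sees the sanitized header, then confirm with govulncheck that the dependency itself has moved to a fixed version.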