sirupsen / logrus

Structured, pluggable logging for Go.


Create patch release to fix CVE-2019-11254 alert

JensSkipr opened this issue · comments

In the latest release (v1.8.1), github.com/stretchr/testify v1.2.2 is being used. Unfortunately, this dependency is using a vulnerable version of gopkg.in/yaml.v2. See GHSA-wxc4-f4m6-wwqv for more info.

github.com/stretchr/testify bumped the version of YAML in the meantime and your go.mod got updated as well. Unfortunately, the update happened in 9b555f4, a few days after the last release.

I believe there is no immediate security risk as it's only used in test code and not production code. But would be nice if a patch release could be created to bump the dependencies. Is there any release planned soon?

As a temporary workaround, we could add the following line to our go.mod files as a workaround, but this might have an unexpected impact on other dependencies:

replace github.com/stretchr/testify => github.com/stretchr/testify v1.7.0
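Added example, not code from this issue or from the logrus project: a small Go check that parses the output of `go list -m all`, honours `=>` replacements such as the workaround line above (the replacement version is what actually builds), and flags modules whose version precedes an advisory's fixed version. The fixed version for gopkg.in/yaml.v2 is not stated in this thread, so the caller supplies it from the GHSA entry; the sample `go list` snapshot is constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed `go list -m all` snapshot of the issue's state (testify pinned by the replace line).
const SampleGoList = `github.com/sirupsen/logrus
github.com/stretchr/testify v1.2.2 => github.com/stretchr/testify v1.7.0
gopkg.in/yaml.v2 v2.2.2`

// versionKey maps "v2.2.2", "v2.0.0+incompatible" or a pseudo-version like "v2.2.8-0.20200101000000-abcdef"
// to a zero-padded key that orders correctly under plain string comparison ("" if unparseable).
func versionKey(v string) string {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata ("+incompatible")
	base, _, pre := strings.Cut(v, "-")                    // "-" starts a pre-release/pseudo-version
	rel := map[bool]string{false: "1", true: "0"}[pre]     // a pseudo-version of the fix tag predates it
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return ""
	}
	key := ""
	for _, p := range parts {
		if _, err := strconv.Atoi(p); err != nil || len(p) > 8 {
			return ""
		}
		key += strings.Repeat("0", 8-len(p)) + p + "."
	}
	return key + rel
}

// AffectedModules scans `go list -m all` output (one "module version" per line; a replaced module
// reads "mod v1 => mod v2") and returns "module version" for each module older than its fixedIn entry.
func AffectedModules(goListOutput string, fixedIn map[string]string) []string {
	var hits []string
	for _, line := range strings.Split(goListOutput, "\n") {
		f := strings.Fields(line)
		if len(f) >= 5 && f[2] == "=>" { // replacement version is what the build uses
			f[1] = f[4]
		}
		if len(f) < 2 || fixedIn[f[0]] == "" { // main module line, or no advisory for it
			continue
		}
		if have, want := versionKey(f[1]), versionKey(fixedIn[f[0]]); have != "" && have < want {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}
```

Feed it the real `go list -m all` output of your module together with a map of fixed versions taken from the advisory; `go mod why -m gopkg.in/yaml.v2` then shows the import chain that pulls the module in, which is how to confirm the claim that only test code depends on it.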

This issue is stale because it has been open for 30 days with no activity.

Kind bump

@JensSkipr can you provide an MR to fix that? I'll happily merge that and tag a new release for that.

@dgsb the fix already happened by 9b555f4. So, tagging a new version is enough to have it fixed.

This issue is stale because it has been open for 30 days with no activity.

This issue was closed because it has been inactive for 14 days since being marked as stale.