Create patch release to fix CVE-2019-11254 alert
JensSkipr opened this issue
In the latest release (v1.8.1), github.com/stretchr/testify v1.2.2 is being used. Unfortunately, this dependency is using a vulnerable version of gopkg.in/yaml.v2. See GHSA-wxc4-f4m6-wwqv for more info.
github.com/stretchr/testify bumped the version of YAML in the meantime and your go.mod got updated as well. Unfortunately, the update happened in 9b555f4, a few days after the last release.
I believe there is no immediate security risk as it's only used in test code and not production code. But would be nice if a patch release could be created to bump the dependencies. Is there any release planned soon?
As a temporary workaround, we could add the following line to our go.mod files, but this might have an unexpected impact on other dependencies:
replace github.com/stretchr/testify => github.com/stretchr/testify v1.7.0
This issue is stale because it has been open for 30 days with no activity.
Kind bump
@JensSkipr can you provide an MR to fix that? I'll happily merge that and tag a new release for it.
This issue is stale because it has been open for 30 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.