Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

upgrade objx to fix vulnerability #1280

Closed
wants to merge 1 commit into from

Conversation

joaocbarbosa
Copy link

Summary

This PR is to upgrade the objx dependency from 0.4.0 to 0.5.0

Changes

Changed go.mod and go.sum files

Motivation

Since the objx package 0.5.0 was released with a vulnerability fix made by dependabot, we could use the newest version of it.
This also will fix a vulnerability found in objx 0.4.0, by using the yamlv3 3.0.0 indirectly throught testify 1.7.1.

current dependency tree

- objx v0.4.0
   - testify v1.7.1
      - yaml.v3 v3.0.0

Vulnerability details:
https://security.snyk.io/package/golang/github.com%2Fgo-yaml%2Fyaml
https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714

What was added between 0.4.0 and 0.5.0
stretchr/objx@v0.4.0...v0.5.0

Related issues

stretchr/objx#124

@paulolimarb
Copy link

@ernesto-jimenez
@matryer

Please consider accept this pull request.

Thank you very much

Copy link

@silviolleite silviolleite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very important 👍

@joaocbarbosa
Copy link
Author

upgraded by dependabot in PR #1283

@dolmen dolmen added the dependencies Pull requests that update a dependency file label Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants