This repository has been archived by the owner on Jun 25, 2022. It is now read-only.
Security vulnerability in required package #287
Comments
|
I'm not 100% sure, or the impact of it, but it looks like it pulls in other vulnerable dependencies as well: Cobra v0.0.6 -> viper v1.4.0 -> prometheus/client_golang v0.9.3 -> prometheus/tsdb v0.7.1 -> gogo/protobuf v.1.1.1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121 |
|
Do we need to file a new CVE for packr, if that would raise some attention? |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
packr v2 is currently using https://github.com/spf13/cobra v0.0.6 which will then use github.com/gorilla/websocket v1.4.0 which contains a security vulnerability. See the published security advisory for more details.
Updating v2 to use https://github.com/spf13/cobra v1.0.0 and above would resolve this issue.
I've tried updating locally and the tests ran without issues.
The text was updated successfully, but these errors were encountered: