
bump golang.org/x/text dependency to fix CVE-2021-38561 #881

Merged (2 commits), Mar 8, 2022

Conversation

CrawX (Contributor) commented Jan 11, 2022

Fixes CVE-2021-38561 by bumping golang.org/x/text dependency to most recent

Fixes https://cve.report/CVE-2021-38561 / https://deps.dev/advisory/OSV/GO-2021-0113. Seems to build and test fine.
Finding came up in automated source code checks.

Make sure that you've checked the boxes below before you submit PR:

  • [n/a] Tests exist or have been written that cover this particular change.

@go-playground/validator-maintainers

coveralls commented Jan 11, 2022

Coverage remained the same at 75.136% when pulling fdd0e7d on CrawX:CVE-2021-38561 into dd2de9c on go-playground:master.

@BenHall-1 BenHall-1 mentioned this pull request Feb 15, 2022

zemzale (Member) left a comment

LGTM

@BenHall-1 commented

Any update on when this will be going in?

bnevis-i left a comment

EdgeX Foundry would like this request to be merged.

@BenHall-1 commented

@deankarn can you merge this? We have our microservices relying on this API but cannot go into prod with this vulnerability in here

deankarn (Contributor) commented Mar 3, 2022

I’ll try to take a look at this tomorrow, however, FWIW I’m almost 100% sure this is not exploitable through this package.

CrawX (Contributor, Author) commented Mar 3, 2022

@BenHall-1 why don't you override the dependency in your project, e.g. go get golang.org/x/[email protected]?
I'm not saying this shouldn't be merged, but this should not block you :)
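The override suggested above depends on what version of golang.org/x/text a consumer's own module actually requires (the exact version in the comment is garbled on this page). The following is an added example, not code from the PR or from the validator project: a small Go program that reads a go.mod, finds the require line for a module path and reports whether it is below a fixed version you pass in. The go.mod text and all versions in it are constructed for illustration; the fixed version is deliberately not hard-coded and should be taken from the advisory linked in the PR description.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod used when no file path is given.
// Module paths other than golang.org/x/text and every version here are made up.
const sampleGoMod = `module example.com/myservice

go 1.17

require example.com/other v0.0.0-20210101000000-000000000000

require (
	github.com/go-playground/validator/v10 v10.0.0 // constructed
	golang.org/x/text v0.3.6 // indirect
)
`

// coreParts extracts MAJOR.MINOR.PATCH from a Go module version such as
// "v0.3.6" or a pseudo-version "v0.0.0-2021...", ignoring the suffix.
func coreParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s) // non-numeric parts count as 0
		out[i] = n
	}
	return out
}

// compareCore orders two module versions: -1 if a < b, 0 if equal, 1 if a > b.
// A pre-release or pseudo-version sorts before the release with the same core,
// which is the conservative choice when deciding whether a fix is present.
func compareCore(a, b string) int {
	pa, pb := coreParts(a), coreParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	preA, preB := strings.Contains(a, "-"), strings.Contains(b, "-")
	switch {
	case preA && !preB:
		return -1
	case !preA && preB:
		return 1
	}
	return 0
}

// requiredVersion returns the version go.mod requires for path, handling both
// the single-line "require path vX" form and the "require ( ... )" block.
func requiredVersion(gomod, path string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if c := strings.Index(line, "//"); c >= 0 {
			line = strings.TrimSpace(line[:c]) // drop "// indirect" etc.
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) == 3 && fields[0] == "require" {
				fields = fields[1:]
			} else {
				continue
			}
		}
		if len(fields) == 2 && fields[0] == path {
			return fields[1], true
		}
	}
	return "", false
}

// IsBelowFix reports whether go.mod requires path at a version older than
// fixed, and returns the required version. A module that is not required at
// all is reported as not below the fix; confirm with `go list -m <path>`.
func IsBelowFix(gomod, path, fixed string) (bool, string) {
	have, ok := requiredVersion(gomod, path)
	if !ok {
		return false, ""
	}
	return compareCore(have, fixed) < 0, have
}

func main() {
	// Usage: go run check.go <fixed-version> [path/to/go.mod]
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: check <fixed-version> [go.mod]")
		os.Exit(2)
	}
	gomod := sampleGoMod
	if len(os.Args) > 2 {
		b, err := os.ReadFile(os.Args[2])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		gomod = string(b)
	}
	below, have := IsBelowFix(gomod, "golang.org/x/text", os.Args[1])
	fmt.Printf("golang.org/x/text required=%q belowFix=%v\n", have, below)
}
```

A go.mod require line is only the floor that minimal version selection starts from; the version that ends up in the build can be higher if another dependency requires it, so treat this check as a quick triage and confirm the selected version with `go list -m golang.org/x/text` in the consuming module.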

@deankarn deankarn requested a review from a team as a code owner March 8, 2022 01:26
@deankarn deankarn merged commit 3e49fe4 into go-playground:master Mar 8, 2022