Description

Hi! I just got a security warning from GitHub because a dependency used by this project is marked as vulnerable. It can be found here: https://github.com/advisories/GHSA-hp87-p4gw-j4gq. The package is gopkg.in/yaml.v3, which is resolved in the current master, but the latest release (1.7.7) is over a year old and does not contain this fix.

It would be nice if you guys would create a new version of this module.

Comment From: sampalm

Hi, I'm also looking for a solution to this problem. For now, what should we do?

Comment From: MCWertGaming

I have researched, but have not really found a way to just use the master branch in Go. It would be cool if the maintainers of this project would just do minor or patch releases every week. This is really concerning.

Comment From: MCWertGaming

Hey @thinkerou since you are a maintainer of gin-gonic, can you please comment on this?

Comment From: thinkerou

@MCWertGaming please see #3160 when we use go-yaml v3, the unit test exception:

=== RUN   TestRenderYAML
    render_test.go:240:
            Error Trace:    render_test.go:240
            Error:          Not equal:
                            expected: "\"\\na : Easy!\\nb:\\n\\tc: 2\\n\\td: [3, 4]\\n\\t\"\n"
                            actual  : "|4-\n    a : Easy!\n    b:\n    \tc: 2\n    \td: [3, 4]\n    \t\n"

                            Diff:
                            --- Expected
                            +++ Actual
                            @@ -1,2 +1,7 @@
                            -"\na : Easy!\nb:\n\tc: 2\n\td: [3, 4]\n\t"
                            +|4-
                            +    a : Easy!
                            +    b:
                            +       c: 2
                            +       d: [3, 4]
                            +

            Test:           TestRenderYAML

Comment From: MCWertGaming

@thinkerou thank you very much for looking into this. I have just seen that the master is using go-yaml.v2 but has it as a dependency. Any idea if the unit test broke because of a problem in v3 of the module? Or is it possible that the usage changed?

If no one is already looking into a fix, I could check on that.

Comment From: thinkerou

https://github.com/advisories/GHSA-hp87-p4gw-j4gq I have fixed it, please check! Please commit a PR, thanks!

Comment From: hakandilek

@thinkerou on which PR did you fix this? Can you please link?

I think the fix is not in v1.8.0. I still see both yaml.v2 v2.4.0 and yaml.v3 v3.0.0.

Comment From: MCWertGaming

True, the current master uses v2: https://github.com/gin-gonic/gin/blob/master/go.mod#L16.
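An added example (not code from the gin project or from anyone in this thread) for the two practical questions raised above: seeing which gopkg.in/yaml major versions a module still requires (the thread notes both yaml.v2 v2.4.0 and yaml.v3 v3.0.0 in v1.8.0) and checking a requirement against the advisory's patched version. It assumes a constructed go.mod excerpt and a placeholder MIN_YAML_V3 that you would set from the advisory you are tracking; it uses only POSIX sh and awk, so it runs on a go.mod file or on `go list -m all` output.

```shell
#!/bin/sh
# Added example (not code from the gin project or from anyone in this thread).
# Reports which gopkg.in/yaml major versions a module requires and whether
# a requirement meets a minimum version. Input is a go.mod or the output of
# `go list -m all`: one "module-path version" pair per line.

# Constructed go.mod excerpt for the demo. In a real checkout use:
#   yaml_report < go.mod        or        go list -m all | yaml_report
SAMPLE_GOMOD='module example.com/app

go 1.18

require (
    github.com/gin-gonic/gin v1.8.0
    gopkg.in/yaml.v2 v2.4.0
    gopkg.in/yaml.v3 v3.0.0
)'

# Placeholder (assumption): take the real patched version from the advisory.
MIN_YAML_V3=v3.0.0

# module_version MODULE_PATH   (stdin: go.mod or `go list -m all` output)
# Prints the version required for MODULE_PATH; exit status 1 if it is absent.
module_version() {
    awk -v mod="$1" '$1 == mod { print $2; found = 1 }
                     END { exit(found ? 0 : 1) }'
}

# yaml_majors   (stdin as above)
# One line per gopkg.in/yaml major version present; two lines means the
# build still carries v2 and v3 side by side.
yaml_majors() {
    awk '$1 ~ /^gopkg\.in\/yaml\.v[0-9]+$/ { print $1 }' | sort -u
}

# version_at_least HAVE MIN
# Exit 0 when HAVE >= MIN. Compares the dotted numeric parts; a pseudo-version
# such as v3.0.0-20220101000000-0123456789ab (constructed) sorts *before*
# v3.0.0, as it does for the Go toolchain, so it does not satisfy MIN=v3.0.0.
version_at_least() {
    awk -v have="$1" -v min="$2" 'BEGIN {
        sub(/^v/, "", have); sub(/^v/, "", min)
        hpre = (have ~ /-/); mpre = (min ~ /-/)
        sub(/[-+].*$/, "", have); sub(/[-+].*$/, "", min)
        nh = split(have, h, "."); nm = split(min, m, ".")
        n = (nh > nm) ? nh : nm
        for (i = 1; i <= n; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nm) ? m[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        # numeric parts equal: a pre-release/pseudo HAVE is older than a release MIN
        if (hpre && !mpre) exit 1
        exit 0
    }'
}

# yaml_report   (stdin as above)
# Prints a summary; returns 1 when yaml.v3 is missing or below MIN_YAML_V3.
yaml_report() {
    input=$(cat)
    majors=$(printf '%s\n' "$input" | yaml_majors)
    printf 'yaml majors required:\n%s\n' "$majors"
    v3=$(printf '%s\n' "$input" | module_version gopkg.in/yaml.v3) || {
        echo 'gopkg.in/yaml.v3 is not required by this module'
        return 1
    }
    if version_at_least "$v3" "$MIN_YAML_V3"; then
        printf 'gopkg.in/yaml.v3 %s >= %s: ok\n' "$v3" "$MIN_YAML_V3"
    else
        printf 'gopkg.in/yaml.v3 %s < %s: upgrade needed\n' "$v3" "$MIN_YAML_V3"
        return 1
    fi
}

printf '%s\n' "$SAMPLE_GOMOD" | yaml_report
```

To follow master until a tagged release exists, `go get github.com/gin-gonic/gin@master` records a pseudo-version in go.mod; version_at_least treats such pseudo-versions as older than the release they precede, which matches how the Go toolchain orders them, so a check against a release number will not be satisfied by a pseudo-version of the same base.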

Comment From: appleboy

See v1.8.0 https://github.com/gin-gonic/gin/releases/tag/v1.8.0

Comment From: appleboy

@hakandilek @MCWertGaming Please help to review the https://github.com/gin-gonic/gin/pull/3164 PR. I will bump v1.8.1 after merging.

Comment From: appleboy

The yaml v2 version can't reproduce the issue. See the comment https://github.com/go-yaml/yaml/issues/666#issuecomment-1133337993

Comment From: appleboy

I will close the issue. Please feel free to reopen it if there are any further problems.

Comment From: MCWertGaming

Hey @appleboy, shouldn't we upgrade to v3 nevertheless? I mean, when v3 is vulnerable, it's probably just a matter of time until v2 shows its first vulnerabilities as well. Also, I'm not sure if it makes sense to use two versions of the same dependency in parallel.