
Conversation

@pjbgf
Member

@pjbgf pjbgf commented Dec 9, 2021

Security Advisories fixed:

golang.org/x/text v0.3.7
IDs: GO-2021-0113
Links:
https://osv.dev/vulnerability/GO-2021-0113

Advisories fixed:
golang.org/x/text GO-2021-0113

Signed-off-by: Paulo Gomes <[email protected]>
@stefanprodan
Member

This doesn't remove the affected version from go.sum, so I guess scanners will report this nevertheless.

@pjbgf
Member Author

pjbgf commented Dec 9, 2021

Go uses MVS to find the minimum required version. So this change will ensure it only considers v0.3.7+, and that should also be reflected by scanners.

Example of similar change on kubebuilder:
Before: https://deps.dev/go/sigs.k8s.io%2Fkubebuilder%2Fv3/v3.0.0-alpha.0.0.20211203185037-c869ec1a0c7c
After: https://deps.dev/go/sigs.k8s.io%2Fkubebuilder%2Fv3/v3.0.0-alpha.0.0.20211205153232-0036a354829c

For more in-depth discussion:
kubernetes-sigs/kubebuilder#2438 (comment)
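
As an added illustration of the MVS point made in the comment above (example code written for this page, not code from this PR or the fluxcd project): a toy implementation of minimal version selection over a constructed module graph, plus a check that lists which go.sum lines refer to versions MVS did not select. The module names example.com/app and example.com/lib, both dependency graphs, and the go.sum hashes are assumed placeholders, not real modules or digests. It shows why bumping the main module's require line to v0.3.7 wins even though a library still asks for v0.3.6, and why the v0.3.6 lines can nevertheless remain in go.sum.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Requirement is one "require" line of a module's go.mod.
type Requirement struct{ Path, Version string }

// Graph maps module@version to the modules that version requires.
type Graph map[string][]Requirement

func key(path, version string) string { return path + "@" + version }

// Hypothetical main module; not a real fluxcd module path.
const mainKey = "example.com/app"

// Constructed toy graph (assumed module names). Before the bump only the
// hypothetical library pins golang.org/x/text, so v0.3.6 is selected.
var beforeGraph = Graph{
	mainKey:                  {{"example.com/lib", "v1.0.0"}},
	"example.com/lib@v1.0.0": {{"golang.org/x/text", "v0.3.6"}},
	"golang.org/x/text@v0.3.6": {},
}

// After the bump the main module requires v0.3.7 directly while the
// library still says v0.3.6: the go.sum situation discussed in the thread.
var afterGraph = Graph{
	mainKey:                  {{"example.com/lib", "v1.0.0"}, {"golang.org/x/text", "v0.3.7"}},
	"example.com/lib@v1.0.0": {{"golang.org/x/text", "v0.3.6"}},
	"golang.org/x/text@v0.3.6": {},
	"golang.org/x/text@v0.3.7": {},
}

// Constructed go.sum; the hashes are placeholders, not real h1: digests.
const goSum = `golang.org/x/text v0.3.6 h1:PLACEHOLDER_ZIP_HASH_036=
golang.org/x/text v0.3.6/go.mod h1:PLACEHOLDER_GOMOD_HASH_036=
golang.org/x/text v0.3.7 h1:PLACEHOLDER_ZIP_HASH_037=
golang.org/x/text v0.3.7/go.mod h1:PLACEHOLDER_GOMOD_HASH_037=
example.com/lib v1.0.0 h1:PLACEHOLDER_ZIP_HASH_LIB=
example.com/lib v1.0.0/go.mod h1:PLACEHOLDER_GOMOD_HASH_LIB=
`

// parse turns "vX.Y.Z" into its three numeric components.
func parse(v string) [3]int {
	var out [3]int
	for i, s := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		n, _ := strconv.Atoi(s)
		out[i] = n
	}
	return out
}

// semverLess compares plain "vX.Y.Z" versions numerically; pre-release
// and build suffixes are deliberately not handled in this toy.
func semverLess(a, b string) bool {
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// MVS builds the build list: walk every module version reachable from the
// main module and keep, per module path, the highest of the minimum
// versions that anyone requires. Lower versions in the graph lose.
func MVS(g Graph, main string) map[string]string {
	selected := map[string]string{}
	seen := map[string]bool{}
	var visit func(k string)
	visit = func(k string) {
		if seen[k] {
			return
		}
		seen[k] = true
		for _, r := range g[k] {
			if cur, ok := selected[r.Path]; !ok || semverLess(cur, r.Version) {
				selected[r.Path] = r.Version
			}
			visit(key(r.Path, r.Version))
		}
	}
	visit(main)
	return selected
}

// StaleSumLines returns go.sum entries whose version is not the selected
// one. The "/go.mod" hash of an unselected version legitimately stays (Go
// still reads that go.mod to compute the graph); the zip hash of an
// unselected version is never needed to build. A scanner that only greps
// go.sum cannot tell either of them from a version that is actually built.
func StaleSumLines(sum string, buildList map[string]string) []string {
	var stale []string
	for _, line := range strings.Split(strings.TrimSpace(sum), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		path, version := f[0], strings.TrimSuffix(f[1], "/go.mod")
		if buildList[path] != version {
			stale = append(stale, line)
		}
	}
	return stale
}

func main() {
	cases := []struct {
		name string
		g    Graph
	}{{"before", beforeGraph}, {"after", afterGraph}}
	for _, c := range cases {
		bl := MVS(c.g, mainKey)
		paths := make([]string, 0, len(bl))
		for p := range bl {
			paths = append(paths, p)
		}
		sort.Strings(paths)
		fmt.Printf("%s build list:", c.name)
		for _, p := range paths {
			fmt.Printf(" %s@%s", p, bl[p])
		}
		fmt.Println()
		for _, l := range StaleSumLines(goSum, bl) {
			fmt.Println("  go.sum line for an unselected version:", l)
		}
	}
}
```

Running it prints v0.3.6 selected for the "before" graph and v0.3.7 for the "after" graph, with the two v0.3.6 go.sum lines listed as unselected in the latter. The real `go list -m all` output is the authoritative build list; a scanner that reads go.sum rather than the build list will keep reporting the old version.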


@stefanprodan stefanprodan left a comment


LGTM

Thanks @pjbgf for the clarifications 🏅

@stefanprodan stefanprodan added the area/ci CI related issues and pull requests label Dec 9, 2021
@stefanprodan stefanprodan changed the title Bump dependencies to patch security advisories Update golang.org/x/text to v0.3.7 (fix CVE-2021-38561) Dec 9, 2021
@stefanprodan stefanprodan merged commit 2bb2fb2 into fluxcd:main Dec 9, 2021
@pjbgf pjbgf deleted the security-advisories branch December 9, 2021 09:47