
GODRIVER-2233 Bump packr/v2 dependency version to avoid vulnerability #813

Closed
wants to merge 1 commit into from

padamstx

This PR simply bumps up the version of the github.com/gobuffalo/packr/v2 dependency to be version 2.8.1.

This change is being made to address a security vulnerability that has been reported by Snyk:
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOBUFFALOPACKRV2-1920670
The remediation for this vulnerability is to use version 2.3.2 or higher of the packr package.

@padamstx (Author)

padamstx commented Nov 17, 2021

@matthewdale Hi Matt, I'm @mentioning you here because you appear to be one of the top/recent contributors to the project. This is my first PR in the project and I probably did everything wrong, but I'm just trying to bump up the version of the packr/v2 dependency to avoid a security vulnerability in my own project (which has a 2nd-order dependency on mongo-db-driver).

Could you please point out what might be causing the checks to fail, or (ideally) perhaps submit your own PR for the change (all I changed was the version # of the packr/v2 dependency in go.mod, with the rest of the changes being the result of running go mod tidy on the project).

Thanks in advance!
Phil

@matthewdale matthewdale self-requested a review November 17, 2021 22:57
@matthewdale (Collaborator)

Hey @padamstx, thanks for the PR!

We're actually working on removing the github.com/gobuffalo/packr/v2 dependency completely. PR #809 removes the code generation packages that use packr and we have a follow-up task (GODRIVER-2234) to remove the dependency. We're planning to release both of those changes with v1.8.0 sometime next week. Does that sound like it will resolve your issues?

@padamstx (Author)

> Hey @padamstx, thanks for the PR!
>
> We're actually working on removing the github.com/gobuffalo/packr/v2 dependency completely. PR #809 removes the code generation packages that use packr and we have a follow-up task (GODRIVER-2234) to remove the dependency. We're planning to release both of those changes with v1.8.0 sometime next week. Does that sound like it will resolve your issues?

Yep, that should resolve it! Thanks for the quick response.

@padamstx padamstx closed this Nov 17, 2021
@padamstx padamstx deleted the bump-packr branch November 17, 2021 23:15
@padamstx (Author)

@matthewdale Hi Matt, it turns out that this vulnerability is affecting a fair number of projects within the IBM Cloud group. We have one main project (https://github.com/IBM/go-sdk-core) which is a dependency for a number of client SDK projects (our client SDKs provide programmatic access to IBM Cloud services). The Go SDK core library is showing the vulnerability in our security scans due to its dependency on github.com/go-openapi/strfmt, which in turn is dependent on the mongo-go-driver module.

We have an internal deadline of 11/28 to resolve the vulnerability in our Go SDK core library (if at all possible), so I wanted to reach out to you to ask... If it looks like the new 1.8.0 release of mongo-go-driver will not be available next week, would it be possible for you to put out a patch release that bumps up the packr/v2 version as a stop-gap measure to provide relief (similar to the change in this PR)?
Once a new version of mongo-go-driver is available (either 1.8.0 or a potential stop-gap patch release), I can open a PR against the strfmt project and bump up its mongo-go-driver version accordingly.

Thank you! I appreciate your help!
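An added example (not code from the PR or the driver project) of the check a downstream consumer in this position can run: it parses `go mod graph` output, walks from the main module to the first requirement of a given module, and reports the chain only when the version reached is below the fixed version (v2.3.2 for packr/v2, per the advisory linked above). The module names in the embedded sample mirror the chain described in the comment above (go-sdk-core, strfmt, mongo-driver, packr/v2); the main module path and all version numbers are made up for the example.

```go
package main

import "strconv"
import "strings"

// Constructed `go mod graph` sample (made-up versions, not from the PR); each line is "<parent> <child@version>".
const sampleGraph = `github.com/example/go-sdk-core github.com/go-openapi/strfmt@v0.20.3
github.com/go-openapi/strfmt@v0.20.3 go.mongodb.org/mongo-driver@v1.7.4
go.mongodb.org/mongo-driver@v1.7.4 github.com/gobuffalo/packr/v2@v2.2.0`

// VersionAtLeast compares "vX.Y.Z" strings numerically (pre-release suffix dropped): v2.10.0 > v2.8.1 >= v2.3.2.
func VersionAtLeast(have, want string) bool {
	h := strings.Split(strings.SplitN(strings.TrimPrefix(have, "v"), "-", 2)[0], ".")
	w := strings.Split(strings.SplitN(strings.TrimPrefix(want, "v"), "-", 2)[0], ".")
	for i := 0; i < len(h) && i < len(w); i++ {
		hn, _ := strconv.Atoi(h[i])
		if wn, _ := strconv.Atoi(w[i]); hn != wn {
			return hn > wn
		}
	}
	return len(h) >= len(w)
}

// VulnerableChain walks the graph breadth-first from the main module (the first token) and returns the
// shortest requirement chain to modulePath, or nil if the module is absent or the version reached is >= minFixed.
func VulnerableChain(graph, modulePath, minFixed string) []string {
	f := append(strings.Fields(graph), "") // tokens alternate parent, child@version; "" keeps f[0] valid when empty
	edges := map[string][]string{}
	for i := 1; i < len(f); i += 2 {
		edges[f[i-1]] = append(edges[f[i-1]], f[i])
	}
	seen := map[string]bool{f[0]: true} // module graphs can contain cycles
	for queue := [][]string{{f[0]}}; len(queue) > 0; queue = queue[1:] {
		path := queue[0]
		n := path[len(path)-1]
		if mod, ver, ok := strings.Cut(n, "@"); ok && mod == modulePath {
			if VersionAtLeast(ver, minFixed) {
				return nil // the version pulled in here is already fixed
			}
			return path
		}
		for _, c := range edges[n] {
			if !seen[c] {
				seen[c] = true
				queue = append(queue, append(append([]string{}, path...), c))
			}
		}
	}
	return nil
}
```

Because Go selects the highest version of a module required anywhere in the graph, a reported chain is a lead rather than proof that the old version is built; confirm the selected version with `go list -m github.com/gobuffalo/packr/v2` before and after bumping the requirement in go.mod.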

@benjirewis (Contributor)

Hello @padamstx! GODRIVER-2234 (now merged) includes the removal of the packr dependency, and it should be available with both Go driver version 1.7.5 (the upcoming patch release) and Go driver version 1.8.0.

@padamstx (Author)

padamstx commented Nov 18, 2021

> Hello @padamstx! GODRIVER-2234 (now merged) includes the removal of the packr dependency, and it should be available with both Go driver version 1.7.5 (the upcoming patch release) and Go driver version 1.8.0.

Excellent! That's great news. For planning purposes, is there an ETA on the 1.7.5 and/or 1.8.0 releases?

@benjirewis (Contributor)

1.7.5 should be released early next week before Thanksgiving 🦃, @padamstx

@padamstx (Author)

@benjirewis Thank you!
