Update gopkg.in/yaml.v3 to v3.0.1 #308

SaschaSchwarze0 · 2022-05-24T11:55:46Z

Based on go tool nm, the rootlesskit binary is not affected by CVE-2022-28948, but not every security scanning tool is smart enough to detect that.

AkihiroSuda · 2022-05-25T13:33:56Z

Signed-off-by: Sascha Schwarze <schwarzs@de.ibm.com>

SaschaSchwarze0 · 2022-05-31T07:01:06Z

I think this should be fixed in the testify repo https://github.com/stretchr/testify/blob/285adcc5ced0bb267a7c874cfa3ca238266ce14f/go.mod#L9

Yeah, ideally. But that's a repo with >100 pull requests where things get rarely merged, at least three of the open PRs aim to fix it (stretchr/testify#1190, stretchr/testify#1192, stretchr/testify#1193). I leave it up to you.

In the meantime, I updated the PR to go to v3.0.1 based on go-yaml/yaml#666 (comment).

AkihiroSuda · 2022-06-05T09:02:50Z

Thanks, but let me just remove testify

SaschaSchwarze0 force-pushed the sascha-update-yaml.v3 branch from 3d9fb02 to 8bf889d Compare May 24, 2022 11:56

AkihiroSuda added this to the v1.0.2 milestone May 25, 2022

AkihiroSuda removed this from the v1.0.2 milestone May 25, 2022

Update gopkg.in/yaml.v3 to v3.0.1

4ef2c37

Signed-off-by: Sascha Schwarze <schwarzs@de.ibm.com>

SaschaSchwarze0 force-pushed the sascha-update-yaml.v3 branch from 8bf889d to 4ef2c37 Compare May 31, 2022 06:57

SaschaSchwarze0 changed the title ~~Update gopkg.in/yaml.v3 to v3.0.0~~ Update gopkg.in/yaml.v3 to v3.0.1 May 31, 2022

AkihiroSuda mentioned this pull request Jun 5, 2022

Replace github.com/stretchr/testify with gotest.tools/v3 #310

Merged

AkihiroSuda closed this Jun 5, 2022

Provide feedback