c521cf8 to 7a640f5
This seems OK. Small rant, but I have a remark about golang/net@4a2d37e: this affects only test files. If your tools are reporting these as "important" problems, I think the problem lies in the security scanning tooling. At the moment it is easy to upgrade deps, but in the long run this CVE world is getting out of hand, as it does only surface-level scanning/checking of deps and does not consider at all whether the vulnerable code is included/used/executed or not, causing ripples up the dependency graph.
@aldas Yep, I fully agree! Those are just vendored test files of the upstream project, but some security scanners are still flagging them as an issue. I know it is a false positive, but I hate having this come up every once in a while. Can't wait for the next release to finally silence the scanners.
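The distinction raised above, between a scanner that only matches module versions in go.mod and one that checks whether the affected code is actually referenced, as an added Go example that is not code from this PR or from the project. The advisory, the module `example.com/vulnlib`, its `parse.Decode` symbol, the go.mod and both source files are all constructed for the example; nothing here describes a real vulnerability. The symbol check inspects a single file's direct references with `go/ast`, which is far weaker than the call-graph analysis a tool like govulncheck performs, but it is enough to show why the two approaches disagree:

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
	"strings"
)

// Advisory is a hand-constructed advisory record (fictional module and
// symbol; not a real CVE and not a real Go package).
type Advisory struct {
	ID      string // fictional identifier
	Module  string // module path as written in go.mod
	FixedIn string // first version that contains the fix
	Package string // import path of the affected package
	Symbol  string // affected exported function
}

var exampleAdvisory = Advisory{
	ID: "EXAMPLE-2023-0001", Module: "example.com/vulnlib", FixedIn: "v1.3.0",
	Package: "example.com/vulnlib/parse", Symbol: "Decode",
}

// constructed go.mod pinning an affected version of the fictional module
const exampleGoMod = `module example.com/app

go 1.21

require (
	example.com/vulnlib v1.2.0
	github.com/stretchr/testify v1.8.4
)
`

// constructed source: imports the affected package but never calls Decode,
// so a module-level scanner flags it while a symbol-level check does not
const usesOtherSymbol = `package main

import p "example.com/vulnlib/parse"

func main() { _ = p.Version() }
`

// constructed source that really does call the affected symbol
const usesAffectedSymbol = `package main

import "example.com/vulnlib/parse"

func main() { _, _ = parse.Decode([]byte("x")) }
`

// requiredVersion returns the version go.mod requires for module, if any
// (handles both single-line and block "require" forms).
func requiredVersion(goMod, module string) (string, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// semverLess reports a < b for plain vMAJOR.MINOR.PATCH strings
// (pre-release suffixes are deliberately not handled).
func semverLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// moduleFlagged is the surface-level check: is an affected version pinned?
func moduleFlagged(goMod string, adv Advisory) bool {
	v, ok := requiredVersion(goMod, adv.Module)
	return ok && semverLess(v, adv.FixedIn)
}

// symbolReferenced is the minimal reachability check: does this file import
// the affected package and select the affected symbol through it? Local
// variables shadowing the package name are not resolved here.
func symbolReferenced(src string, adv Advisory) (bool, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "main.go", src, 0)
	if err != nil {
		return false, err
	}
	local := ""
	for _, imp := range file.Imports {
		if p, _ := strconv.Unquote(imp.Path.Value); p == adv.Package {
			if imp.Name != nil {
				local = imp.Name.Name // aliased import
			} else {
				local = path.Base(p) // assumes package name == last path element
			}
		}
	}
	if local == "" || local == "_" {
		return false, nil
	}
	found := false
	ast.Inspect(file, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && id.Name == local && sel.Sel.Name == adv.Symbol {
				found = true
			}
		}
		return !found
	})
	return found, nil
}

func main() {
	fmt.Printf("module-level: %s flagged=%v\n", exampleAdvisory.ID, moduleFlagged(exampleGoMod, exampleAdvisory))
	for _, c := range []struct{ name, src string }{{"other symbol", usesOtherSymbol}, {"affected symbol", usesAffectedSymbol}} {
		hit, err := symbolReferenced(c.src, exampleAdvisory)
		if err != nil {
			panic(err)
		}
		fmt.Printf("symbol-level (%s): reachable=%v\n", c.name, hit)
	}
}
```

Both sources sit on the same go.mod, so `moduleFlagged` reports them identically; only the symbol-level check separates the file that merely imports the package from the one that calls `Decode`. That gap is exactly where the false positives in this thread come from, and a single-file selector scan is only the first step toward closing it.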
Bump:
* golang.org/x/net v0.12.0 -> v0.15.0
* golang.org/x/crypto v0.11.0 -> v0.13.0
* github.com/stretchr/testify v1.8.1 -> v1.8.4

go mod tidy
7a640f5 to f753eca
Rebasing after #2527 left only github.com/stretchr/testify v1.8.1 -> v1.8.4 (diff stretchr/testify@v1.8.1...v1.8.4)
Bump:
* golang.org/x/net v0.12.0 -> v0.15.0 (diff golang/net@v0.12.0...v0.15.0) (obsolete since "Prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack" #2527)
* golang.org/x/crypto v0.11.0 -> v0.13.0 (diff golang/net@v0.11.0...v0.13.0) (obsolete since "Prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack" #2527)

The main motivation is golang.org/x/net, which got cleaned up recently in v0.15.0 via golang/net@4a2d37e, removing the reference to the ancient ubuntu:trusty, which currently has 559 known vulnerabilities, 4 of which are critical, triggering various false positive alerts...