Context

Dependabot is a feature of GitHub whose main purpose is to assist developers in staying on top of their dependency ecosystem.

Recently, Dependabot made multiple PRs to resolve CVE-2023-48795 in the Go Driver, which would require that we bump golang.org/x/crypto to v0.17.0. However, this version of crypto has taken a dependency on golang.org/x/text@0.14.0 which has a minimum version of Go 1.18. That means that we cannot merge this change into v1 without breaking our support for Go 1.13. For more details see the commit for fixing the CVE golang/crypto@9d2ee97 and the commit to update the Go directives in golang.org/x/test@6c97a16.

Definition of done

Either bump the minimum Go Version to 1.18 OR close the PRs that target v1:

• https://github.com/mongodb/mongo-go-driver/pull/1502
• https://github.com/mongodb/mongo-go-driver/pull/1505
• https://github.com/mongodb/mongo-go-driver/pull/1501

If the latter is chosen, two things need to be done: (1) Document the security vulnerability on the v1 branch, and (2) by default, Dependabot checks for manifest files on the default branch and raises pull requests for version updates against this branch. We should add .github/dependabot.yml that targets master only:

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "master"

In either event, we may want to add the config regardless to ensure PRs are opened for both branches going forward:

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "master"
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "v1"