[GODRIVER-2233] vulnerability alert for github.com/gobuffalo/packr/v2 dependency
Created: 16/Nov/21  Updated: 30/Nov/21  Resolved: 18/Nov/21

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: 1.7.4
Fix Version/s: 1.8.0, 1.7.5

Type: Bug
Priority: Blocker - P1
Reporter: Phil Adams
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
is caused by GODRIVER-2234 Remove dependencies added by operatio... Closed
Related
is related to GODRIVER-2234 Remove dependencies added by operatio... Closed
Documentation Changes: Not Needed

Description

Users of the go.mongodb.org/mongo-driver golang package are starting to see Snyk vulnerability alerts due to the github.com/gobuffalo/packr/v2 dependency.

Snyk link: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOBUFFALOPACKRV2-1920670

Per the Snyk vulnerability, version 2.3.2 of the packr/v2 package appears to be fixed.

Please deliver a new version of the mongo-driver package that avoids this vulnerability.



Comments
Comment by Benji Rewis (Inactive) [ 18/Nov/21 ]

We've conveniently just removed the packr dependency as part of GODRIVER-2234, so this vulnerability shouldn't be an issue anymore. That removal will be available as part of the upcoming Go driver versions 1.7.5 and 1.8.0.

Comment by Phil Adams [ 17/Nov/21 ]

I've submitted this PR to address this Jira:
https://github.com/mongodb/mongo-go-driver/pull/813

Generated at Thu Feb 08 08:38:07 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.