[GODRIVER-2233] vulnerability alert for github.com/gobuffalo/packr/v2 dependency
Created: 16/Nov/21 Updated: 30/Nov/21 Resolved: 18/Nov/21
| Status: | Closed |
| Project: | Go Driver |
| Component/s: | None |
| Affects Version/s: | 1.7.4 |
| Fix Version/s: | 1.8.0, 1.7.5 |
| Type: | Bug | Priority: | Blocker - P1 |
| Reporter: | Phil Adams | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Documentation Changes: | Not Needed |
| Description |
|
Users of the go.mongodb.org/mongo-driver golang package are starting to see Snyk vulnerability alerts due to the github.com/gobuffalo/packr/v2 dependency. Snyk link: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOBUFFALOPACKRV2-1920670
Per the Snyk vulnerability, version 2.3.2 of the packr/v2 package appears to be fixed. Please deliver a new version of the mongo-driver package that avoids this vulnerability. |
| Comments |
| Comment by Benji Rewis (Inactive) [ 18/Nov/21 ] |
|
We've conveniently just removed the packr dependency as part of |
| Comment by Phil Adams [ 17/Nov/21 ] |
|
I've submitted this PR to address this Jira: |