Bump github.com/go-task/slim-sprig #1167
Conversation
There is a known vulnerability in version of gopkg.in/yaml.v2 prior to v2.2.4 [1]. Currently this vulnerability is indirectly referenced as follows: Ginkgo requires github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 requires github.com/stretchr/testify v1.5.1 github.com/stretchr/testify v1.5.1 requires gopkg.in/yaml.v2 v2.2.2 This commit bumps slim-sprig to the most recent commit, in which github.com/stretchr/testify v1.6.1 is used and does not include the vulnerability [1] https://pkg.go.dev/vuln/GO-2022-0956 Signed-off-by: Salvatore Daniele <sdaniele@redhat.com>
|
Can we get this merged asap? It's blocking some of our work. |
|
Beat me to it @onsi... @bn222 @SalDaniele did you need a new release cutting too? |
|
It would help keep things cleaner if possible, no worries if not |
|
ha! - thanks @blgm ! I'll take this opportunity to gently mention that Ginkgo/Gomega do not have a CLA around providing security patches in a timely manner. If your organization has a business-critical dependence on Ginkgo/Gomega please consider asking your management to sponsor the project. I'll cut a new gomega release now too. |
|
btw @blgm i've now scripted the release process (at least on my machine - i have a nice little |
|
Great, thanks for the quick response |
There is a known vulnerability in version of gopkg.in/yaml.v2 prior to v2.2.4 [1]. Currently this vulnerability is indirectly referenced as follows:
Ginkgo requires github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 requires github.com/stretchr/testify v1.5.1
github.com/stretchr/testify v1.5.1 requires gopkg.in/yaml.v2 v2.2.2
This commit bumps slim-sprig to the most recent commit, in which github.com/stretchr/testify v1.6.1 is used and does not include the vulnerability
[1] https://pkg.go.dev/vuln/GO-2022-0956