DataDog/sketches-go

current dep google.golang.org/protobuf@v1.25.0 requires too many dependencies, one of its transitive deps is vulnerable

owlwalks opened this issue · 1 comment

Describe what happened:
current dep google.golang.org/protobuf@v1.25.0 requires too many dependencies, one of its transitive deps is vulnerable

github.com/DataDog/sketches-go@v1.0.0
↑
google.golang.org/protobuf@v1.25.0
↑
google.golang.org/genproto@v0.0.0-20200526211855-cb27e3aa2013
↑
google.golang.org/grpc@v1.27.0
↑
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55
↑
google.golang.org/grpc@v1.19.0
↑
golang.org/x/text@v0.3.0

CVE-2020-14040 is affecting golang.org/x/text@v0.3.0

Describe what you expected:
update google.golang.org/protobuf to 1.26.0

Steps to reproduce the issue:
go mod graph
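As an added example (not part of this issue or of the sketches-go code), the Go program below parses constructed `go mod graph` output built from the chain above and finds the shortest requirement path from the root module to golang.org/x/text, which is the question a reviewer has to answer for any flagged transitive module. The module path and version strings are taken from the issue; the root name `github.com/DataDog/sketches-go` is assumed to appear without a version, as `go mod graph` prints it.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed "go mod graph" sample reproducing the issue's chain (one "requirer requirement" pair per line).
const SampleGraph = `github.com/DataDog/sketches-go google.golang.org/protobuf@v1.25.0
google.golang.org/protobuf@v1.25.0 google.golang.org/genproto@v0.0.0-20200526211855-cb27e3aa2013
google.golang.org/genproto@v0.0.0-20200526211855-cb27e3aa2013 google.golang.org/grpc@v1.27.0
google.golang.org/grpc@v1.27.0 google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 google.golang.org/grpc@v1.19.0
google.golang.org/grpc@v1.19.0 golang.org/x/text@v0.3.0`

// ParseGraph turns "go mod graph" text into an adjacency list keyed by "path@version".
func ParseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// FindPath does a BFS from root and returns the shortest requirement chain to target (any version), or nil if absent.
func FindPath(edges map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""} // node -> requirer; also the visited set
	queue := []string{root}
	for i := 0; i < len(queue); i++ {
		cur := queue[i]
		if strings.SplitN(cur, "@", 2)[0] == target {
			var path []string
			for n := cur; n != ""; n = parent[n] { // walk requirers back to the root
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() { fmt.Println(strings.Join(FindPath(ParseGraph(SampleGraph), "github.com/DataDog/sketches-go", "golang.org/x/text"), "\n")) }
```

`go mod graph` lists every requirement edge, including versions that minimal version selection does not pick, so confirm the version actually built with `go list -m golang.org/x/text` (and `go mod why -m golang.org/x/text` for the selected chain) before treating the build as affected.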

Thanks @owlwalks for reporting this. #51 updates google.golang.org/protobuf to 1.27.1. You can now use v1.2.0.