CVE-2020-16845 still occurs on dependent products
mishas opened this issue · 3 comments
Hello @naveensrinivasan and @fergusstrange ,
I just updated embedded-postgres to v1.11.0, and I still get the `github.com/ulikunitz/xz@v0.5.6` dependency in my go.sum (after `go mod tidy`).
I think the reason for this is that in #42 you've used a `replace` directive, which only does something locally, instead of a `require` (`// indirect`) directive that would affect projects depending on yours.
From https://golang.org/ref/mod#go-mod-file-replace:
replace directives only apply in the main module’s go.mod file and are ignored in other modules. See Minimal version selection for details.
I think the following fix will do the trick:
- replace github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8
+ require github.com/ulikunitz/xz v0.5.10 // indirect
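Review bot: editing the require line by hand to v0.5.10 leaves go.sum without the hashes for that version, so the module will not build cleanly until go.sum is regenerated; apply the change with `go get github.com/ulikunitz/xz@v0.5.10` followed by `go mod tidy` rather than editing go.mod directly, then confirm from a downstream module with `go list -m github.com/ulikunitz/xz` that v0.5.10 is now selected. The dropped `replace` line only ever affected this repository's own builds, as the quoted reference text says, so nothing is lost by removing it.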
(Please also note that there's no reason to use v0.5.8 when v0.5.10 is available.)
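To make the difference between the two directives concrete, here is an added toy model of Go's minimal version selection (MVS) for a single dependency; it is not code from embedded-postgres or from the Go toolchain. It parses a small subset of go.mod syntax, walks the requirement graph, keeps the highest version anyone requires, and honours a `replace` only in the main module. The go.mod texts are constructed for the example, and `example.com/archive` is a hypothetical stand-in for whichever dependency pulls xz in transitively.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// modFile is a minimal model of one go.mod: module path, require lines, replace lines.
type modFile struct {
	path     string
	requires map[string]string // module path -> required version
	replaces map[string]string // module path -> replacement version
}

// parseGoMod handles only the subset used below: `module`, single-line and
// block `require`, and `replace old => new vX`. Comments (e.g. // indirect) are stripped.
func parseGoMod(text string) modFile {
	m := modFile{requires: map[string]string{}, replaces: map[string]string{}}
	inRequire := false
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "module":
			m.path = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire:
			m.requires[f[0]] = f[1]
		case f[0] == "require":
			m.requires[f[1]] = f[2]
		case f[0] == "replace" && len(f) == 5 && f[2] == "=>":
			m.replaces[f[1]] = f[4]
		}
	}
	return m
}

// semverLess compares vMAJOR.MINOR.PATCH numerically (no pre-release handling).
func semverLess(a, b string) bool {
	part := func(v string, i int) int {
		p := strings.Split(strings.TrimPrefix(v, "v"), ".")
		if i >= len(p) {
			return 0
		}
		n, _ := strconv.Atoi(p[i])
		return n
	}
	for i := 0; i < 3; i++ {
		if x, y := part(a, i), part(b, i); x != y {
			return x < y
		}
	}
	return false
}

// selectVersion applies the MVS rule for one target module: walk the requirement
// graph from the main module, keep the highest required version, and apply a
// replace directive only when it is in the main module's own go.mod.
func selectVersion(root modFile, graph map[string]modFile, target string) string {
	selected, seen, queue := "", map[string]bool{}, []modFile{root}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		if seen[m.path] {
			continue
		}
		seen[m.path] = true
		for dep, ver := range m.requires {
			if dep == target && (selected == "" || semverLess(selected, ver)) {
				selected = ver
			}
			if next, ok := graph[dep]; ok {
				queue = append(queue, next) // replaces in `next` are deliberately ignored
			}
		}
	}
	if r, ok := root.replaces[target]; ok && selected != "" {
		return r
	}
	return selected
}

// Constructed go.mod texts modelled on the issue (example.com/archive is a placeholder).
const xz = "github.com/ulikunitz/xz"

const archiveMod = "module example.com/archive\n\nrequire github.com/ulikunitz/xz v0.5.6\n"

const libBefore = "module github.com/fergusstrange/embedded-postgres\n\n" +
	"require example.com/archive v1.0.0\n\n" +
	"replace github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8\n"

const libAfter = "module github.com/fergusstrange/embedded-postgres\n\n" +
	"require (\n\texample.com/archive v1.0.0\n\tgithub.com/ulikunitz/xz v0.5.10 // indirect\n)\n"

const consumerMod = "module example.com/app\n\nrequire github.com/fergusstrange/embedded-postgres v1.11.0\n"

// xzSeenBy returns the xz version the toy MVS selects for mainMod when
// embedded-postgres ships libMod as its go.mod.
func xzSeenBy(mainMod, libMod string) string {
	graph := map[string]modFile{}
	for _, t := range []string{archiveMod, libMod} {
		m := parseGoMod(t)
		graph[m.path] = m
	}
	return selectVersion(parseGoMod(mainMod), graph, xz)
}

func main() {
	fmt.Println("library itself, with replace:  ", xzSeenBy(libBefore, libBefore))   // v0.5.8
	fmt.Println("consumer, library uses replace:", xzSeenBy(consumerMod, libBefore)) // v0.5.6
	fmt.Println("consumer, library uses require:", xzSeenBy(consumerMod, libAfter))  // v0.5.10
}
```

The three results are the whole point of the issue: the `replace` lifts xz to v0.5.8 for embedded-postgres's own builds, the consumer still resolves v0.5.6 because that replace is ignored outside the main module, and the `require ... // indirect` line raises the consumer's selection to v0.5.10 because MVS takes the highest version required anywhere in the graph. The real toolchain additionally needs go.sum entries for the selected version, which this model does not track.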
Ah, good spot, this one slipped me by. I'll take a look at getting that PR in over this weekend.
Thank you very much!
Appreciate it!