fergusstrange/embedded-postgres

CVE-2020-16845 still occurs on dependent products

mishas opened this issue · 3 comments

Hello @naveensrinivasan and @fergusstrange ,

I just updated embedded-postgres to v1.11.0, and I still get the github.com/ulikunitz/xz@v0.5.6 dependency in my go.sum (after go mod tidy).

I think the reason for this is that in #42 you've used a replace directive, which only does something local, instead of a require (// indirect) directive that would affect projects depending on yours.
From https://golang.org/ref/mod#go-mod-file-replace:

replace directives only apply in the main module’s go.mod file and are ignored in other modules. See Minimal version selection for details.

I think the following fix will do the trick:

- replace github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8
+ require github.com/ulikunitz/xz v0.5.10 // indirect
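Review bot: the `require github.com/ulikunitz/xz v0.5.10 // indirect` line is the right mechanism here, because a `require` becomes a floor that minimal version selection honours in every downstream build, whereas the removed `replace` only took effect while this repository was the main module; after applying the hunk, run `go mod tidy` so go.sum gains the v0.5.10 entries and the `// indirect` marker stays consistent, and confirm from a consuming module with `go list -m github.com/ulikunitz/xz` that the selected version is no longer v0.5.6.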

(Please also note that there's no reason to use v0.5.8 when v0.5.10 is available.)
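To show why the replace line does not propagate but the require line does, here is an added Go example (not part of this thread or of embedded-postgres) that runs minimal version selection over a constructed dependency graph; example.com/app and example.com/archive are hypothetical stand-ins for a downstream main module and for the library that pulls in xz, and the version comparison assumes plain vX.Y.Z tags.

```go
package main

import "fmt"

// Module is one module path at one version, e.g. github.com/ulikunitz/xz@v0.5.6.
type Module struct{ Path, Version string }

// key turns a vMAJOR.MINOR.PATCH tag into a comparable integer (assumes each part < 2^20).
func key(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a<<40 | b<<20 | c
}

// Select is minimal version selection over reqs, which maps each module version to the
// require lines of its go.mod: every version reachable from main contributes its
// requirements and the highest version required per path wins. replace directives are
// absent on purpose: they apply only in the main module's go.mod, so downstream builds never see the one from #42.
func Select(main Module, reqs map[Module][]Module) map[string]string {
	selected, seen := map[string]string{}, map[Module]bool{main: true}
	for queue := []Module{main}; len(queue) > 0; queue = queue[1:] {
		for _, dep := range reqs[queue[0]] {
			if cur, ok := selected[dep.Path]; !ok || key(cur) < key(dep.Version) {
				selected[dep.Path] = dep.Version
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}

// SelectedXZ returns the xz version a downstream main module selects through the
// constructed chain app -> embedded-postgres -> example.com/archive -> xz v0.5.6,
// with or without the proposed `require github.com/ulikunitz/xz v0.5.10 // indirect`.
func SelectedXZ(withRequire bool) string {
	app := Module{"example.com/app", "v0.0.0"}     // hypothetical downstream main module
	ep := Module{"github.com/fergusstrange/embedded-postgres", "v1.11.0"}
	mid := Module{"example.com/archive", "v1.0.0"} // constructed stand-in for the library that pulls in xz
	reqs := map[Module][]Module{app: {ep}, ep: {mid}, mid: {{"github.com/ulikunitz/xz", "v0.5.6"}}}
	if withRequire {
		reqs[ep] = append(reqs[ep], Module{"github.com/ulikunitz/xz", "v0.5.10"})
	}
	return Select(app, reqs)["github.com/ulikunitz/xz"]
}
```

SelectedXZ(false) yields v0.5.6 (the vulnerable version survives because the replace is invisible downstream), while SelectedXZ(true) yields v0.5.10.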

Ah good spot, this one slipped me by. I'll take a look at getting that PR in over this weekend.

Hey @mishas, this is now merged in and appears to be working well on a number of my own projects. I have released at v1.11.0 if you wanted to give it a try!

Thanks for all the feedback and patience, this was probably the longest running PR we've had!

Thank you very much!
Appreciate it!