Upgrade go version to eliminate CVE-2022-27664 CVE-2022-32149 in dependencies
GRbit opened this issue · 0 comments
Description
If you build the Go dependency tree using the `go mod graph` tool (and optionally convert it to an image like this: `go mod graph | modgv | dot -Tsvg -o graph.svg`), you will see that there are multiple dependencies on quite old libraries. For example, there is CVE-2022-27664 in the net/http package in versions before Go 1.18.6 and CVE-2022-32149 in golang.org/x/text before 0.3.8.
Checking the graph (or looking in go.sum) you can see that the current version contains vulnerable dependencies. The only way to fix it that I've found is to update the Go version. Otherwise, the dependencies are preserved no matter what.
I've created PR #175 to fix the issue, but I'm not sure that this is the only way and I don't know how to properly test these changes. Also, it forces users to upgrade their go version, I don't know if it's ok for this package.
So, let's discuss the problem and try to find the best possible way to fix this.
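To turn the "check the graph" step above into something repeatable, here is an added example (not part of the issue or the project) that parses `go mod graph` output and reports every edge that pulls in a module below its fixed version, so the parent that drags in the old golang.org/x/text can be seen directly. The graph text is a constructed sample; module paths and versions in it are made up for illustration.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output (not the real module's graph).
const sampleGraph = `example.com/app github.com/some/lib@v1.2.0
example.com/app golang.org/x/text@v0.3.8
github.com/some/lib@v1.2.0 golang.org/x/text@v0.3.3
github.com/some/lib@v1.2.0 golang.org/x/net@v0.0.0-20211112202133-69e39bad7dc2`

// versionKey maps "vMAJOR.MINOR.PATCH[-suffix]" to one ordered integer; the
// pre-release or pseudo-version suffix is dropped, which is enough here.
func versionKey(v string) (key int, ok bool) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n >= 10000 { // keeps the key correctly ordered
			return 0, false
		}
		key = key*10000 + n
	}
	return key, len(parts) == 3
}

// VulnerableEdges returns each "parent -> child" edge whose child is module below
// fixedIn (parent is what pulls it in); unparseable versions come back as unknown.
func VulnerableEdges(graph, module, fixedIn string) (hits, unknown []string) {
	fixed, ok := versionKey(fixedIn)
	if !ok {
		panic("fixedIn must look like vMAJOR.MINOR.PATCH: " + fixedIn)
	}
	for _, line := range strings.Split(graph, "\n") {
		parent, child, ok := strings.Cut(strings.TrimSpace(line), " ")
		path, ver, _ := strings.Cut(child, "@")
		if !ok || path != module {
			continue // blank line, malformed line, or a different module
		}
		edge := parent + " -> " + child
		if got, ok := versionKey(ver); !ok {
			unknown = append(unknown, edge)
		} else if got < fixed {
			hits = append(hits, edge)
		}
	}
	return hits, unknown
}
```

Feed it the real output of `go mod graph` instead of the sample and the `unknown` list tells you which edges still need a manual look.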