labstack/gommon

CVE: update testify/yaml dependencies

Closed this issue · 1 comments

gommon v0.3.0 uses github.com/stretchr/testify@v1.4.0, which in turn uses gopkg.in/yaml.v2@v2.2.2, which suffers from a severe CVE long since fixed, as there is at least a v2.2.8 and even a v2.4.0.

By simply upgrading the yaml dependency, this would avoid having the CVE reported by security scanning tools (like Sonatype).

Simply upgrade the dependency for github.com/stretchr/testify from v1.4.0 to v1.7.0, which in turn uses gopkg.in/yaml.v3, then publish a v0.4.0/v0.3.1 which will be usable by the echo project.
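An added audit helper, not code from the gommon project or the issue author: it parses `go mod graph` output (the sample below is constructed to mirror the testify -> yaml.v2 chain described above) and reports every requirement edge that asks for a module version older than the fixed one, together with the module that introduced it. `go mod graph` lists requirements rather than the version the build finally selects, so a finding here is what a scanner sees; `go list -m gopkg.in/yaml.v2` shows the selected version.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output (not captured from a real build):
// each line is "requirer@version dependency@version"; the root module has no version.
const sampleGraph = `github.com/labstack/gommon github.com/stretchr/testify@v1.4.0
github.com/stretchr/testify@v1.4.0 gopkg.in/yaml.v2@v2.2.2
github.com/stretchr/testify@v1.4.0 github.com/davecgh/go-spew@v1.1.0`

// Finding is one requirement edge asking for a module version below the fixed one.
type Finding struct{ Requirer, Module, Version string }

// versionLess reports whether a is older than b, comparing the MAJOR.MINOR.PATCH
// numbers of "vX.Y.Z" (a pre-release or build suffix is ignored by Sscanf).
func versionLess(a, b string) bool {
	var pa, pb [3]int
	fmt.Sscanf(strings.TrimPrefix(a, "v"), "%d.%d.%d", &pa[0], &pa[1], &pa[2])
	fmt.Sscanf(strings.TrimPrefix(b, "v"), "%d.%d.%d", &pb[0], &pb[1], &pb[2])
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// findBelowMinimum returns every edge in graph that requires module at a version
// older than fixed, so the requirer column shows which dependency to bump.
func findBelowMinimum(graph, module, fixed string) []Finding {
	var out []Finding
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		path, version := f[1], ""
		if i := strings.LastIndex(path, "@"); i >= 0 {
			path, version = path[:i], path[i+1:]
		}
		if path == module && versionLess(version, fixed) {
			out = append(out, Finding{f[0], path, version})
		}
	}
	return out
}
```

Pipe real output in with `go mod graph` and call `findBelowMinimum(graph, "gopkg.in/yaml.v2", "v2.2.8")`; an empty result means no requirement edge still asks for the unfixed range.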