Merged
Conversation
e868dbe to
c4c4dab
Compare
jamietanna
pushed a commit
that referenced
this pull request
Jan 3, 2024
Using https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to validate [the CVE] it notes that: ``` Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities... === Informational === Found 1 vulnerability in packages that you import, but there are no call stacks leading to the use of this vulnerability. You may not need to take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details. Vulnerability #1: GO-2023-2074 Parser out-of-bounds read vulnerability caused by a malformed markdown input More info: https://pkg.go.dev/vuln/GO-2023-2074 Module: github.com/gomarkdown/markdown Found in: github.com/gomarkdown/markdown@v0.0.0-20230716120725-531d2d74bc12 Fixed in: github.com/gomarkdown/markdown@v0.0.0-20230922105210-14b16010c2ee No vulnerabilities found. Share feedback at https://go.dev/s/govulncheck-feedback. ``` This means that for most users of this package, they are unaffected, but to make sure that we keep this package CVE free, we can update the transitive dependency. We cannot update Iris, which pulls in this dependency, due to it now requiring Go 1.21, and we do not want to require Go 1.21 for consumers. Co-authored-by: Paul Imbert <9633306-pimbert@users.noreply.gitlab.com> Co-authored-by: Jamie Tanna <jamie.tanna@elastic.co> [the CVE]: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNPARSER-5916451
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.