Migrate from satori/go.uuid to gofrs/uuid #3158
Comments
@jhendrixMSFT Is there anything we can do about this? I'd really prefer using |
I would too, the issue is it's a pretty big breaking change. We need to coordinate with our large partners and "get the message out" that we'll be making this change. |
Now that I really think about this. Is it possible to just use the Thoughts @jhendrixMSFT ? |
It would be a significant breaking change, more than switching to gofrs/uuid. Also depending on who you ask one could also make the argument it should be a byte array since technically that's what a UUID is (but then parsing, helpers to convert to string, etc now you're back to using a UUID type). |
I understand, but I feel |
Is it though? gofrs/uuid is a fork of satori/go.uuid and is API compatible, so in theory it should simply be a matter of changing imports. |
Closing as we won't be making this change in the track 1 SDK. Note that for track 2 we've decided to leave UUIDs in string format, allowing consumers to use their preferred helper package. |
@jhendrixMSFT at the moment we have a project that is correctly being flagged (internally at MS) due to dependency on the |
After some internal discussion we've decided to make this fix. I scanned the affected packages and it's only ~20% so we feel that the breaking change is low enough impact to be worth it. |
@ArcturusZhang could you please update the code generator to replace |
@jhendrixMSFT @ArcturusZhang Could you please confirm this issue is fixed in V1 SDK and also point out the released version where the fix is? |
The migration was done in v53.0.0: https://github.com/Azure/azure-sdk-for-go/releases/tag/v53.0.0 |
The previously used version included a vulnerable dependency related to satori/go.uuid#115 and Azure/azure-sdk-for-go#3158
Bug Report
The version azure-sdk-for-go currently uses does have a critical flaw when creating UUIDs. This package doesn't create UUIDs, but since it is a flawed version that is brought in, there is a risk of future bugs, or of bugs in projects that use azure-sdk-for-go.
Gofrs is a community-driven effort to provide maintainers for valuable projects. They forked satori/go.uuid after it appeared to be no longer maintained while exhibiting critical flaws. The fork will most likely be given more maintainer love than the original one.
I did create a pull request #3139 that was closed due to the usage of go.uuid in the code generator.
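Two points from this thread are worth seeing in code: the track 2 decision to keep UUIDs as plain strings and let consumers pick their own helper, and the bug report's concern that a flawed generator can silently hand back bad UUIDs. The example below is added here for illustration and is not code from azure-sdk-for-go, satori/go.uuid or gofrs/uuid; it uses only the Go standard library. It assumes the risk class to guard against is an entropy read that fails or comes up short, so `NewV4From` reports that as an error instead of returning whatever was in the buffer, and `Parse` validates a string-typed UUID from an API response before it is used. The type and function names (`UUID`, `NewV4From`, `NewV4`, `Parse`) are my own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// UUID is a 128-bit value held as raw bytes. The SDK's track 2 design keeps
// UUIDs as strings on the wire, so conversion happens at the edges via
// String and Parse.
type UUID [16]byte

var ErrInvalidUUID = errors.New("uuid: invalid canonical form")

// NewV4From builds a random (version 4) UUID from the given entropy source.
// A failed or short read is returned as an error rather than ignored, so a
// broken RNG can never yield a predictable identifier (assumed risk class;
// this is illustrative code, not the library's own implementation).
func NewV4From(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: entropy source failed: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4 in the high nibble of byte 6
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant in the top two bits of byte 8
	return u, nil
}

// NewV4 draws from the OS CSPRNG.
func NewV4() (UUID, error) { return NewV4From(rand.Reader) }

// String renders the canonical lowercase 8-4-4-4-12 hex form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// Version returns the version nibble (4 for random UUIDs).
func (u UUID) Version() int { return int(u[6] >> 4) }

// Parse accepts only the canonical 36-character form with dashes at the
// RFC 4122 positions and hex everywhere else; anything else is rejected so a
// string field received from an API is validated before use.
func Parse(s string) (UUID, error) {
	var u UUID
	if len(s) != 36 || s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
		return u, ErrInvalidUUID
	}
	compact := strings.ReplaceAll(s, "-", "")
	if len(compact) != 32 { // extra dashes in other positions
		return u, ErrInvalidUUID
	}
	b, err := hex.DecodeString(compact)
	if err != nil {
		return u, ErrInvalidUUID
	}
	copy(u[:], b)
	return u, nil
}

func main() {
	u, err := NewV4()
	if err != nil {
		fmt.Println("generation failed:", err)
		return
	}
	fmt.Println("generated:", u.String(), "version", u.Version())

	// Constructed sample inputs: one valid string and one malformed one.
	for _, s := range []string{u.String(), "not-a-uuid"} {
		if _, err := Parse(s); err != nil {
			fmt.Printf("rejected %q: %v\n", s, err)
		} else {
			fmt.Printf("accepted %q\n", s)
		}
	}
}
```

Keeping the wire representation as a string, as the thread describes for track 2, means the SDK does not force a UUID package on its consumers; the cost is that every consumer must validate the string on the way in, which is what `Parse` does here.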