github.com/satori/uuid has security issues

[cbndr]

Describe the Bug
Current golang-migrate version uses the package github.com/satori/uuid, which has security issues and seems to be no longer maintained. There is a drop-in replacement github.com/gofrs/uuid by a team who forked satori/uuid, removed the issues and maintains the lib.

Steps to Reproduce
Check module dependencies.

Expected Behavior
Use github.com/gofrs/uuid (satori/uuid compatible interface) or google/uuid.

Migrate Version
v4.7.0

Go Version
go version go1.13 linux/amd64

[dhui]

Migrate doesn't have a direct dependency on github.com/satori/uuid
If you can identify the indirect dependency chain (go mod why and go mod why -m don't work for some reason...), I'd be happy update accordingly

[cbndr]

Right, go mod why also doesn't work for me. If I do go mod graph | grep uuid, I get github.com/golang-migrate/migrate/v4@v4.7.0 github.com/satori/go.uuid@v1.2.0. Will try to find out where it comes from.

[thesoulless]

It's actually a Cockroachdb's dependancy:

# github.com/satori/go.uuid
github.com/golang-migrate/migrate/v4/database/cockroachdb
github.com/cockroachdb/cockroach-go/crdb
github.com/jackc/pgx
github.com/jackc/pgx.test
github.com/satori/go.uuid

So we can close this issue and open one on their repo.

[dhui]

Thanks @thesoulless for the pointer! Looks like go mod why works better in Go 1.14

The issue is already fixed in cockroachdb I updated the driver