chore: Update go dependency to fix CVE-2022-1996 #328
Conversation
Signed-off-by: Christian Kadner <ckadner@us.ibm.com>
|
|
||
| // Update prometheus client to avoid CVE-2022-21698 | ||
| github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.12.1 | ||
|
|
||
| go.uber.org/atomic => github.com/uber-go/atomic v1.9.0 |
There was a problem hiding this comment.
@ckadner presumably this is no longer needed (it was there originally to address an earlier CVE I think)
There was a problem hiding this comment.
Right, obsolete, since the same version is already being pulled as a direct dependency:
https://github.com/kserve/modelmesh-serving/blame/main/go.mod#L23
Being used here:
https://github.com/kserve/modelmesh-serving/blame/main/pkg/mmesh/modelmesh_service.go#L27
$ cat go.mod | grep "atomic\|replace\|require"
require (
go.uber.org/atomic v1.9.0
require (
replace (
go.uber.org/atomic => github.com/uber-go/atomic v1.9.0
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ckadner, njhill The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
Motivation
Address a security vulnerability in old version of the
go-restfullibraryModifications
Update go dependency
Result
No longer vulnerable to the "Authorization Bypass Through User-Controlled Key".
Related Issues:
https://github.com/kserve/modelmesh-serving/security/dependabot/4
emicklei/go-restful#489
https://www.cve.org/CVERecord?id=CVE-2022-1996
https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/