The Godeps.json for client-go pins gopkg.in/yaml.v2 to version 53feefa2559fb8dfa8d81baad31be332c97d6c77. That commit is from 2 years ago, and lacks a lot of bug fixes and new functionality (notably UnmarshalStrict, which is extremely useful for parsing configs out of ConfigMaps).
Please update this package pin to a (much) newer version.
More generally, this is a worrying consequence of using package locks without actively updating them over time. How many CVEs am I vulnerable to because client-go is forcing my code to pull in ancient libraries? Are there any plans to try and address this?
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale