gopkg.in/yaml.v2:v2.4.0 is End Of Life support, Can we use v3? #1579
Comments
|
Interesting. We don't use yaml. We will have to check in the transient dependency who uses it. At least Prometheus common has this. Can you add same issue on https://github.com/prometheus/common? Thanks! |
bwplotka
added
question
dependencies
|
Hello, due to the current inclusion of gopkg.in/yaml.v2@v2.4.0, a vulnerability CVE-2022-28948 has been detected. As per compliance requirements, it is necessary to address this issue within the given deadline. I would like to inquire if there are any plans to upgrade to gopkg.in/yaml.v3 v3.0.1 in order to resolve this matter. Thank you for your attention. |
|
This project does not use anything related to YAML, it does not use this module, so it's not vulnerable. Plus the vulnerability you mention is for v3 version only, not for v2 (see e.g. Teamwork/kommentaar#91 (comment)) |
I can see gopkg.in/yaml.v2 is being used. Our BlackDuck scan shows gopkg.in/yaml.v2 version is EOLed. Hence can we update this component to latest v3 version.
The text was updated successfully, but these errors were encountered: