Using https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to validate [the
CVE] it notes that:
```
Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities...
=== Informational ===
Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2023-2074
Parser out-of-bounds read vulnerability caused by a malformed markdown input
More info: https://pkg.go.dev/vuln/GO-2023-2074
Module: github.com/gomarkdown/markdown
Found in: github.com/gomarkdown/markdown@v0.0.0-20230716120725-531d2d74bc12
Fixed in: github.com/gomarkdown/markdown@v0.0.0-20230922105210-14b16010c2ee
No vulnerabilities found.
Share feedback at https://go.dev/s/govulncheck-feedback.
```
This means that for most users of this package, they are unaffected, but
to make sure that we keep this package CVE free, we can update the
transitive dependency.
We cannot update Iris, which pulls in this dependency, due to it now
requiring Go 1.21, and we do not want to require Go 1.21 for consumers.
Co-authored-by: Paul Imbert <9633306-pimbert@users.noreply.gitlab.com>
Co-authored-by: Jamie Tanna <jamie.tanna@elastic.co>
[the CVE]: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNPARSER-5916451
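An added example, not code from this commit or from the gomarkdown or Iris projects: a small Go program that parses govulncheck's plain-text report (the sample is constructed from the output quoted above) and marks each entry as informational or reachable, so a CI gate can fail only on reachable findings while still printing the `go get` line that pins the transitive dependency at its fixed version. It assumes the report layout shown above; that text format is not a stable interface, so for automation `govulncheck -json` is the better input.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleReport is constructed from the govulncheck output in the commit message above.
const sampleReport = `=== Informational ===
Vulnerability #1: GO-2023-2074
Module: github.com/gomarkdown/markdown
Found in: github.com/gomarkdown/markdown@v0.0.0-20230716120725-531d2d74bc12
Fixed in: github.com/gomarkdown/markdown@v0.0.0-20230922105210-14b16010c2ee`

// Finding is one "Vulnerability #N" entry; Informational = imported, but no call stack reaches it.
type Finding struct {
	ID, Module, FixedIn string
	Informational       bool
}

// ParseReport parses govulncheck's text report; entries before the Informational marker need action.
func ParseReport(report string) []Finding {
	var fs []Finding
	informational := false
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "=== Informational ===":
			informational = true
		case strings.HasPrefix(line, "Vulnerability #"):
			_, id, _ := strings.Cut(line, ": ") // "Vulnerability #1: GO-2023-2074"
			fs = append(fs, Finding{ID: id, Informational: informational})
		case len(fs) == 0:
			continue // field lines before the first entry belong to no finding
		case strings.HasPrefix(line, "Module: "):
			fs[len(fs)-1].Module = strings.TrimPrefix(line, "Module: ")
		case strings.HasPrefix(line, "Fixed in: "):
			fs[len(fs)-1].FixedIn = strings.TrimPrefix(line, "Fixed in: ") // already module@version
		}
	}
	return fs
}

func main() {
	// Reachable findings should fail the build; informational ones only need the version bump.
	for _, f := range ParseReport(sampleReport) {
		fmt.Printf("%s reachable=%t; pin it: go get %s && go mod tidy\n", f.ID, !f.Informational, f.FixedIn)
	}
}
```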