Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gopkg.in/yaml.v2:v2.4.0 is End Of Life support, Can we use v3? #1579

Open
ijajmulani opened this issue Aug 14, 2024 · 5 comments
Open

gopkg.in/yaml.v2:v2.4.0 is End Of Life support, Can we use v3? #1579

ijajmulani opened this issue Aug 14, 2024 · 5 comments
Labels
dependencies Pull requests that update a dependency file question

Comments

@ijajmulani
Copy link

I can see gopkg.in/yaml.v2 is being used. Our BlackDuck scan shows gopkg.in/yaml.v2 version is EOLed. Hence can we update this component to latest v3 version.

@bwplotka
Copy link
Member

Interesting. We don't use yaml. We will have to check in the transient dependency who uses it. At least Prometheus common has this. Can you add same issue on https://github.com/prometheus/common?

Thanks!

@bwplotka bwplotka added question dependencies Pull requests that update a dependency file labels Aug 20, 2024
@trend-shihyi-wu
Copy link

Hello, due to the current inclusion of gopkg.in/[email protected], a vulnerability CVE-2022-28948 has been detected. As per compliance requirements, it is necessary to address this issue within the given deadline. I would like to inquire if there are any plans to upgrade to gopkg.in/yaml.v3 v3.0.1 in order to resolve this matter. Thank you for your attention.

@bwplotka
Copy link
Member

This project does not use anything related to YAML, it does not use this module, so it's not vulnerable.

Plus the vulnerability you mention is for v3 version only, not for v2 (see e.g. Teamwork/kommentaar#91 (comment))

@ijajmulani
Copy link
Author

Hi @bwplotka
Looks as a sub dependency it yaml v2 is getting used. https://github.com/prometheus/client_golang/blob/main/go.mod#L29

vulnerability is for v2 version not for v3.

@bwplotka
Copy link
Member

bwplotka commented Oct 10, 2024

The fact it's in go.mod especially in indirect part, does not mean this code or the code we depend on actively use it. This likely comes from prometheus/common module and we don't use its types that additionally support some yaml encoding.

I still suspect the vuln is for v3 only. Can you show me the vuln part of v2 code?

Nevertheless we could check how to kill yaml indirect dep or move to v3, but it's not urgent IMO

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file question
Projects
None yet
Development

No branches or pull requests

3 participants