x/net: module depends on vulnerable version of x/text@v0.3.0 #40597
Labels: FrozenDueToAge, NeedsInvestigation
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output

What did you do?
The golang.org/x/net@latest module has a dependency on the golang.org/x/text@v0.3.0 module, which has a known vulnerability, CVE-2020-14040. golang.org/x/text tag v0.3.3 resolves the issue.

I help maintain a library that has a dependency on golang.org/x/net, and the CVE for golang.org/x/text@v0.3.0 is getting flagged as a vulnerability for users of the library I help maintain, aws/aws-sdk-go#3457. The best workaround I think I can suggest for users is to add a replace statement in their application's go.mod until golang.org/x/net is updated.

What did you expect to see?
The golang.org/x/net@latest module to depend on golang.org/x/text@v0.3.3.

PR golang/net#77 updates the golang.org/x/net module, but it looks like it may not have been accepted due to the May - July code freeze.

What did you see instead?
golang.org/x/net@latest depends on golang.org/x/text@v0.3.0.
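The workaround the issue describes (a replace directive in the application's go.mod until golang.org/x/net moves to golang.org/x/text v0.3.3), as an added example that is not part of the original issue and not code from golang.org/x/net or aws/aws-sdk-go: a small Go program that reads the output of `go list -m all` (a constructed sample is embedded), finds the selected golang.org/x/text version, compares it against v0.3.3 with correct pseudo-version ordering, and returns the replace line to add. The names checkXText, selectedVersion and sampleBuildList, and the placeholder x/net pseudo-version in the sample, are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleBuildList is constructed `go list -m all` output for an application that
// depends on golang.org/x/net and so, transitively, on golang.org/x/text v0.3.0
// (the issue's situation). Not from a real project; the x/net hash is a placeholder.
const sampleBuildList = `example.com/app
golang.org/x/net v0.0.0-20200707034311-0123456789ab
golang.org/x/text v0.3.0
`

const (
	xTextModule  = "golang.org/x/text"
	fixedVersion = "v0.3.3" // tag the issue names as resolving CVE-2020-14040
)

// semver is a version's numeric core plus a pre-release flag: a pseudo-version
// like v0.3.3-0.20200601000000-0123456789ab sorts before the tagged v0.3.3.
type semver struct {
	core [3]int
	pre  bool
}

func parseSemver(v string) (semver, bool) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // +incompatible etc. never affects order
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // pre-release / pseudo-version suffix
		v, s.pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return s, false
		}
		s.core[i] = n
	}
	return s, true
}

// less reports whether a sorts before b.
func less(a, b semver) bool {
	for i := range a.core {
		if a.core[i] != b.core[i] {
			return a.core[i] < b.core[i]
		}
	}
	return a.pre && !b.pre
}

// selectedVersion returns the version of modPath in `go list -m all` output,
// honouring an existing "path v1 => path v2" replacement, or "" if absent.
func selectedVersion(buildList, modPath string) string {
	for _, line := range strings.Split(buildList, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != modPath {
			continue
		}
		if len(f) == 5 && f[2] == "=>" {
			return f[4]
		}
		return f[1]
	}
	return ""
}

// checkXText returns the golang.org/x/text version the build uses and, when it
// sorts before fixedVersion, the replace directive to add to the app's go.mod.
// An empty directive means the build already uses a fixed release.
func checkXText(buildList string) (current, directive string, err error) {
	current = selectedVersion(buildList, xTextModule)
	if current == "" {
		return "", "", fmt.Errorf("%s is not in the build list", xTextModule)
	}
	cur, ok := parseSemver(current)
	if !ok {
		return current, "", fmt.Errorf("cannot parse version %q", current)
	}
	fixed, _ := parseSemver(fixedVersion)
	if less(cur, fixed) {
		directive = fmt.Sprintf("replace %s => %s %s", xTextModule, xTextModule, fixedVersion)
	}
	return current, directive, nil
}

func main() {
	current, directive, err := checkXText(sampleBuildList)
	fmt.Println(current, directive, err)
}
```

The build list is checked rather than the application's own go.mod because, before Go 1.17, go.mod may not list an indirect dependency such as x/text at all; `go list -m golang.org/x/text` shows the version actually selected. The same replace can be added with `go mod edit -replace golang.org/x/text=golang.org/x/text@v0.3.3` followed by `go mod tidy`. Because minimal version selection picks the highest version required by any module in the build, a plain `require golang.org/x/text v0.3.3` in the application's go.mod also raises the selected version; the replace form is the one the issue suggests.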