Add support for Iris' strict handler #1

Merged
jamietanna merged 1 commit into main from feature/iris on Aug 28, 2023

Conversation

jamietanna
Member

No description provided.

@jamietanna jamietanna merged commit 2b4757a into main Aug 28, 2023
8 checks passed
@jamietanna jamietanna deleted the feature/iris branch August 28, 2023 19:52
@jamietanna jamietanna added the enhancement New feature or request label Nov 6, 2023
jamietanna pushed a commit that referenced this pull request Jan 3, 2024
Using https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to validate [the
CVE] it notes that:

```
Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities...

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2074
    Parser out-of-bounds read vulnerability caused by a malformed markdown input
  More info: https://pkg.go.dev/vuln/GO-2023-2074
  Module: github.com/gomarkdown/markdown
    Found in: github.com/gomarkdown/[email protected]
    Fixed in: github.com/gomarkdown/[email protected]

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.
```

This means that for most users of this package, they are unaffected, but
to make sure that we keep this package CVE free, we can update the
transitive dependency.

We cannot update Iris, which pulls in this dependency, due to it now
requiring Go 1.21, and we do not want to require Go 1.21 for consumers.

Co-authored-by: Paul Imbert <[email protected]>
Co-authored-by: Jamie Tanna <[email protected]>

[the CVE]: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNPARSER-5916451
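The commit message above relies on a distinction govulncheck draws in its text report: findings that have call stacks from the scanned code, and import-only findings listed under `=== Informational ===`. As an added example (not the PR's code and not part of govulncheck itself), the following POSIX shell script parses a report of that shape, counts each kind, lists the advisory IDs, and exposes a gate that fails only on reachable findings, so a CI job can block on those while still recording import-only ones for a dependency bump like the one in this commit. The report embedded in the script is constructed for the example; the `GO-0000-0000` entry, its `example.com/dep` module, its placeholder versions and its trace line are hypothetical and not real advisories.

```shell
#!/bin/sh
# Added example, not code from the PR or from govulncheck. Splits a govulncheck
# text report into findings with call stacks and import-only findings.

# Constructed sample report shaped like govulncheck's text output. The first
# entry (GO-0000-0000, example.com/dep, v0.0.0-placeholder) is hypothetical;
# the second mirrors the import-only finding quoted in the commit message.
SAMPLE_REPORT='Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-0000-0000
    Hypothetical finding with a call stack (constructed, not a real advisory)
  More info: https://pkg.go.dev/vuln/GO-0000-0000
  Module: example.com/dep
    Found in: example.com/dep@v0.0.0-placeholder
    Fixed in: example.com/dep@v0.0.1-placeholder
    Example traces found:
      #1: main.go:10:5: app.Handler calls dep.Parse

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action.

Vulnerability #2: GO-2023-2074
    Parser out-of-bounds read vulnerability caused by a malformed markdown input
  More info: https://pkg.go.dev/vuln/GO-2023-2074
  Module: github.com/gomarkdown/markdown

Your code is affected by 1 vulnerability from 1 module.'

# Number of "Vulnerability #N:" entries before the Informational header,
# i.e. findings govulncheck could trace to the scanned code.
count_actionable() {
  printf '%s\n' "$1" | awk '
    /^=== Informational ===/ { informational = 1 }
    /^Vulnerability #[0-9]+:/ && !informational { n++ }
    END { print n + 0 }'
}

# Number of entries at or after the header: imported but not reachable.
count_informational() {
  printf '%s\n' "$1" | awk '
    /^=== Informational ===/ { informational = 1 }
    /^Vulnerability #[0-9]+:/ && informational { n++ }
    END { print n + 0 }'
}

# Every advisory ID in the report, one per line, for ticketing or for
# deciding which transitive module to bump with "go get".
list_ids() {
  printf '%s\n' "$1" | awk '/^Vulnerability #[0-9]+:/ { print $3 }'
}

# CI gate: succeed only when no finding has a call stack. Import-only
# findings are reported but do not fail the build, matching the commit's
# reasoning that they need no immediate action.
gate() {
  [ "$(count_actionable "$1")" -eq 0 ]
}

echo "actionable findings:    $(count_actionable "$SAMPLE_REPORT")"
echo "informational findings: $(count_informational "$SAMPLE_REPORT")"
echo "advisories:"
list_ids "$SAMPLE_REPORT"
if gate "$SAMPLE_REPORT"; then
  echo "gate: pass"
else
  echo "gate: fail (reachable vulnerability present)"
fi
```

To use it on a real project, replace `SAMPLE_REPORT` with the captured output of `govulncheck ./...`; the parsing only depends on the `=== Informational ===` header and the `Vulnerability #N:` entry lines shown in the quoted report.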