Security Vulnerability CVE-2022-28948 (Medium) detected in github.com/go-yaml/yaml-v2.4.0

[Sher-Chowdhury]

This relates to:

kin-openapi/go.mod

Line 10 in 221a292

gopkg.in/yaml.v2 v2.3.0

As per https://www.mend.io/vulnerability-database/CVE-2022-28948, would it be possible to upgrade this yaml package to v3.0.0?

[fenollp]

Hi there, I'm working on upgrading to v3 however note that this CVE incorrectly relates to v3 when it should be about v2. See here: go-yaml/yaml#666 (comment)

[fenollp]

I've also created go-openapi/swag#63 as today this is our only dependency to v2:

λ go mod why gopkg.in/yaml.v2
# gopkg.in/yaml.v2
github.com/getkin/kin-openapi/openapi3
github.com/go-openapi/jsonpointer
github.com/go-openapi/swag
gopkg.in/yaml.v2