
Conversation

@ivanbron

📌 Description

This PR updates the dependency github.com/goccy/go-yaml from v1.12.0 to v1.18.0.

The previous version (v1.12.0) was pulling in an outdated release of golang.org/x/crypto that contained known security vulnerabilities. Upgrading to v1.18.0 removes those insecure transitive dependencies and ensures the project uses a maintained, patched version.

✅ Benefits

Eliminates vulnerabilities inherited from old golang.org/x/crypto versions

Keeps the project aligned with the latest stable and secure go-yaml release

No breaking API changes expected, as the update stays within the v1.x series

🔍 Notes

Ran go mod tidy to update go.mod and go.sum accordingly

Verified that no regressions or breaking changes are introduced
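As an added check (example code, not part of this PR or of the project), the following shell helpers read `go mod graph` output and show which module requires golang.org/x/crypto and at which version, which is the claim the description above makes about the old go-yaml release. The graph they run on here is constructed to mirror that situation; `example.com/app`, `example.com/other` and every version except go-yaml's are placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR or the project: helpers over `go mod graph`
# output (one "requirer@ver required@ver" edge per line, main module without a
# version) that answer "who pulls golang.org/x/crypto in, and at which version?".
# Against a real module run:  go mod graph > graph.txt

# who_requires GRAPH_FILE MODULE_PATH
# Prints one "requirer -> required@version" line per edge whose target module
# is MODULE_PATH, i.e. every module that directly requires it.
who_requires() {
    awk -v mod="$2" '{
        n = split($2, t, "@")          # t[1] = module path, t[2] = version
        if (n == 2 && t[1] == mod) print $1 " -> " $2
    }' "$1"
}

# versions_of GRAPH_FILE MODULE_PATH
# Prints each distinct version of MODULE_PATH that appears in the graph.
versions_of() {
    awk -v mod="$2" '{
        n = split($2, t, "@")
        if (n == 2 && t[1] == mod && !seen[t[2]]++) print t[2]
    }' "$1" | sort
}

# write_sample_graph FILE
# Constructed graph mirroring the PR description: the old go-yaml release is
# the only path to golang.org/x/crypto. Paths and versions other than
# go-yaml's are placeholders, not real data.
write_sample_graph() {
    cat > "$1" <<'EOF'
example.com/app github.com/goccy/go-yaml@v1.12.0
example.com/app example.com/other@v0.1.0-constructed
github.com/goccy/go-yaml@v1.12.0 golang.org/x/crypto@v0.0.0-constructed-old
EOF
}

graph=$(mktemp)
write_sample_graph "$graph"
echo "modules requiring golang.org/x/crypto:"
who_requires "$graph" golang.org/x/crypto
echo "versions of golang.org/x/crypto in the graph:"
versions_of "$graph" golang.org/x/crypto
rm -f "$graph"
```

Run the same two helpers on the real graph before and after the bump: the requirer and version listed for golang.org/x/crypto should move from the old go-yaml release to a patched version, or disappear entirely.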

@ivanbron
Author

hello @inhere
We would kindly appreciate it if you could address this one. This vulnerability is a blocker for a use case.
Happy to provide more info if requested.
Regards,
Iván.

@ivanbron ivanbron force-pushed the fix-go-yml-vulnerability-dependency branch from a05094e to d2bb515 on August 20, 2025 13:21
@inhere inhere requested a review from Copilot August 20, 2025 13:44

Copilot AI left a comment


Pull Request Overview

This PR updates the github.com/goccy/go-yaml dependency from v1.12.0 to v1.18.0 to address security vulnerabilities in transitive crypto dependencies. The update also modernizes the Go version requirements and removes obsolete dependencies.

  • Updated go-yaml dependency from v1.12.0 to v1.18.0 for security fixes
  • Bumped Go version requirement from 1.19 to 1.21.0 and added toolchain specification
  • Cleaned up indirect dependencies that are no longer required


@ivanbron
Author

hmmm, looks like go-yaml requires at least go 1.21.0. Is this a blocker to generating a new release of this lib?

@inhere
Member

inhere commented Aug 21, 2025

hmmm, looks like go-yaml requires at least go 1.21.0. Is this a blocker to generating a new release of this lib?

Yes, I wanted to upgrade go-yaml when I updated my dependencies the other day, but it needed go1.21+. I don't know what impact it will have on downstream dependencies after upgrading, so it was not upgraded.

@ivanbron
Author

hmmm, looks like go-yaml requires at least go 1.21.0. Is this a blocker to generating a new release of this lib?

Yes, I wanted to upgrade go-yaml when I updated my dependencies the other day, but it needed go1.21+. I don't know what impact it will have on downstream dependencies after upgrading, so it was not upgraded.

I see. Is there any plan to upgrade old dependencies any time soon?
