I've merged the PR to master and want to propose cherry-picking it to create patch releases. Technically, for Go, all we need to do is create the appropriate tags named like "go/v6.0.2", and so on. Since this vulnerability only affects Go we don't necessarily need to release patches for the other language libraries other than for consistency.
So I guess I'd like others to chime in on opinions as to whether we should just cherry-pick and create the tags just for patch releases for Go or do full patch releases of everything for consistency.

--Matt

On Thu, Jun 9, 2022 at 5:21 PM Dominic Barnes <[email protected]> wrote:
> Howdy!
>
> I'm a first-time contributor, and I just opened a PR to update a dev/test
> dependency (github.com/stretchr/testify) to address a security
> vulnerability being reported downstream:
>
> https://github.com/apache/arrow/pull/13322 (more context included here)
>
> The PR was originally opened against the release-v7.0.0 branch, but I was
> then pointed towards using master instead, with the intention of
> backporting the commit/change for v6.0.2, v7.0.1 and v8.0.1 releases.
>
> While not merged yet, it sounded like I should get the ball rolling now.
> Let me know how I can help get this across the finish line.
>
> --
> Dominic Barnes
>
> he/him/his
> Staff Software Engineer
> Twilio
> EMAIL [email protected]
> TWITTER @mako281 <https://twitter.com/mako281>
> GITHUB dominicbarnes <https://github.com/dominicbarnes>
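The "just create the tags" route Matt proposes works because the go tool locates a module that lives in a repository subdirectory (Arrow's Go module is under go/, with module path github.com/apache/arrow/go/v6 for the v6 line) by tags of the form <subdir>/vX.Y.Z, and X has to match the /vN suffix of the module path. The script below is an added example, not code from the Arrow project or from anyone in this thread: check_go_tag validates a candidate tag against a go.mod module path (including the no-/vN case, which only permits v0 and v1 tags, and rejecting pre-release suffixes), and demo_patch_release walks through the cherry-pick-onto-release-branch-then-tag sequence on a throwaway git repository. The module path, the release-v6.0.x branch name and the testify version bump are assumptions modelled on the Arrow layout and the PR discussed above, not taken from the project's release tooling.

```shell
#!/bin/sh
# Added example (not Arrow project code). Assumed layout: a Go module in the
# go/ subdirectory of a github.com/<org>/<repo> repository, module path
# github.com/apache/arrow/go/v6, patch releases cut from release-v6.0.x.

# check_go_tag TAG MODULE_PATH
# Returns 0 when TAG is a valid release tag for the module at MODULE_PATH:
#   - TAG starts with the module's subdirectory prefix (e.g. "go/"),
#   - the remainder is plain vX.Y.Z (no pre-release or build metadata),
#   - X equals the /vN major suffix of MODULE_PATH, or is 0/1 when there is none.
check_go_tag() {
    tag=$1
    modpath=$2
    # Fields 4.. of github.com/<org>/<repo>/... are the subdirectory plus the
    # optional /vN suffix that Go's semantic import versioning requires.
    rest=$(printf '%s\n' "$modpath" | cut -d/ -f4-)
    major=$(printf '%s\n' "$rest" | sed -n 's#^\(.*/\)*v\([0-9][0-9]*\)$#\2#p')
    if [ -n "$major" ]; then
        subdir=${rest%v"$major"}
        subdir=${subdir%/}
    else
        subdir=$rest
    fi
    if [ -z "$subdir" ]; then
        version=$tag
    else
        case $tag in
            "$subdir"/*) version=${tag#"$subdir"/} ;;
            *) return 1 ;;          # missing "go/" prefix: go get will not see it
        esac
    fi
    printf '%s\n' "$version" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    tagmajor=${version#v}
    tagmajor=${tagmajor%%.*}
    if [ -n "$major" ]; then
        [ "$tagmajor" = "$major" ]   # go/v7.0.1 on a .../go/v6 module is invalid
    else
        [ "$tagmajor" = 0 ] || [ "$tagmajor" = 1 ]
    fi
}

# demo_patch_release: cherry-pick a fix from master onto the release branch
# and tag it, in a temporary repository. Skips quietly when git is absent.
demo_patch_release() {
    command -v git >/dev/null 2>&1 || { echo "git not installed; skipping demo"; return 0; }
    tmp=$(mktemp -d) || return 1
    (
        set -e
        cd "$tmp"
        git init -q
        git config user.name demo
        git config user.email demo@example.invalid
        git config commit.gpgsign false
        git symbolic-ref HEAD refs/heads/master
        mkdir go
        # Constructed go.mod standing in for the real one.
        printf 'module github.com/apache/arrow/go/v6\n\ngo 1.16\n\nrequire github.com/stretchr/testify v1.7.0\n' > go/go.mod
        git add go/go.mod
        git commit -q -m "go: v6.0.1"
        git tag -a go/v6.0.1 -m "Go v6.0.1"
        git branch release-v6.0.x                 # patch releases are cut from here
        # The dependency bump lands on master first ...
        sed -i.bak 's/testify v1.7.0/testify v1.7.2/' go/go.mod && rm go/go.mod.bak
        git commit -q -am "go: bump testify for downstream vulnerability report"
        fix=$(git rev-parse HEAD)
        # ... and is cherry-picked onto the release branch; -x records the origin commit.
        git checkout -q release-v6.0.x
        git cherry-pick -x "$fix" >/dev/null
        # Sanity-check the tag against the module path before creating it.
        check_go_tag go/v6.0.2 "$(sed -n 's/^module //p' go/go.mod)"
        git tag -a go/v6.0.2 -m "Go v6.0.2"
        git tag -l 'go/*'                         # go/v6.0.1 and go/v6.0.2
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_patch_release || echo "demo failed"
```

After the tag is pushed, the patch release is whatever `go get github.com/apache/arrow/go/v6@v6.0.2` resolves to; nothing else needs to be published for the Go module, which is why a tag-only release is sufficient for the Go side of this fix.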
