I just became aware of a security problem in the package https://github.com/satori/go.uuid <https://github.com/satori> through this reddit thread : https://www.reddit.com/r/golang/comments/n6bnsh/cve20213538_issued_for_latest_release_of/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
The issue for the security problem is here: https://github.com/satori/go.uuid/issues/73 <https://github.com/satori/go.uuid/issues/73#issuecomment-833337384> There is a CVE identifier for this security problem: https://github.com/satori/go.uuid/issues/115 It is 3 years old and hasn't been resolved. The problem is that the owner of the package has apparently vanished. I report this problem here because this package is used by more than 20 thousand go packages or programs (e.g. gogs). ( https://pkg.go.dev/github.com/satori/go.uuid?tab=importedby) Now that we have this fantastic functionality of modules, I would like to know if we could imagine that the go tools would issue a warning if an imported package has a security issue reported in CVE. I have seen that there is a github tool to do that, but we don't get these notifications by default. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/9c18eecc-126d-4614-872d-474ebe90513cn%40googlegroups.com.
