[ https://issues.apache.org/jira/browse/ARROW-16759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kouhei Sutou updated ARROW-16759:
---------------------------------
    Summary: [Go] Update testify to fix security vulnerability  (was: [Go] update testify to fix security vulnerability)

> [Go] Update testify to fix security vulnerability
> -------------------------------------------------
>
>                 Key: ARROW-16759
>                 URL: https://issues.apache.org/jira/browse/ARROW-16759
>             Project: Apache Arrow
>          Issue Type: Task
>          Components: Go
>    Affects Versions: 7.0.0, 8.0.0
>            Reporter: Dominic Barnes
>            Assignee: Dominic Barnes
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 9.0.0
>
>          Time Spent: 3h
>  Remaining Estimate: 0h
>
> The packages under github.com/apache/arrow/go currently have a dependency on
> github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3
> that has an outstanding security vulnerability.
> ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
> While testify is only used during tests, this is not distinguished by the go
> toolchain and other tools like Snyk which scan the dependency chain for
> vulnerabilities. Unfortunately, due to Go's [Minimal version
> selection|https://go.dev/ref/mod#minimal-version-selection], this ends up
> requiring us to visit our dependencies to ensure this security vulnerability
> is addressed.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
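
An added example (not part of the original message or of Arrow's code) of the situation the issue describes: it reads `go mod graph` output, lists which modules require a flagged module, and applies the highest-required-version rule of minimal version selection to show why the finding stays until some requirement is raised. The graph, module names, versions and the `Resolve`/`Flagged` helpers are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output with placeholder modules (not Arrow's graph):
// testlib stands in for a test-only dependency, yamllib for the flagged module.
const sampleGraph = `example.com/app example.com/testlib@v1.7.0
example.com/testlib@v1.7.0 example.com/yamllib@v1.0.0`

// key orders plain vX.Y.Z versions (components below 1000, no pseudo-versions).
func key(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c
}

// Resolve returns the highest version of modPath required anywhere in the graph,
// which is what minimal version selection builds with, and who requires it.
func Resolve(graph, modPath string) (selected string, requirers []string) {
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		path, ver, _ := strings.Cut(f[1], "@")
		if path != modPath {
			continue
		}
		requirers = append(requirers, f[0])
		if selected == "" || key(ver) > key(selected) {
			selected = ver
		}
	}
	return selected, requirers
}

// Flagged mimics a scanner: test-only or not, the selected version is what counts.
func Flagged(graph, modPath, fixedIn string) bool {
	selected, _ := Resolve(graph, modPath)
	return selected != "" && key(selected) < key(fixedIn)
}

func main() {
	sel, req := Resolve(sampleGraph, "example.com/yamllib")
	fmt.Println(sel, req, Flagged(sampleGraph, "example.com/yamllib", "v1.0.1"))
}
```

Appending one edge that requires the fixed version, whether from an updated intermediate module or from the main module itself, is enough to change the selected version, because selection takes the maximum over all requirers.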