[
https://issues.apache.org/jira/browse/ARROW-16759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kouhei Sutou updated ARROW-16759:
---------------------------------
Fix Version/s: 6.0.2
(was: 6.0.3)
> [Go] Update testify to fix securiy vulnerability
> ------------------------------------------------
>
> Key: ARROW-16759
> URL: https://issues.apache.org/jira/browse/ARROW-16759
> Project: Apache Arrow
> Issue Type: Task
> Components: Go
> Affects Versions: 7.0.0, 8.0.0
> Reporter: Dominic Barnes
> Assignee: Dominic Barnes
> Priority: Minor
> Labels: pull-request-available
> Fix For: 9.0.0, 6.0.2
>
> Time Spent: 3.5h
> Remaining Estimate: 0h
>
> The packges under github.com/apache/arrow/go currently have a dependency on
> github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3
> that has an outstanding security vulnerability.
> ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
> While testify is only used during tests, this is not distinguished by the go
> toolchain and other tools like Snyk which scan the dependency chain for
> vulnerabilities. Unfortunately, due to Go's [Minimal version
> selection|[https://go.dev/ref/mod#minimal-version-selection],] this ends up
> requiring us to visit our dependencies to ensure this security vulnerability
> is addressed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
