[ https://issues.apache.org/jira/browse/ARROW-16759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matthew Topol resolved ARROW-16759.
-----------------------------------
    Fix Version/s: 9.0.0
       Resolution: Fixed

Issue resolved by pull request 13322
[https://github.com/apache/arrow/pull/13322]

> [Go]
> ----
>
>                 Key: ARROW-16759
>                 URL: https://issues.apache.org/jira/browse/ARROW-16759
>             Project: Apache Arrow
>          Issue Type: Task
>          Components: Go
>    Affects Versions: 7.0.0, 8.0.0
>            Reporter: Dominic Barnes
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 9.0.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> The packages under github.com/apache/arrow/go currently have a dependency on
> github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3
> that has an outstanding security vulnerability.
> ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
> While testify is only used during tests, this is not distinguished by the go
> toolchain and other tools like Snyk which scan the dependency chain for
> vulnerabilities. Unfortunately, due to Go's [Minimal version
> selection|https://go.dev/ref/mod#minimal-version-selection], this ends up
> requiring us to visit our dependencies to ensure this security vulnerability
> is addressed.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
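
The dependency chain described in the issue, traced as an added example (not part of the Jira message or the Arrow code base): it parses `go mod graph` output and lists every requirement chain that reaches gopkg.in/yaml.v3. The sample graph, the main module example.com/app and the yaml.v3 version string are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output; example.com/app and the yaml.v3 version are placeholders.
const sampleGraph = `example.com/app github.com/apache/arrow/go/v8@v8.0.0
example.com/app golang.org/x/sys@v0.0.0-constructed
github.com/apache/arrow/go/v8@v8.0.0 github.com/stretchr/testify@v1.7.0
github.com/stretchr/testify@v1.7.0 gopkg.in/yaml.v3@v3.0.0-constructed
`

// chainsTo returns every requirement chain from root to any version of module path target.
func chainsTo(graph, root, target string) [][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	var out [][]string
	onPath := map[string]bool{}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if onPath[node] {
			return // requirement graphs can contain cycles
		}
		path = append(path, node)
		if strings.HasPrefix(node, target+"@") {
			out = append(out, append([]string(nil), path...))
			return
		}
		onPath[node] = true
		for _, next := range edges[node] {
			walk(next, path)
		}
		onPath[node] = false
	}
	walk(root, nil)
	return out
}

func main() {
	for _, c := range chainsTo(sampleGraph, "example.com/app", "gopkg.in/yaml.v3") {
		fmt.Println(strings.Join(c, " -> "))
	}
}
```

Each printed chain names the intermediate module whose requirement has to be bumped; a chain through testify appears here even though testify is only imported by tests.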