[
https://issues.apache.org/jira/browse/ARROW-16759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matthew Topol resolved ARROW-16759.
-----------------------------------
Fix Version/s: 9.0.0
Resolution: Fixed
Issue resolved by pull request 13322
[https://github.com/apache/arrow/pull/13322]
> [Go]
> ----
>
> Key: ARROW-16759
> URL: https://issues.apache.org/jira/browse/ARROW-16759
> Project: Apache Arrow
> Issue Type: Task
> Components: Go
> Affects Versions: 7.0.0, 8.0.0
> Reporter: Dominic Barnes
> Priority: Minor
> Labels: pull-request-available
> Fix For: 9.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The packges under github.com/apache/arrow/go currently have a dependency on
> github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3
> that has an outstanding security vulnerability.
> ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
> While testify is only used during tests, this is not distinguished by the go
> toolchain and other tools like Snyk which scan the dependency chain for
> vulnerabilities. Unfortunately, due to Go's [Minimal version
> selection|[https://go.dev/ref/mod#minimal-version-selection],] this ends up
> requiring us to visit our dependencies to ensure this security vulnerability
> is addressed.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
