New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate to newer go-git #254

Open

divVerent opened this issue Feb 8, 2024 · 1 comment

divVerent commented Feb 8, 2024 •

edited

Loading

Projects using go-licenses as build dependency now always get a security warning:

https://github.com/divVerent/aaaaxy/security/dependabot/7

It appears to be a real RCE that also is exploitable through its use by go-licenses.

This can be fixed only by this module upgrading from gopkg.in/src-d/go-git.v4 to github.com/go-git/go-git/v5.

Can you do that?

Author

divVerent commented Feb 8, 2024

This actually seems to already be fixed by 9a41918 - so all that's required is a new release of go-licenses.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment