It appears that kit/transport/grpc is vulnerable to the attack outlined in CVE-2022-41717 due to the package dependency on the Go gRPC implementation. Can go-kit be updated to leverage fixes for this vulnerability? It is fixed in Go minor releases 1.18.9 and 1.19.4.
Go kit expresses a dependency on the module google.golang.org/grpc at version v1.40.0. The latest version of that module is currently v1.51.0. These two versions share a major version number, and so Go modules treats them as compatible during version resolution, and applications that (correctly) assert that later version will receive it.
Happy to review and approve a PR that bumps the grpc module version as suggested, assuming tests pass, etc. But that's a nice-to-have; if it doesn't happen it's not any kind of vulnerability. See e.g. #1250.
What would you like?
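The version-resolution rule the reply above relies on, shown as an added Go example (not go-kit's code and not the Go toolchain's own implementation): a simplified minimal version selection over a constructed module graph in which go-kit's go.mod requires google.golang.org/grpc v1.40.0 and the application's go.mod either does or does not require v1.51.0 itself. The module paths and the two grpc versions come from the thread; the application path example.com/app, the go-kit version v0.12.0 and all function names are assumptions made for the illustration.

```go
package main

import "fmt"

// Module is one module path at one version, as on a go.mod require line;
// Graph maps each module version to the modules its own go.mod requires.
type Module struct {
	Path    string
	Version string
}

type Graph map[Module][]Module

// parseSemver reads "vMAJOR.MINOR.PATCH"; a pre-release suffix is ignored.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	_, err := fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	if err != nil {
		return out, fmt.Errorf("malformed version %q: %w", v, err)
	}
	return out, nil
}

// parse2 parses two versions, failing if either is malformed.
func parse2(a, b string) (va, vb [3]int, err error) {
	if va, err = parseSemver(a); err == nil {
		vb, err = parseSemver(b)
	}
	return
}

// order compares two parsed versions: -1, 0 or +1.
func order(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		} else if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// SelectVersions applies the core rule of Go's minimal version selection:
// every go.mod reachable from root states a minimum for each dependency and
// the build list carries the highest minimum seen per module path. Two
// majors on one path are an error (v2+ lives on its own path, e.g. ".../v2").
func SelectVersions(root Module, g Graph) (map[string]string, error) {
	selected := map[string]string{}
	visited := map[Module]bool{root: true}
	for queue := []Module{root}; len(queue) > 0; queue = queue[1:] {
		for _, dep := range g[queue[0]] {
			if !visited[dep] {
				visited[dep] = true
				queue = append(queue, dep)
			}
			cur, seen := selected[dep.Path]
			if !seen {
				selected[dep.Path] = dep.Version
				continue
			}
			vd, vc, err := parse2(dep.Version, cur)
			if err != nil {
				return nil, err
			}
			if vd[0] != vc[0] {
				return nil, fmt.Errorf("%s: %s and %s differ in major version", dep.Path, dep.Version, cur)
			}
			if order(vd, vc) > 0 {
				selected[dep.Path] = dep.Version
			}
		}
	}
	return selected, nil
}

// AtLeast reports whether the build list carries path at minVersion or higher.
func AtLeast(selected map[string]string, path, minVersion string) (bool, error) {
	v, ok := selected[path]
	if !ok {
		return false, fmt.Errorf("%s is not in the build list", path)
	}
	vv, vm, err := parse2(v, minVersion)
	return err == nil && order(vv, vm) >= 0, err
}

// SampleGraph is constructed: go-kit's go.mod requires grpc v1.40.0 and the
// application's go.mod optionally requires v1.51.0 itself. The app path and
// the go-kit version are placeholders; the grpc versions are from the thread.
func SampleGraph(appRequiresGrpc51 bool) (Module, Graph) {
	app := Module{"example.com/app", "v0.0.0"}
	kit := Module{"github.com/go-kit/kit", "v0.12.0"}
	grpc40 := Module{"google.golang.org/grpc", "v1.40.0"}
	grpc51 := Module{"google.golang.org/grpc", "v1.51.0"}
	reqs := []Module{kit}
	if appRequiresGrpc51 {
		reqs = append(reqs, grpc51)
	}
	return app, Graph{app: reqs, kit: {grpc40}}
}

func main() {
	root, g := SampleGraph(true)
	sel, err := SelectVersions(root, g)
	fmt.Println(sel, err)
}
```

With the application requiring v1.51.0 the build list resolves grpc to v1.51.0 even though go-kit still states v1.40.0; without that line the minimum stated by go-kit wins and the application ships v1.40.0. In a real project `go mod graph` prints the requirement graph this example models, `go list -m google.golang.org/grpc` prints the version the build list actually selected, and `go get google.golang.org/grpc@v1.51.0` raises the application's own minimum, which is the "assert that later version" step the reply refers to.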