Project depends on vulnerable dependencies #326
Comments
Linking dgrijalva/jwt-go#463
From a dependency point of view, the transitive dependencies of this project are insane though. Command used to generate the dependency graph:
go mod graph | modgraphviz | dot -Tsvg -o graph.svg
open graph.svg
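The SVG produced by `go mod graph | modgraphviz | dot` is hard to read on a tree this large. What a maintainer usually wants is the single chain that drags in an unwanted module family (here, everything under k8s.io/), which `go mod graph` already encodes as "dependent dependency@version" pairs. The following program, an added example that is not code from this project or from any commenter, parses that format and breadth-first-searches for the shortest chain from the main module to any module under a given path prefix. The embedded graph is constructed for the example: the module names follow the thread (containerd, hcsshim, k8s.io), but `example.com/project` and every version other than hcsshim@v0.8.16 are placeholders, not real releases.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// sampleGraph is a constructed, abbreviated imitation of `go mod graph`
// output. Module names follow the issue thread; apart from hcsshim@v0.8.16
// the versions are placeholders, not real releases.
const sampleGraph = `example.com/project github.com/containerd/containerd@v1.0.0-placeholder
example.com/project github.com/dgrijalva/jwt-go@v3.0.0-placeholder
github.com/containerd/containerd@v1.0.0-placeholder github.com/Microsoft/hcsshim@v0.8.16
github.com/Microsoft/hcsshim@v0.8.16 k8s.io/kubernetes@v1.0.0-placeholder
k8s.io/kubernetes@v1.0.0-placeholder k8s.io/api@v0.0.0-placeholder
`

// ParseGraph reads `go mod graph` lines ("from to" pairs) into an adjacency
// map keyed by the dependent module. The left-hand side of the first line is
// the main module, which `go mod graph` prints without a version suffix.
// Pseudo-nodes such as "go@1.xx" are kept; they are harmless leaves.
func ParseGraph(r io.Reader) (root string, edges map[string][]string, err error) {
	edges = make(map[string][]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		if root == "" {
			root = fields[0]
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return root, edges, sc.Err()
}

// ModulePath strips the @version suffix so "k8s.io/api@v0.1.0" is compared
// against the prefix "k8s.io/" by module path only.
func ModulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPath runs a breadth-first search from root and returns the shortest
// dependency chain ending in a module whose path starts with prefix, or nil
// when no such module is reachable.
func FindPath(root string, edges map[string][]string, prefix string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if strings.HasPrefix(ModulePath(cur), prefix) {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	// Usage: go mod graph | go run why.go k8s.io/
	// With nothing piped on stdin the constructed sample graph is used.
	prefix := "k8s.io/"
	if len(os.Args) > 1 {
		prefix = os.Args[1]
	}
	var in io.Reader = strings.NewReader(sampleGraph)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		in = os.Stdin
	}
	root, edges, err := ParseGraph(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	path := FindPath(root, edges, prefix)
	if path == nil {
		fmt.Printf("no module under %s is reachable from %s\n", prefix, root)
		return
	}
	fmt.Println(strings.Join(path, "\n  -> "))
}
```

On the sample graph this prints the chain project -> containerd -> hcsshim@v0.8.16 -> k8s.io/kubernetes, which is exactly the inheritance the thread describes. For a single, fully named module the built-in `go mod why -m <module>` gives the same answer; the prefix search is useful when you only know the family (every k8s.io/* module) and want to see which direct dependency is responsible before deciding whether to bump it or drop it.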
Hello, thank you for your help analyzing our dependencies. Personally, I don't even know why we depend on k8s just yet, and it will be nice to figure out how to decrease the code we depend on.
Regarding k8s vulnerabilities, these dependencies seem to be indirectly inherited from hcsshim@v0.8.16 via the containerd dependency. It might help to trial hcsshim@v0.8.20. I am currently using the following go.mod directives, which make things look greener for me.
Update: Even greener with the following directives. dgrijalva/jwt-go has been retired and should be replaced with golang-jwt/jwt.
Btw, I don't think using "replace" is the way to go in general for you as a package maintainer.
Hi @kishaningithub, I'm trying to understand why so many dependencies are used, and why there are 5 vulnerabilities at this moment. Will add anything I find in my investigation here. Thanks!! Steps to install the dependencies on Mac:
Run with:
Generated file: graph.svg.zip
@kishaningithub I submitted a partial fix, but I think we seem coupled to containerd, which is the one bringing those three vulnerabilities 🤷
Closing, as #527 was already merged, thanks for the report |
Describe the bug
Project depends on vulnerable dependencies.
To Reproduce
From the project root, run the following command
Expected behavior
From a security point of view, the project should not have dependencies which are vulnerable.
Vulnerable deps
Actual behavior
Below is the output from the command mentioned in the "To Reproduce" section