Security: Switch/upgrade github.com/satori/go.uuid to github.com/gofrs/uuid #3742
Comments
cyriltovena
added a commit
to cyriltovena/loki
that referenced
this issue
May 18, 2021
Fixes grafana#3742 Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
cyriltovena
added a commit
that referenced
this issue
May 20, 2021
* Replace satori.uuid with gofrs/uuid Fixes #3742 Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com> * Fix new import. Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Grafana backend is dependent on loki Go module and by that gets the github.com/satori/go.uuid dependency. github.com/satori/go.uuid is deprecated according to satori/go.uuid#84 and it's suggested to use github.com/gofrs/uuid instead which is properly maintained. github.com/gofrs/uuid should also have fixed the WS-2018-0594 vulnerability.
Looking at go.mod it seems loki has looked the version to 1.2.0:
loki/go.mod
Lines 93 to 94 in 89bdc9c
However, there's no higher versions available of github.com/satori/go.uuid. Only with github.com/gofrs/uuid. And looking at prometheus/alertmanager they currently uses the latter, see https://github.com/prometheus/alertmanager/blob/7301451eb94d2081fb740abf29755861dd122c65/go.mod#L15
Is there something that can be done here or are you blocked by other dependencies?
The text was updated successfully, but these errors were encountered: