Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade golang.org/x/text v0.3.8 #285

Closed
serejja opened this issue Nov 1, 2022 · 1 comment · Fixed by #286
Closed

Upgrade golang.org/x/text v0.3.8 #285

serejja opened this issue Nov 1, 2022 · 1 comment · Fixed by #286

Comments

@serejja
Copy link

serejja commented Nov 1, 2022

Current version of go-i18n uses golang.org/x/text v0.3.7, which has a vulnerability (https://pkg.go.dev/vuln/GO-2022-1059):

Running govulncheck with the code that uses go-i18n results in a similar output:

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-20[22](...)-1059
  An attacker may cause a denial of service by crafting an
  Accept-Language header which ParseAcceptLanguage will take
  significant time to parse.

  Call stacks in your code:
Error:       ...go:68:49: blabla.Get calls github.com/nicksnyder/go-i18n/v2/i18n.NewLocalizer, which eventually calls golang.org/x/text/language.ParseAcceptLanguage

  Found in: golang.org/x/text/language@v0.3.7
  Fixed in: golang.org/x/text/language@v0.3.8
  More info: https://pkg.go.dev/vuln/GO-2022-1059
@serejja
Copy link
Author

serejja commented Nov 1, 2022

Also maybe makes sense to upgrade to latest available version, which is v0.4.0 as of today

@nicksnyder nicksnyder mentioned this issue Nov 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update to golang.org/x/text v0.4.0 nicksnyder/go-i18n
1 participant
@serejja