[
https://issues.apache.org/jira/browse/ARROW-16759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kouhei Sutou reassigned ARROW-16759:
------------------------------------
Assignee: Dominic Barnes
> [Go]
> ----
>
> Key: ARROW-16759
> URL: https://issues.apache.org/jira/browse/ARROW-16759
> Project: Apache Arrow
> Issue Type: Task
> Components: Go
> Affects Versions: 7.0.0, 8.0.0
> Reporter: Dominic Barnes
> Assignee: Dominic Barnes
> Priority: Minor
> Labels: pull-request-available
> Fix For: 9.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> The packges under github.com/apache/arrow/go currently have a dependency on
> github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3
> that has an outstanding security vulnerability.
> ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
> While testify is only used during tests, this is not distinguished by the go
> toolchain and other tools like Snyk which scan the dependency chain for
> vulnerabilities. Unfortunately, due to Go's [Minimal version
> selection|[https://go.dev/ref/mod#minimal-version-selection],] this ends up
> requiring us to visit our dependencies to ensure this security vulnerability
> is addressed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
