
Update github.com/gin-gonic/gin #318

Closed
kirill-scherba opened this issue Oct 2, 2021 · 6 comments

Comments

@kirill-scherba

Hi!

Could you please update https://github.com/gin-gonic/gin. GitHub Dependabot sends alerts to projects that use your nhooyr/websocket project because you use https://github.com/gin-gonic/gin v1.6.3, but they need the patched version 1.7.0.

See the message:

CVE-2020-28483
high severity
Vulnerable versions: < 1.7.0
Patched version: 1.7.0
This affects all versions of package https://github.com/gin-gonic/gin under 1.7.0. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

I have used your https://github.com/nhooyr/websocket project in my https://github.com/kirill-scherba/teowebrtc project to make a WebRTC signaling client/server, and this GitHub Dependabot alert is now placed on my project page :-)

I think you just need to execute go get -u and publish a new tag!

Thanks.
Best regards,
Kirill Scherba.
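The CVE text quoted in this issue describes the underlying problem: a server that trusts X-Forwarded-For from any peer lets a client choose the IP it is logged or rate-limited under. The Go program below is an added example, not code from this issue, from gin or from nhooyr/websocket; it uses only the standard library and contrasts a naive resolver with one that honours the header solely when the direct peer is inside a configured trusted-proxy range. The helper names (MustCIDRs, NewRequest, NaiveClientIP, ClientIP) and the addresses are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// MustCIDRs parses CIDR strings into networks. A bad entry is a configuration
// error, so it panics at startup rather than silently trusting nothing.
func MustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// NewRequest builds a minimal request with a peer address and an optional
// X-Forwarded-For header (constructed input, hypothetical helper).
func NewRequest(remoteAddr, xff string) *http.Request {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

// NaiveClientIP is the weak pattern: whoever sent the header is believed,
// so a client talking directly to the server can pick its own "IP".
func NaiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// ClientIP honours X-Forwarded-For only when the direct peer is a trusted
// proxy. It then walks the header from the right, skipping trusted hops, and
// returns the first address that is not a trusted proxy: the client as seen
// by the outermost hop we actually trust. Anything a client prepends to the
// left of that point is ignored.
func ClientIP(r *http.Request, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer, trusted) {
		return host // direct connection: the header is not ours to believe
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			break // empty or malformed entry: fall back to the peer address
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return host
}

func main() {
	trusted := MustCIDRs("10.0.0.0/8") // assumed proxy range

	// A client connected directly from 203.0.113.7 claims to be 1.2.3.4.
	direct := NewRequest("203.0.113.7:5555", "1.2.3.4")
	fmt.Println("direct  naive:", NaiveClientIP(direct), " hardened:", ClientIP(direct, trusted))

	// A client behind trusted proxy 10.0.0.3 prepends a fake first hop.
	proxied := NewRequest("10.0.0.2:4444", "9.9.9.9, 198.51.100.9, 10.0.0.3")
	fmt.Println("proxied naive:", NaiveClientIP(proxied), " hardened:", ClientIP(proxied, trusted))
}
```

The trusted range is the one piece of configuration that matters: if it is left empty, the hardened resolver simply reports the TCP peer, which is the safe default for a service exposed directly to the internet.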

@kirill-scherba (Author)

P.S. There is a PR which fixes this issue: #310

kirill-scherba added a commit to kirill-scherba/websocket that referenced this issue Oct 2, 2021
Bump github.com/gin-gonic/gin from 1.6.3 to 1.7.0
fixes coder#318
@oderwat

oderwat commented Nov 16, 2021

I actually wonder how this is "single dependency" with all the other modules needed :)

sailormoon pushed a commit to sailormoon/websocket that referenced this issue Dec 11, 2021
@prochac

prochac commented Feb 4, 2023

I'm also for the dependency removal rather than struggling with its upgrades.
It bothers gin users and non-users alike.
AFAIK it's used only for integration tests.

The same goes for github.com/gobwas/ws and github.com/gorilla/websocket, which are listed as dependencies while they are not.

@nhooyr (Contributor)

nhooyr commented Feb 25, 2023

All dependencies other than klauspost/compress are for tests alone. And dev has no dependencies whatsoever though I don't suggest running it in production yet.

@nhooyr (Contributor)

nhooyr commented Mar 5, 2023

I'll remove gin soon and move the third party tests into a different module so they don't show up and cause all this confusion.

@nhooyr (Contributor)

nhooyr commented Mar 6, 2023

Closing in favour of #297

@nhooyr nhooyr closed this as completed Mar 6, 2023