Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update github.com/gin-gonic/gin #318

Closed
kirill-scherba opened this issue Oct 2, 2021 · 6 comments
Closed

Update github.com/gin-gonic/gin #318

kirill-scherba opened this issue Oct 2, 2021 · 6 comments

Comments

@kirill-scherba
Copy link

Hi!

Could you please update the https://github.com/gin-gonic/gin. Github Dependabot send alerts to projects uses your nhooyr/websocket project because you use the https://github.com/gin-gonic/gin v1.6.3, but they need Patched version: 1.7.0.

See the message:

CVE-2020-28483
high severity
Vulnerable versions: < 1.7.0
Patched version: 1.7.0
This affects all versions of package https://github.com/gin-gonic/gin under 1.7.0. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

I have use your https://github.com/nhooyr/websocket project in my https://github.com/kirill-scherba/teowebrtc project for make webrtc signaling client/server and this Github Dependabot alert is placed in my project page now :-)

I think you need just execute go get -u and publish new tag!

Thanks.
Best regards,
Kirill Scherba.
@kirill-scherba
Copy link
Author

P.S. There is PR which fix this issue: #310

kirill-scherba added a commit to kirill-scherba/websocket that referenced this issue Oct 2, 2021
@kirill-scherba
Update all modules
b5bc58d 
issue nhooyr#318
This was referenced Oct 2, 2021
Closed
Merged
kirill-scherba added a commit to kirill-scherba/websocket that referenced this issue Oct 2, 2021
@kirill-scherba
Merge pull request #1 from kirill-scherba:kirill-scherba/issue318
f71903a 
Bump github.com/gin-gonic/gin from 1.6.3 to 1.7.0
fixes nhooyr#318
kirill-scherba added a commit to kirill-scherba/websocket that referenced this issue Oct 2, 2021
@kirill-scherba
Module name updated
c9f07c5 
issue nhooyr#318
@oderwat
Copy link

oderwat commented Nov 16, 2021

I actuallly wonder how this is "single dependency" with all the other modules needed :)

sailormoon pushed a commit to sailormoon/websocket that referenced this issue Dec 11, 2021
@kirill-scherba @sailormoon
Update all modules
c5420f0 
issue nhooyr#318
sailormoon pushed a commit to sailormoon/websocket that referenced this issue Dec 11, 2021
@kirill-scherba @sailormoon
Module name updated
ff7e705 
issue nhooyr#318
@psanford psanford mentioned this issue Dec 19, 2021
Closed
@Jacalz Jacalz mentioned this issue Mar 5, 2022
Closed
@prochac
Copy link

prochac commented Feb 4, 2023
edited

I'm also for the dependency removal, then struggle with its upgrades.
It bothers both gin users or no.
AFAIK it's used only for integration test.

The same is about github.com/gobwas/ws and github.com/gorilla/websocket that are listed as dependency while they not.

@nhooyr
Copy link
Owner

nhooyr commented Feb 25, 2023

All dependencies other than klauspost/compress are for tests alone. And dev has no dependencies whatsoever though I don't suggest running it in production yet.

@nhooyr
Copy link
Owner

nhooyr commented Mar 5, 2023

I'll remove gin soon and move the third party tests into a different module so they don't show up and cause all this confusion.

@nhooyr nhooyr mentioned this issue Mar 6, 2023
Closed
@nhooyr
Copy link
Owner

nhooyr commented Mar 6, 2023

Closing in favour of #297

@nhooyr nhooyr closed this as completed Mar 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@oderwat @kirill-scherba @nhooyr @prochac