Bump golang.org/x/oauth2 from 0.0.0-20200107190931-bf48bf16ab8d to 0.27.0 #22
base: master
@@ -7,7 +7,19 @@ require ( | |
| github.com/sabhiram/go-gitignore v0.0.0-20180611051255-d3107576ba94 | ||
| github.com/shurcooL/githubv4 v0.0.0-20191127044304-8f68eb5628d0 | ||
| github.com/stretchr/testify v1.5.1 | ||
| golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d | ||
| golang.org/x/oauth2 v0.27.0 | ||
| ) | ||
|
|
||
| go 1.15 | ||
| require ( | ||
| github.com/davecgh/go-spew v1.1.1 // indirect | ||
| github.com/google/go-querystring v1.0.0 // indirect | ||
| github.com/pmezard/go-difflib v1.0.0 // indirect | ||
| github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f // indirect | ||
| golang.org/x/mod v0.3.0 // indirect | ||
| golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2 // indirect | ||
|
High severity vulnerability introduced by a package you're using:

ℹ️ Why this matters
Affected versions of golang.org/x/net are vulnerable to Uncontrolled Resource Consumption. The HTTP/2 vulnerability occurs when a malicious client rapidly creates and resets requests, causing excessive server resource consumption. Despite the MaxConcurrentStreams setting limiting the total requests, resetting an ongoing request enables the attacker to initiate a new request concurrently.

To resolve this comment:

💬 Ignore this finding
To ignore this, reply with:

Questions about this issue? Reach out to Product Security in #prodsec-tools.
You can view more details on this finding in the Semgrep AppSec Platform here.
||
| golang.org/x/tools v0.0.0-20200527183253-8e7acdbce89d // indirect | ||
| golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect | ||
| gopkg.in/yaml.v2 v2.3.0 // indirect | ||
| ) | ||
|
|
||
| go 1.23.0 | ||
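Review bot: the indirect requirement `golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2 // indirect` written into the new `require` block pins a 2020 pseudo-version of x/net, which is exactly the line the security scanner flags twice in this PR (HTTP/2 request-reset and HPACK resource exhaustion; the scanner notes that versions before 0.7.0 are affected by the HPACK issue). Since this PR only bumps `golang.org/x/oauth2` to v0.27.0, the stale x/net version survives as an explicitly recorded indirect dependency; run `go get golang.org/x/net@latest` followed by `go mod tidy` in the same change so the module graph does not keep selecting a known-vulnerable version. Two further things for the reviewer to confirm: the `go` directive moves from `go 1.15` to `go 1.23.0`, so CI and release builds need a Go 1.23 toolchain (a go.mod this recent will also accept a `toolchain` line if the build machines are older), and the whole `// indirect` block is new because modules at go 1.17 and later record indirect requirements explicitly, so none of those nine lines represents a new direct import.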
High severity vulnerability may affect your project—review required:
Line 19 lists a dependency (golang.org/x/net) with a known High severity vulnerability.

ℹ️ Why this matters
golang.org/x/net versions before 0.7.0 are vulnerable to Uncontrolled Resource Consumption caused by the HPACK decoder. A malformed HTTP/2 Stream could be sufficient to cause a denial of service from a small number of small requests.

References: GHSA, CVE

To resolve this comment:
Check if you host a user-facing application utilizing net with the HPACK decoder.
/fp we don't use this [condition]

💬 Ignore this finding
To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons

Questions about this issue? Reach out to Product Security in #prodsec-tools.
You can view more details on this finding in the Semgrep AppSec Platform here.