This repository was archived by the owner on Sep 30, 2024. It is now read-only.

Commit b29fcfb

keegancsmith authored and BolajiOlajide committed
gomod: use graphql-go fork to fix CVE-2022-37315 (#46621)
I found this when scanning sourcegraph/gitserver:4.4.0-rc.1. This is the same fork and commit used by the kubeops project: kubeops/ui-server@59bb7a6

Snyk report is at https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGRAPHQLGOGRAPHQLLANGUAGEPARSER-2964941 and the upstream issue is at graphql-go/graphql#637

Test Plan: CI
1 parent 57c8377 commit b29fcfb

2 files changed: 4 additions, 2 deletions

go.mod

Lines changed: 2 additions & 0 deletions
@@ -480,6 +480,8 @@ replace (
480480
github.com/ghodss/yaml => github.com/sourcegraph/yaml v1.0.1-0.20200714132230-56936252f152
481481
// Pending: Renamed to github.com/google/gnostic. Transitive deps still use the old name (kubernetes/kubernetes).
482482
github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.5.5
483+
// Pending upstream fixing CVE-2022-37315 https://github.com/graphql-go/graphql/issues/637
484+
github.com/graphql-go/graphql => github.com/jamesdphillips/graphql-go v0.7.4-0.20220810211622-efd2a06de890
483485
// Pending a release cut of https://github.com/prometheus/alertmanager/pull/3010
484486
github.com/prometheus/common => github.com/prometheus/common v0.32.1
485487
// Pending: https://github.com/shurcooL/httpgzip/pull/9
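Review bot: the fork pseudo-version `v0.7.4-0.20220810211622-efd2a06de890` in the new replace line means the latest tag reachable from commit efd2a06 in the fork is v0.7.3, whereas the module being replaced was pinned at v0.8.0 (see the go.sum lines dropped in this change); confirm that the fork commit carries the v0.8.0 changes the codebase currently builds against, not just the parser fix, or that nothing here depends on them. Also, since this points at a personal fork with no release tag, it would help to note in the `// Pending upstream fixing CVE-2022-37315 ...` comment that the replace is to be removed once graphql-go/graphql#637 is resolved, matching the convention of the neighbouring `// Pending ...` lines.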

go.sum

Lines changed: 2 additions & 2 deletions
@@ -1268,8 +1268,6 @@ github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db h1:7aN5cccjIqCLTzed
12681268
github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A=
12691269
github.com/graph-gophers/graphql-go v1.3.0 h1:Eb9x/q6MFpCLz7jBCiP/WTxjSDrYLR1QY41SORZyNJ0=
12701270
github.com/graph-gophers/graphql-go v1.3.0/go.mod h1:9CQHMSxwO4MprSdzoIEobiHpoLtHm77vfxsvsIN5Vuc=
1271-
github.com/graphql-go/graphql v0.8.0 h1:JHRQMeQjofwqVvGwYnr8JnPTY0AxgVy1HpHSGPLdH0I=
1272-
github.com/graphql-go/graphql v0.8.0/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
12731271
github.com/gregjones/httpcache v0.0.0-20170920190843-316c5e0ff04e/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
12741272
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
12751273
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
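Review bot: dropping both `github.com/graphql-go/graphql v0.8.0 h1:...` and its `/go.mod h1:...` checksum line is expected once a replace directive routes every version of that module path to the fork, because Go no longer verifies the original module; confirm these two removals came from `go mod tidy` rather than hand editing so the rest of go.sum stays consistent with go.mod.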
@@ -1440,6 +1438,8 @@ github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0f
14401438
github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
14411439
github.com/jackc/puddle v1.2.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
14421440
github.com/jaguilar/vt100 v0.0.0-20150826170717-2703a27b14ea/go.mod h1:QMdK4dGB3YhEW2BmA1wgGpPYI3HZy/5gD705PXKUVSg=
1441+
github.com/jamesdphillips/graphql-go v0.7.4-0.20220810211622-efd2a06de890 h1:v97ti/6TlQgWGie/nGuO6GrDabur7Basxomhlp/vzW4=
1442+
github.com/jamesdphillips/graphql-go v0.7.4-0.20220810211622-efd2a06de890/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
14431443
github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
14441444
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
14451445
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
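Review bot: the `/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=` checksum added for `github.com/jamesdphillips/graphql-go v0.7.4-0.20220810211622-efd2a06de890` is identical to the one removed for `github.com/graphql-go/graphql v0.8.0` in the earlier hunk, so the fork's go.mod (and therefore its declared dependencies) is unchanged from upstream v0.8.0; that is consistent with a narrow parser fix, but since the module hash (`h1:v97ti/...`) is new, the code contents differ and the checksum should be recorded as the fork commit the commit message names rather than regenerated later from a moving branch.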
