Exclude gin and bluemonday package from dependencies

Igor Drozdov requested to merge id-exclude-vulnerable-packages into master

What does this MR do and why?

  • github.com/gin-gonic/gin < 1.6.0 vulnerable to CVE-2020-28483
  • github.com/microcosm-cc/bluemonday < 1.0.16 to CVE-2021-42576

The vulnerabilities are not exploitable in Workhorse because these packages are nested dependencies and used by nhooyr/websocket and sentry-go/iris that we don't use directly.

Related issues:

Edited by Igor Drozdov
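
To see which parent modules require the affected versions named in the description, the Go program below scans `go mod graph` output for edges that point at gin or bluemonday below the fixed versions. It is an added example, not part of the merge request or the Workhorse code base; the graph lines, the parent module versions and `example.com/app` are constructed sample data, and `AffectedEdges` and `below` are hypothetical helper names.

```go
package main

import "fmt"
import "strings"

// fixedIn: first unaffected version per module, as listed in the MR description.
var fixedIn = map[string]string{
	"github.com/gin-gonic/gin":           "v1.6.0",
	"github.com/microcosm-cc/bluemonday": "v1.0.16",
}

// sampleGraph is constructed `go mod graph` output: "parent required-module" per line.
const sampleGraph = `example.com/app nhooyr.io/websocket@v1.8.6
nhooyr.io/websocket@v1.8.6 github.com/gin-gonic/gin@v1.5.0
example.com/app github.com/getsentry/sentry-go@v0.10.0
github.com/getsentry/sentry-go@v0.10.0 github.com/microcosm-cc/bluemonday@v1.0.2
github.com/getsentry/sentry-go@v0.10.0 github.com/gin-gonic/gin@v1.6.3`

// below compares vMAJOR.MINOR.PATCH numerically; pre-release/build suffixes are ignored.
func below(v, fix string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(fix, "v%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// AffectedEdges returns "parent -> module@version" for each edge below a fixed version.
func AffectedEdges(graph string) []string {
	var hits []string
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			mod, ver, hasVer := strings.Cut(f[1], "@")
			if fix, ok := fixedIn[mod]; ok && hasVer && below(ver, fix) {
				hits = append(hits, f[0]+" -> "+f[1])
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(strings.Join(AffectedEdges(sampleGraph), "\n"))
}
```

Graph edges show what each module requires, not the version finally selected for the build; `go list -m all` prints the selected build list.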
