Bump gopkg.in/yaml dependencies based on Security Issue (cve-2022-28948)
What does this MR do and why?
This MR bumps the indirect dependency gopkg.in/yaml.v3, which has a fixed security vulnerability.
usr/local/bin/release-cli (gobinary)
====================================
Total: 1 (HIGH: 1, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────────────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┤
│ gopkg.in/yaml.v3 │ CVE-2022-28948 │ HIGH │ fixed │ v3.0.0-20210107192922-496545a6307b │ 3.0.0-20220521103104-8f96da9f5d5e │ crash when attempting to deserialize invalid input │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28948 │
└──────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────────────────────────┴────────────────────────────────────────────────────┘
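Because Trivy flagged the module inside the shipped gobinary (`usr/local/bin/release-cli`) rather than in go.mod, the useful post-merge check is on the binary itself: the Go toolchain embeds the resolved module list at build time, and `go version -m /usr/local/bin/release-cli` prints it. The following is an added example (not code from this MR or from release-cli) that reads the same embedded build info with `runtime/debug` and compares the linked gopkg.in/yaml.v3 version against the "Fixed Version" from the table above. The comparison has to understand Go pseudo-versions (`v3.0.0-<UTC timestamp>-<hash>` sorts before the tagged `v3.0.0`, and two pseudo-versions order by timestamp) and tolerate Trivy's missing leading `v`; the function and constant names are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Values copied from the Trivy table in this MR (names are the example's own).
const (
	yamlModule   = "gopkg.in/yaml.v3"
	yamlFixedVer = "3.0.0-20220521103104-8f96da9f5d5e" // Trivy prints it without the leading "v"
)

// parseVersion splits a Go module version such as v3.0.1 or
// v3.0.0-20220521103104-8f96da9f5d5e into its numeric base and pre-release part.
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareVersion returns -1, 0 or +1 following Go module ordering for the
// shapes seen here: numeric base first; a tagged release beats any pre-release
// or pseudo-version of the same base; two pseudo-versions order by their
// 14-digit UTC timestamp, which a plain string compare handles correctly.
func compareVersion(a, b string) int {
	an, ap, _ := parseVersion(a)
	bn, bp, _ := parseVersion(b)
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == "" && bp == "":
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// yamlStatus reports the gopkg.in/yaml.v3 version compiled into a binary
// (from its embedded build info) and whether it is at or past the fixed version.
// A replace directive decides what was actually linked, so it takes precedence.
func yamlStatus(bi *debug.BuildInfo) (installed string, fixed bool, found bool) {
	for _, m := range bi.Deps {
		if m.Path != yamlModule {
			continue
		}
		if m.Replace != nil {
			m = m.Replace
		}
		return m.Version, compareVersion(m.Version, yamlFixedVer) >= 0, true
	}
	return "", false, false
}

// main checks the running binary itself; exit code 1 means the vulnerable
// version is still linked in, which is the same verdict Trivy gave above.
func main() {
	bi, ok := debug.ReadBuildInfo()
	if !ok {
		fmt.Fprintln(os.Stderr, "no embedded build info (binary not built in module mode)")
		os.Exit(2)
	}
	installed, fixed, found := yamlStatus(bi)
	switch {
	case !found:
		fmt.Printf("%s is not linked into this binary\n", yamlModule)
	case fixed:
		fmt.Printf("%s %s: fixed (>= %s)\n", yamlModule, installed, yamlFixedVer)
	default:
		fmt.Printf("%s %s: still below fixed version %s (CVE-2022-28948)\n", yamlModule, installed, yamlFixedVer)
		os.Exit(1)
	}
}
```

Bumping only go.mod is not enough on its own: an indirect dependency can be pulled in by several paths, so after `go get gopkg.in/yaml.v3@<fixed version>` and `go mod tidy`, rebuild the binary and let the check above (or `go version -m` on the artifact) confirm that the linked version moved, not just the requirement line.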
Checklist
- I added tests (none changed)
- Green pipeline (except for the license scanning, which is a lifecycle issue ... not changed with this MR)
- Assign to reviewer
Edited by Roman Plessl