labstack/echo v3.3.10 dependency vulnerability about dd-trace-go HOT 5 CLOSED

Hi @Lexdamian, thanks for the suggestion. This removal is planned in our v2 release, still in the works.

Is this causing you any issue that would require us to tackle it before our v2 release?

from dd-trace-go.

Hello! I am fixing vulnerabilities issues that are critical and this one is blocking a bunch of repos on our side. What's the release schedule for v2? I have a PR ready for the above mentioned remediation just in case.

from dd-trace-go.

@Lexdamian Unless you import our contrib for labstack/echo you aren't vulnerable. Please check our SECURITY.md:

If you are using a vulnerability checker other than golang.org/x/vuln/vulncheck you may detect vulnerabilities in our contrib dependencies. In general we like to specify non-vulnerable minimum versions of dependencies when we can do so in a non-breaking way. To avoid breaking users of this library there may be contrib libraries that are deprecated/vulnerable but still appear in our go.mod file. If you are not using these contrib packages you are not vulnerable (i.e. if they do not appear in your go.sum file). At the next major version we will drop support for these packages. (e.g. as of dd-trace-go@v1 labstack/echo v3 is considered deprecated and users should migrate to labstack/echo.v4)

Regarding v2, there isn't a release schedule yet.

from dd-trace-go.

@Lexdamian Can you confirm you are still affected according to vulncheck? As I already stated, unless you import explicitly the labstack/echo contrib, you shouldn't be affected by any vulnerability related to it.

from dd-trace-go.

Closing as we addressed the issue as stated in our security policy. Feel free to open a support ticket if it's still an issue on your side (so, you are importing the contrib).

from dd-trace-go.