upgrade go dependencies to fix indirectly imported CVE

[cboitel]

While reviewing dependencies on one of our project, i found the following

1. Extract from go mod graph:

github.com/hashicorp/[email protected] github.com/miekg/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/bketelsen/[email protected] github.com/hashicorp/consul/[email protected]

2. github.com/miekg/[email protected] suffers a CVE which is fixed in later versions which are now imported in latest version of github.com/hashicorp/consul/api (v1.14.0)

Upgrading to latest official version of dependencies would fix the issues. I will report to other projects using this module as dependency so they can track the upgrade once it is available here.

[bketelsen]

v0.0.5 released @cboitel @umarcor

[umarcor]

Thanks @bketelsen!

Unfortunately, this issue seems to remain:

# go mod graph | $GOPATH/bin/gomodtree github.com/miekg/[email protected]
github.com/miekg/[email protected]
|   github.com/hashicorp/[email protected]
|   |   github.com/hashicorp/[email protected]
|   |   |   github.com/hashicorp/consul/[email protected]
|   |   |   |   github.com/bketelsen/crypt

Which results in:

• https://github.com/bketelsen/crypt/blob/master/go.sum#L242
• https://github.com/bketelsen/crypt/blob/v0.0.5/go.sum#L242

The issue was fixed in hashicorp's repos already:

• github.com/hashicorp/mdns in Feb 2020: Bump miekg/dns hashicorp/mdns#77.
• github.com/hashicorp/serf in Oct 2021: hashicorp/serf@8649877. v0.9.6 was tagged 9 days ago: https://github.com/hashicorp/serf/tree/v0.9.6.
• github.com/hashicorp/consul 9 days ago: partitions: various refactors to support partitioning the serf LAN pool hashicorp/consul#11568 (although not explicitly explained). v1.11.0-beta3 was tagged 4 days ago: https://github.com/hashicorp/consul/releases/tag/v1.11.0-beta3.

Therefore, bumping to v1.11.0-beta3 should fix the issue. However:

# go get github.com/hashicorp/consul/[email protected]
go: downloading github.com/hashicorp/consul v1.11.0-beta3
go get: module github.com/hashicorp/[email protected] found, but does not contain package github.com/hashicorp/consul/api

Do we need to wait until v1.11.0 is tagged in hashicorp/consul?

/cc @rboyer

[umarcor]

According to https://pkg.go.dev/github.com/hashicorp/consul/api?tab=versions, v1.11.0 of github.com/hashicorp/consul/api was released on Sep 2021. So, we don't need to look at the regular tags in github.com/hashicorp/consul. Instead: https://github.com/hashicorp/consul/blob/api/v1.11.0/api/go.mod.

@rboyer maybe you can create tag api/v1.11.1?