From 66dc24566fadca77782c620826c0831a29c6f286 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Tue, 2 Sep 2025 11:39:33 +0100
Subject: [PATCH] versions: Bump gopkg.in/yaml.v3
Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 to remediate CVE-2022-28948
Signed-off-by: stevenhorsman
---
 tests/go.mod | 2 +-
 tests/go.sum | 4 ++--
 tests/vendor/gopkg.in/yaml.v3/parserc.go | 11 ++++++++++-
 tests/vendor/modules.txt | 2 +-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/tests/go.mod b/tests/go.mod
index ec0eea2c93..7bcb3457c9 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/rivo/uniseg v0.2.0 // indirect
 github.com/russross/blackfriday v1.6.0 // indirect
 golang.org/x/sys v0.19.0 // indirect
- gopkg.in/yaml.v3 v3.0.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 // WARNING: Do NOT use `replace` directives as those break dependabot:
diff --git a/tests/go.sum b/tests/go.sum
index 2d0f10d12a..db555241ff 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -36,5 +36,5 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/tests/vendor/gopkg.in/yaml.v3/parserc.go b/tests/vendor/gopkg.in/yaml.v3/parserc.go
index ac66fccc05..268558a0d6 100644
--- a/tests/vendor/gopkg.in/yaml.v3/parserc.go
+++ b/tests/vendor/gopkg.in/yaml.v3/parserc.go
@@ -687,6 +687,9 @@ func yaml_parser_parse_node(parser *yaml_parser_t, event *yaml_event_t, block, i
 func yaml_parser_parse_block_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 if first {
 token := peek_token(parser)
+ if token == nil {
+ return false
+ }
 parser.marks = append(parser.marks, token.start_mark)
 skip_token(parser)
 }
@@ -786,7 +789,7 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
 }
 token := peek_token(parser)
- if token.typ != yaml_BLOCK_SEQUENCE_START_TOKEN && token.typ != yaml_BLOCK_MAPPING_START_TOKEN {
+ if token == nil || token.typ != yaml_BLOCK_SEQUENCE_START_TOKEN && token.typ != yaml_BLOCK_MAPPING_START_TOKEN {
 return
 }
@@ -813,6 +816,9 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
 func yaml_parser_parse_block_mapping_key(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 if first {
 token := peek_token(parser)
+ if token == nil {
+ return false
+ }
 parser.marks = append(parser.marks, token.start_mark)
 skip_token(parser)
 }
@@ -922,6 +928,9 @@ func yaml_parser_parse_block_mapping_value(parser *yaml_parser_t, event *yaml_ev
 func yaml_parser_parse_flow_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 if first {
 token := peek_token(parser)
+ if token == nil {
+ return false
+ }
 parser.marks = append(parser.marks, token.start_mark)
 skip_token(parser)
 }
diff --git a/tests/vendor/modules.txt b/tests/vendor/modules.txt
index 11d0652b36..e0d6e2726c 100644
--- a/tests/vendor/modules.txt
+++ b/tests/vendor/modules.txt
@@ -38,6 +38,6 @@ golang.org/x/sys/windows
 # gopkg.in/yaml.v2 v2.4.0
 ## explicit; go 1.15
 gopkg.in/yaml.v2
-# gopkg.in/yaml.v3 v3.0.0
+# gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3