Welcome
- Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've included all information below (version, config, etc).
- Yes, I've tried with the standalone linter if available. (https://golangci-lint.run/usage/linters/)
Description of the problem
The file .github/contributors/package-lock.json (which is created by npm) has versions of modules that have known security vulnerabilities.
This is how I found the problem:
- Created a fork of golangci/golangci-lint at https://github.com/CiscoM31/golangci-lint and made sure the fork was in sync with upstream master.
- Noticed the GitHub banner message: "We found potential security vulnerabilities in your dependencies."
- Clicked "enable dependabot" to see dependabot alerts. In the "Security" tab, a new "Dependabot alerts" item is added: https://github.com/CiscoM31/golangci-lint/security/dependabot.
- "Get notified when one of your dependencies has a vulnerability".
- I've noticed this item is not present in the upstream project "golangci/golangci-lint".
- In the fork, "Dependabot alerts" shows 11 security alerts.
Maybe I am missing something, but it looks like the same issues are impacting the main project golangci/golangci-lint. npm is created by .github/contributors/package-lock.json and I'm not sure how golangci/golangci-lint uses these dependencies.
It would be good to set up a security policy to provide information on how to report security vulnerabilities.
Version of golangci-lint
$ golangci-lint --version
# Not applicable
Configuration file
$ cat .golangci.yml
# Not applicable
Go environment
$ go version && go env
# Not applicable
Verbose output of running
$ golangci-lint cache clean
$ golangci-lint run -v
# Not applicable
Code example or link to a public repository
// not applicable