Reputation: 2527
How do I update golang standard library in my go application?
I have an application that was built with go 1.16.4, which uses (imports) the archive/zip component of the Go std lib. I took a look at the golang Release Notes and see that a security vulnerability has been fixed in archive/zip in golang 1.16.5. How do I ensure that my application is no longer vulnerable? Must I upgrade my version of go itself, and then rebuild with that new version of go? Or could I vendor the newer version of the fixed component then rebuild? Must the files in the build machine's $GOROOT be updated?
Upvotes: 1
Views: 3255
Answers (1)
Reputation: 85481
Must I upgrade my version of
goitself, and then rebuild with that new version ofgo?
Yes...
- Upgrade Go.
- Rebuild.
Or could I vendor the newer version of the fixed component then rebuild?
No, you can't vendor the Go standard library.
Must the files in the build machine's
$GOROOTbe updated?
GOROOT is the root folder of the Go SDK installation. It is updated when you upgrade Go on the machine (or container) that invokes go build/go install.
Upvotes: 1
Related Questions
- Golang update vendor dependencies every deploy
- Running go mod vendor updates my libraries
- golang vendor path cannot find package
- How to resolve packages dependencies in Go?
- Install go package with dependencies
- How make go import packages from vendor?
- Vendoring Golang Shared Repository
- Issues with goLang dependencies
- How do I fix the error message "use of an internal package not allowed" when go getting a golang package?
- using libraries in Golang