Upgrade gopkg.in/yaml to v3

Fixes vulnerability: https://github.com/advisories/GHSA-hp87-p4gw-j4gq YAML v3 deserializes maps as map[string]interface{} so we handle this in MapImportSource now. Signed-off-by: Jesse Szwedko <jesse@szwedko.me>
2022-06-18 11:02:36 -07:00 · 2022-06-18 11:02:36 -07:00 · ee0756044c
commit ee0756044c
parent e576ba4022
5 changed files with 16 additions and 8 deletions
--- a/altsrc/map_input_source.go
+++ b/altsrc/map_input_source.go
@ -32,11 +32,19 @@ func nestedVal(name string, tree map[interface{}]interface{}) (interface{}, bool
 			if !ok {
 				return nil, false
 			}
-			ctype, ok := child.(map[interface{}]interface{})
-			if !ok {
+
+			switch child := child.(type) {
+			case map[string]interface{}:
+				m := make(map[interface{}]interface{}, len(child))
+				for k, v := range child {
+					m[k] = v
+				}
+				node = m
+			case map[interface{}]interface{}:
+				node = child
+			default:
 				return nil, false
 			}
-			node = ctype
 		}
 		if val, ok := node[sections[len(sections)-1]]; ok {
 			return val, true
--- a/altsrc/yaml_file_loader.go
+++ b/altsrc/yaml_file_loader.go
@ -11,7 +11,7 @@ import (

 	"github.com/urfave/cli/v2"

-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )

 type yamlSourceContext struct {
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.1
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673
 	golang.org/x/text v0.3.7
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )

 require github.com/russross/blackfriday/v2 v2.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -12,5 +12,5 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e h1:FDhOuMEY4JVRztM/gsbk+IK
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/genflags/cmd/genflags/main.go
+++ b/internal/genflags/cmd/genflags/main.go
@ -15,7 +15,7 @@ import (

 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/internal/genflags"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )

 const (