How do I update golang standard library in my go application?
Question
I have an application that was built with `go` 1.16.4, which uses (imports) the `archive/zip` component of the Go std lib. I took a look at the golang Release Notes and see that a security vulnerability has been fixed in `archive/zip` in golang 1.16.5. How do I ensure that my application is no longer vulnerable? Must I upgrade my version of `go` itself, and then rebuild with that new version of `go`? Or could I vendor the newer version of the fixed component then rebuild? Must the files in the build machine's `$GOROOT` be updated?
Answer 1
Score: 1
> Must I upgrade my version of `go` itself, and then rebuild with that new version of `go`?

Yes...
- Upgrade Go.
- Rebuild.

> Or could I vendor the newer version of the fixed component then rebuild?

No, you can't vendor the Go standard library.

> Must the files in the build machine's `$GOROOT` be updated?

GOROOT is the root folder of the Go SDK installation. It is updated when you upgrade Go on the machine (or container) that invokes `go build`/`go install`.
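To confirm that a rebuilt binary really came from a patched toolchain, the following added example (not part of the original answer) reads the Go version recorded in a built binary and compares it with 1.16.5, the release the question names. The names `minPatched`, `parseGoVersion` and `atLeast` are illustrative, and `debug/buildinfo` needs Go 1.18 or later to build the checker itself.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

const minPatched = "go1.16.5" // first release with the archive/zip fix, per the question

// parseGoVersion maps "go1.16.5" to [1 16 5]; "go1.16" and "go1.17rc1" get patch 0.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &out[0], &out[1], &out[2])
	if n < 2 { // e.g. "devel +abc123": cannot be ordered against a release
		return out, fmt.Errorf("not a release version: %q", v)
	}
	return out, nil
}

// atLeast reports whether toolchain version v is floor or newer.
func atLeast(v, floor string) (bool, error) {
	have, err1 := parseGoVersion(v)
	want, err2 := parseGoVersion(floor)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("cannot compare %q with %q", v, floor)
	}
	for i := range have {
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	return true, nil
}

// Usage: checkgo <built-binary>...  (added example; helper names are illustrative)
func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // toolchain version recorded at build time
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		if ok, err := atLeast(info.GoVersion, minPatched); err != nil || !ok {
			fmt.Printf("%s: built with %s, rebuild with %s or later\n", path, info.GoVersion, minPatched)
			os.Exit(1)
		}
		fmt.Printf("%s: built with %s\n", path, info.GoVersion)
	}
}
```

`go version <binary>` prints the same recorded toolchain version for a one-off manual check.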