PR #58: uses gopkg.in/yaml.v3 instead of goccy/go-yaml as required by #57 #87

Closed
opened 2026-05-12 19:19:36 +00:00 by rodin · 0 comments
Owner

What was missed

Issue #57 explicitly required using github.com/goccy/go-yaml v1.16.0 or later, with a documented security rationale:

Use github.com/goccy/go-yaml v1.16.0 or later.
Why this library:

  • Actively maintained (10 releases in the last year, current v1.19.2)
  • Security issue (AIKIDO-2024-10486, DoS via deep nesting) was fixed promptly in v1.16.0
  • gopkg.in/yaml.v3 is abandoned (no code changes since May 2022)

PR #58 instead added gopkg.in/yaml.v3 (the abandoned library the issue explicitly rejected). The PR implements the YAML depth defense with MaxYAMLDepth/MaxYAMLNodes constants, but uses the wrong underlying library.

Note: gopkg.in/yaml.v3 has its own YAML parsing quirks and lacks active maintenance. The explicit library choice in the issue was not honored.

Source

  • PR: #58 — feat: add YAML support for persona files
  • Linked issue: #57 — Add YAML support for persona files
  • File: go.mod line containing gopkg.in/yaml.v3 v3.0.1

What needs to happen

  • Replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml at v1.16.0+
  • Update review/persona.go import from gopkg.in/yaml.v3 to github.com/goccy/go-yaml
  • Verify existing YAML tests still pass with the new library
  • Remove gopkg.in/yaml.v3 from go.mod and go.sum
  • go build ./... and go test ./... pass

References

  • PR #58: https://gitea.weiker.me/rodin/review-bot/pulls/58
  • Issue #57: https://gitea.weiker.me/rodin/review-bot/issues/57
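As an added illustration of the depth defense the issue refers to (this is editor-supplied example code, not code from PR #58, from `review/persona.go`, or from either YAML library): a library-agnostic guard that walks the generic tree a YAML decoder produces and enforces depth and node-count limits. Only the names `MaxYAMLDepth` and `MaxYAMLNodes` come from the page; their values, the function `CheckYAMLBounds`, and the constructed `nested` document are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed limit values: the page names MaxYAMLDepth/MaxYAMLNodes but does
// not state the values PR #58 chose.
const (
	MaxYAMLDepth = 32
	MaxYAMLNodes = 10000
)

var (
	ErrTooDeep      = errors.New("yaml: nesting depth exceeds MaxYAMLDepth")
	ErrTooManyNodes = errors.New("yaml: node count exceeds MaxYAMLNodes")
)

// CheckYAMLBounds walks the generic tree a YAML decoder produces when
// unmarshalling into an `any` (map[string]any, []any, scalars) and fails
// fast once nesting depth or total node count crosses the limit. Depth is
// counted from 1 at the root and includes scalar leaves. The observed
// depth and node count are returned for logging even on success.
func CheckYAMLBounds(doc any, maxDepth, maxNodes int) (depth, nodes int, err error) {
	var walk func(v any, d int) error
	walk = func(v any, d int) error {
		nodes++
		if nodes > maxNodes {
			return ErrTooManyNodes
		}
		if d > depth {
			depth = d
		}
		if d > maxDepth {
			return ErrTooDeep
		}
		switch t := v.(type) {
		case map[string]any:
			for _, child := range t {
				if e := walk(child, d+1); e != nil {
					return e
				}
			}
		case map[any]any: // produced by some decoders for non-string keys
			for _, child := range t {
				if e := walk(child, d+1); e != nil {
					return e
				}
			}
		case []any:
			for _, child := range t {
				if e := walk(child, d+1); e != nil {
					return e
				}
			}
		}
		return nil
	}
	err = walk(doc, 1)
	return depth, nodes, err
}

// nested builds a constructed document {"a": {"a": ... "leaf"}} with the
// given number of mapping levels, standing in for decoder output.
func nested(levels int) any {
	var v any = "leaf"
	for i := 0; i < levels; i++ {
		v = map[string]any{"a": v}
	}
	return v
}

func main() {
	// A shallow document passes; one with MaxYAMLDepth mapping levels has
	// MaxYAMLDepth+1 levels once the leaf is counted and is rejected.
	for _, levels := range []int{4, MaxYAMLDepth} {
		d, n, err := CheckYAMLBounds(nested(levels), MaxYAMLDepth, MaxYAMLNodes)
		fmt.Printf("levels=%d depth=%d nodes=%d err=%v\n", levels, d, n, err)
	}
}
```

A post-decode walk like this bounds what the application accepts, but it runs only after the parser has already consumed the input, so it cannot protect the parser itself from pathological nesting; that is the reason the issue pins `github.com/goccy/go-yaml` at v1.16.0 or later, where the deep-nesting DoS it cites was fixed. Both `gopkg.in/yaml.v3` and `github.com/goccy/go-yaml` declare `package yaml` and expose `yaml.Unmarshal`, so the import-path change in `review/persona.go` listed above is the main source edit for the swap.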
rodin added the bugai-review labels 2026-05-12 19:19:36 +00:00
rodin self-assigned this 2026-05-12 20:19:16 +00:00

Reference: rodin/review-bot#87