Consider upgrading golang.org/x/text to the latest version

[jerisalan]

The following module dep golang.org/x/text has multiple critical CVE open for it. Please consider upgrading to latest versions.

golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

We use the datadog go client API in our internal products and the software scanning tool brought into attention a couple of CVE related to the above dependency.

CVE-2022-32149
CVE-2021-38561
CVE-2020-14040
CVE-2020-28852

[therve]

Hi,

We're somewhat stuck by the oauth2 dependency due to golang/oauth2#615 and the appengine underlying dependency. We need to consider what to do here. From I can gather the CVEs are either problematic as a server or against an arbitrary endpoint, so they don't affect us, but we should find a way to upgrade.

[therve]

For the record I double checked and we're not depending on the x/text versions you listed. They are present in go.sum but if you use go list -m all which is what build uses you see v0.7.0. If your security scanner flags the client with the listed CVEs it's wrong.

[jerisalan]

Thanks for confirming @therve. I will update the tool accordingly on our end.