Labels: dependencies (Pull requests that update a dependency file), kind/external, kubernetes
Description
This project has an indirect dependency on github.com/mailru/easyjson, a Go library with maintainers based in Russia and affiliated with VK Group. VK Group has known ties to the Russian government and a history of cooperating with Russian security services, including sharing user data.
According to the Hunted Labs report, "The Russian Open Source Project That We Can’t Live Without", this dependency poses a significant supply chain risk. A compromised easyjson library could lead to severe consequences, including:
- Supply chain backdoors
- Remote code execution
- Espionage
- Data exfiltration
- Potential "kill switch" functionality
To mitigate these risks, I propose to remove this indirect dependency.
Dependencies that rely on easyjson (updated based on the discussion below):
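Before an indirect dependency can be removed, every direct dependency that pulls it in has to be identified; removing only one of them leaves the module in the build if another path still reaches it. The following is an added example, not code from the issue author or from the project: it parses the `requirer required` pairs printed by `go mod graph`, collapses versions so that all versions of a module are one node, and lists every path from the main module to a target module together with the direct dependencies those paths start from. The embedded graph is constructed for illustration (module names such as `example.com/app` and the version strings are made up); in practice the input would come from running `go mod graph` in the repository (or `go mod why -m github.com/mailru/easyjson` for a single path).

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output. Each line is
// "requirer required"; the main module has no version suffix and appears first.
// Module names and versions are illustrative only, not the project's real graph.
const sampleGraph = `example.com/app github.com/spf13/cobra@v1.8.0
example.com/app k8s.io/apimachinery@v0.30.0
example.com/app k8s.io/client-go@v0.30.0
github.com/spf13/cobra@v1.8.0 github.com/spf13/pflag@v1.0.5
k8s.io/apimachinery@v0.30.0 k8s.io/kube-openapi@v0.0.0-20240101000000-000000000000
k8s.io/client-go@v0.30.0 k8s.io/apimachinery@v0.30.0
k8s.io/client-go@v0.30.0 k8s.io/kube-openapi@v0.0.0-20240101000000-000000000000
k8s.io/kube-openapi@v0.0.0-20240101000000-000000000000 github.com/mailru/easyjson@v0.7.7
`

// modulePath strips the "@version" suffix so every version of a module is one node.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ModGraph is the module requirement graph keyed by module path (versions dropped).
type ModGraph struct {
	Main  string
	Edges map[string][]string
}

// ParseModGraph reads `go mod graph` text; the first requirer is taken as the main module.
func ParseModGraph(text string) ModGraph {
	g := ModGraph{Edges: map[string][]string{}}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		from, to := modulePath(fields[0]), modulePath(fields[1])
		if g.Main == "" {
			g.Main = from
		}
		if key := from + " " + to; !seen[key] { // dedupe edges that differ only by version
			seen[key] = true
			g.Edges[from] = append(g.Edges[from], to)
		}
	}
	return g
}

// PathsTo returns every simple path from the main module to target (by module path).
func (g ModGraph) PathsTo(target string) [][]string {
	var paths [][]string
	var walk func(node string, trail []string, onPath map[string]bool)
	walk = func(node string, trail []string, onPath map[string]bool) {
		trail = append(trail, node)
		if node == target {
			paths = append(paths, append([]string(nil), trail...))
			return
		}
		onPath[node] = true // guard against require cycles
		for _, next := range g.Edges[node] {
			if !onPath[next] {
				walk(next, trail, onPath)
			}
		}
		onPath[node] = false
	}
	walk(g.Main, nil, map[string]bool{})
	return paths
}

// DirectRequirers lists the main module's direct dependencies through which target is reached.
// Dropping the indirect dependency requires dealing with every one of them.
func (g ModGraph) DirectRequirers(target string) []string {
	set := map[string]bool{}
	for _, p := range g.PathsTo(target) {
		if len(p) >= 2 {
			set[p[1]] = true
		}
	}
	out := make([]string, 0, len(set))
	for m := range set {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	g := ParseModGraph(sampleGraph)
	const target = "github.com/mailru/easyjson"
	for _, p := range g.PathsTo(target) {
		fmt.Println(strings.Join(p, " -> "))
	}
	fmt.Println("direct requirers to address:", g.DirectRequirers(target))
}
```

Run against real output with `go mod graph | go run ./tool -` after swapping the constant for stdin reading; the constructed graph above deliberately reaches the target through two direct dependencies so that the output shows why removing a single requirement is not enough.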