Updating dependency github.com/sirupsen/logrus v1.8.1

[ZacharyTJin]

Hi!

May I know if it is possible to upgrade the dependency github.com/sirupsen/logrus v1.8.1 to v1.9.3. Vulnerability risk is reported on this version

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391

Thanks!

[jamietanna]

Hey @ZacharyTJin thanks for the report.

I can't see that we have a CVE affecting our direct usage of runtime:

% govulncheck --version
Go: go1.24.5
Scanner: govulncheck@v1.1.4
DB: https://vuln.go.dev
DB updated: 2025-08-29 15:42:26 +0000 UTC

No vulnerabilities found.
% govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.19.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: styleparam.go:458:20: runtime.primitiveToString calls http2.ErrCode.String
      #2: styleparam.go:458:20: runtime.primitiveToString calls http2.FrameType.String
      #3: styleparam.go:458:20: runtime.primitiveToString calls http2.Setting.String
      #4: styleparam.go:458:20: runtime.primitiveToString calls http2.SettingID.String
      #5: types/file.go:47:20: types.File.Bytes calls io.ReadAll, which eventually calls http2.chunkWriter.Write
      #6: bindparam.go:375:24: runtime.BindQueryParameter calls fmt.Errorf, which eventually calls http2.duplicatePseudoHeaderError.Error
      #7: bindparam.go:375:24: runtime.BindQueryParameter calls fmt.Errorf, which eventually calls http2.headerFieldNameError.Error
      #8: bindparam.go:375:24: runtime.BindQueryParameter calls fmt.Errorf, which eventually calls http2.headerFieldValueError.Error
      #9: bindparam.go:375:24: runtime.BindQueryParameter calls fmt.Errorf, which eventually calls http2.pseudoHeaderError.Error
      #10: styleparam.go:458:20: runtime.primitiveToString calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.
This scan also found 4 vulnerabilities in packages you import and 4
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
govulncheck ./...  12.82s user 1.11s system 421% cpu 3.308 total

As in #64 (and until we have oapi-codegen/governance#11 fully documented) we'll not be bumping dependencies arbitrarily to resolve CVEs for consuming services, unless there is a direct vulnerability that govulncheck can find.