Update github.com/gin-gonic/gin

[kirill-scherba]

Hi!

Could you please update the https://github.com/gin-gonic/gin. Github Dependabot send alerts to projects uses your nhooyr/websocket project because you use the https://github.com/gin-gonic/gin v1.6.3, but they need Patched version: 1.7.0.

See the message:

CVE-2020-28483
high severity
Vulnerable versions: < 1.7.0
Patched version: 1.7.0
This affects all versions of package https://github.com/gin-gonic/gin under 1.7.0. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

I have use your https://github.com/nhooyr/websocket project in my https://github.com/kirill-scherba/teowebrtc project for make webrtc signaling client/server and this Github Dependabot alert is placed in my project page now :-)

I think you need just execute go get -u and publish new tag!

Thanks.
Best regards,
Kirill Scherba.

[kirill-scherba]

P.S. There is PR which fix this issue: #310

[oderwat]

I actuallly wonder how this is "single dependency" with all the other modules needed :)

[prochac]

I'm also for the dependency removal, then struggle with its upgrades.
It bothers both gin users or no.
AFAIK it's used only for integration test.

---

The same is about github.com/gobwas/ws and github.com/gorilla/websocket that are listed as dependency while they not.

[nhooyr]

All dependencies other than klauspost/compress are for tests alone. And dev has no dependencies whatsoever though I don't suggest running it in production yet.

[nhooyr]

I'll remove gin soon and move the third party tests into a different module so they don't show up and cause all this confusion.