I have an application that was built with go 1.16.4, which uses (imports) the archive/zip component of the Go std lib. I took a look at the golang Release Notes and see that a security vulnerability has been fixed in archive/zip in golang 1.16.5. How do I ensure that my application is no longer vulnerable? Must I upgrade my version of go itself, and then rebuild with that new version of go? Or could I vendor the newer version of the fixed component then rebuild? Must the files in the build machine's $GOROOT be updated?
Must I upgrade my version of
goitself, and then rebuild with that new version ofgo?
Yes...
Or could I vendor the newer version of the fixed component then rebuild?
No, you can't vendor the Go standard library.
Must the files in the build machine's
$GOROOTbe updated?
GOROOT is the root folder of the Go SDK installation. It is updated when you upgrade Go on the machine (or container) that invokes go build/go install.