Status
Justification
Impact
This vulnerability detection relates to the parent package (vitess), and is fixed in v20.4. The Vitess project creates multiple release tags in GitHub for each release, for example v20.4 and v20.0.4. Vitess uses v20.0.4 for the image / product version, but uses v20.4 for the published Go binary. There are no code differences between these release tags: https://github.com/vitessio/vitess/compare/v0.20.4...v20.0.4. The GitHub Advisory Database favors the version used by the published Go binary: https://github.com/advisories/GHSA-7mwh-q3xm-qh6p. Upstream also confirmed this in the following issue: https://github.com/vitessio/vitess/issues/17547.
Status