
Suspected vulnerabilities in dependencies #279

Open
bssth opened this issue May 3, 2024 · 5 comments
Labels
v2 Targeting GopenPGP v2

Comments

bssth commented May 3, 2024

Dependabot complains that some of your library's dependencies have known vulnerabilities. This is about github.com/cloudflare/circl and golang.org/x/crypto.

Proposals from the bot:

  • Update github.com/cloudflare/circl from 1.3.3 to 1.3.7
  • Update golang.org/x/crypto from 0.7.0 to 0.17.0

...exactly the same as from the GoLand IDE. Is it possible to upgrade to versions that are considered secure?

lubux (Member) commented May 3, 2024

Hi 👋 You could switch to the 2.8.0 pre-release, which bumps the versions of the dependencies.

bssth (Author) commented May 3, 2024

> Hi 👋 You could switch to the 2.8.0 pre-release, which bumps the versions of the dependencies.

Hi! Kindly tell me if it is stable enough to use. Thanks for the fast response!

bssth (Author) commented May 3, 2024

Problem with circl gone, but I have another one:
image

lubux (Member) commented May 6, 2024

> Hi! Kindly tell me if it is stable enough to use.

Yes, the pre-release can be used. It adds support for the OpenPGP crypto-refresh if enabled, which is not fully published yet. This is why it is still a pre-release.

> Problem with circl gone, but I have another one:

GopenPGP does not rely on the SSH features in x/crypto, so it is fine:
golang/crypto@v0.17.0...v0.23.0

bssth (Author) commented May 6, 2024

> GopenPGP does not rely on the SSH features in x/crypto, so it is fine: golang/crypto@v0.17.0...v0.23.0

So it's not used, just an indirect dependency of another dependency which is not used in your project?
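The question above (is x/crypto a direct requirement, or pulled in transitively?) can be answered from `go mod graph` output. The following is an added example, not code from GopenPGP or from the thread: it walks a constructed `go mod graph` dump for a hypothetical module `example.com/myapp` (the graph, its versions and the app name are assumptions) and prints the shortest requirement chain to a given module.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output for a hypothetical app that
// requires GopenPGP; the versions are illustrative, not a real resolution.
const sampleGraph = `example.com/myapp github.com/ProtonMail/gopenpgp/v2@v2.8.0-pre
github.com/ProtonMail/gopenpgp/v2@v2.8.0-pre github.com/cloudflare/circl@v1.3.7
github.com/ProtonMail/gopenpgp/v2@v2.8.0-pre golang.org/x/crypto@v0.17.0
github.com/cloudflare/circl@v1.3.7 golang.org/x/crypto@v0.17.0
`

// DependencyPath breadth-first searches the "from to" edges of a go mod graph
// dump and returns the shortest chain from root to the first node whose module
// path (version stripped) equals target, or nil if target is not required.
// A chain of length 2 means target is a direct requirement of root.
func DependencyPath(graph, root, target string) []string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	prev := map[string]string{root: ""} // node -> node it was reached from
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if path, _, _ := strings.Cut(cur, "@"); path == target {
			var chain []string
			for n := cur; n != ""; n = prev[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	for _, dep := range []string{"golang.org/x/crypto", "github.com/cloudflare/circl"} {
		fmt.Println(dep, "<-", DependencyPath(sampleGraph, "example.com/myapp", dep))
	}
}
```

Presence in the module graph is not the same as reachability: to check whether the vulnerable symbols (here, x/crypto's SSH code) are actually called, run `govulncheck ./...`, which reports only findings reachable from your code.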

@lubux lubux added the v2 Targeting GopenPGP v2 label Jun 21, 2024