
Suspected vulnerabilities in dependencies

Open bssth opened this issue 1 year ago • 5 comments

Dependabot complains that some of your library dependencies have known vulnerabilities. This is about github.com/cloudflare/circl and golang.org/x/crypto

Proposes from bot:

  • Update github.com/cloudflare/circl from 1.3.3 to 1.3.7
  • Update golang.org/x/crypto from 0.7.0 to 0.17.0

...exactly the same as from the GoLand IDE. Is it possible to upgrade to versions that are considered secure?

bssth avatar May 03 '24 05:05 bssth

Hi 👋 You could switch to the 2.8.0 pre-release, which bumps the versions of the dependencies.

lubux avatar May 03 '24 15:05 lubux

> Hi 👋 You could switch to the 2.8.0 pre-release, which bumps the versions of the dependencies.

Hi! Kindly tell me if it is stable enough to use. Thanks for fast response!

bssth avatar May 03 '24 15:05 bssth

Problem with circl gone, but I have another one: [image]

bssth avatar May 03 '24 15:05 bssth

> Hi! Kindly tell me if it is stable enough to use.

Yes, the pre-release can be used. It adds support for the OpenPGP crypto-refresh if enabled, which is not fully published yet. This is why it is still a pre-release.

> Problem with circl gone, but I have another one:

GopenPGP does not rely on the SSH features in x/crypto, so it is fine: https://github.com/golang/crypto/compare/v0.17.0...v0.23.0

lubux avatar May 06 '24 14:05 lubux

> GopenPGP does not rely on the SSH features in x/crypto, so it is fine: golang/[email protected]

So it's not used, just indirect dependency of another dependency which is not used in your project?

bssth avatar May 06 '24 16:05 bssth
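The question in the last comment (is the flagged code actually reachable, or is it an indirect dependency nobody imports?) can be answered from the build graph rather than from the module list Dependabot looks at. The script below is an added example, not code from the gopenpgp project or from anyone in this thread. It assumes a Go toolchain is installed and that the real package list comes from `go list -deps ./...` run inside the module; the sample list embedded here is constructed for illustration and is not the actual dependency graph of gopenpgp.

```shell
#!/bin/sh
# Added example (not gopenpgp project code): decide whether a package from a
# module flagged by a vulnerability scanner is actually part of the build.
#
# Real usage, from inside the Go module directory (assumes `go` is installed):
#   deps="$(go list -deps ./...)"
#   reachable_pkg "$deps" golang.org/x/crypto/ssh && echo "ssh IS compiled in"
#
# To see which of your own packages pull in the module at all (indirect or not):
#   go mod why -m golang.org/x/crypto

# reachable_pkg DEPS PKG
#   DEPS: output of `go list -deps ./...`, one import path per line.
#   PKG:  import path to look for, e.g. golang.org/x/crypto/ssh.
#   Returns 0 if PKG itself or any sub-package of it is in the build graph,
#   1 otherwise. Uses a for loop (not a pipeline) so `return` works in POSIX sh.
reachable_pkg() {
    deps="$1"
    pkg="$2"
    for line in $deps; do
        case "$line" in
            "$pkg"|"$pkg"/*) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of `go list -deps ./...` output for a project that uses an
# OpenPGP library: x/crypto primitives are present, the ssh package is not.
SAMPLE_DEPS='github.com/ProtonMail/go-crypto/openpgp
github.com/cloudflare/circl/dh/x25519
golang.org/x/crypto/argon2
golang.org/x/crypto/curve25519
golang.org/x/crypto/sha3'

# verdict PKG: prints "reachable" or "not reachable" for PKG against SAMPLE_DEPS.
verdict() {
    if reachable_pkg "$SAMPLE_DEPS" "$1"; then
        echo "reachable"
    else
        echo "not reachable"
    fi
}

# Stand-alone demo: the module as a whole is in the graph, the ssh package is not.
echo "golang.org/x/crypto     : $(verdict golang.org/x/crypto)"
echo "golang.org/x/crypto/ssh : $(verdict golang.org/x/crypto/ssh)"
```

A "reachable" result for the specific package named in the advisory is what turns a Dependabot module-level alert into a real exposure; a "not reachable" result supports the "not used" reading, but the dependency should still be bumped so the scanner stops flagging it. For a proper answer that also follows call graphs inside the package, `govulncheck ./...` from golang.org/x/vuln does the same reachability analysis against the Go vulnerability database.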