
Request module update to resolve security issues

Open minias opened this issue 1 year ago • 1 comments

I'm using the package well, thank you. Module update is required as below.

https://github.com/andybalholm/cascadia/blob/25c629490fd844d79a0e8e0d6e880f90915153bc/go.mod#L5

golang.org/x/net v0.27.0

CVE-2023-39325

Please delete the checksum contents of the package that you are no longer using in the go.sum file.

https://github.com/andybalholm/cascadia/blob/25c629490fd844d79a0e8e0d6e880f90915153bc/go.sum#L2-L3

https://github.com/andybalholm/cascadia/blob/25c629490fd844d79a0e8e0d6e880f90915153bc/go.sum#L6-L21


minias avatar Jul 15 '24 08:07 minias

I'm not really opposed to updating the dependencies, but the CVE you linked does not affect Cascadia, because it doesn't use HTTP.

andybalholm avatar Jul 15 '24 15:07 andybalholm

Hello,

Similar to the original request, the golang.org/x/crypto packages are setting off this CVE

https://nvd.nist.gov/vuln/detail/CVE-2024-45337

Would it be possible to update the dependencies?

raymond-bang avatar Dec 17 '24 16:12 raymond-bang
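
The triage question raised in this thread, whether a CVE in a dependency module matters when only some of that module's packages are imported, as an added Go example (not code from cascadia or from any participant here). The CVE-to-package mapping comes from the public advisories rather than from this page, and the sample source is constructed for the illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Packages affected by each CVE (mapping added for this example).
var affected = map[string][]string{
	"CVE-2023-39325": {"net/http", "golang.org/x/net/http2"},
	"CVE-2024-45337": {"golang.org/x/crypto/ssh"},
}

// Constructed sample: a file that uses only the HTML parser from x/net.
const sampleSrc = "package sel\nimport (\n\"strings\"\n\"golang.org/x/net/html\"\n)\n"

// importsOf returns the import paths declared in one Go source file.
func importsOf(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, spec := range f.Imports {
		p, _ := strconv.Unquote(spec.Path.Value) // parser guarantees a valid string literal
		paths = append(paths, p)
	}
	return paths, nil
}

// directHits maps each CVE to the imports that fall in an affected package.
func directHits(imports []string) map[string][]string {
	hits := map[string][]string{}
	for cve, pkgs := range affected {
		for _, imp := range imports {
			for _, pkg := range pkgs {
				if imp == pkg || strings.HasPrefix(imp, pkg+"/") {
					hits[cve] = append(hits[cve], imp)
				}
			}
		}
	}
	return hits
}

func main() {
	imps, err := importsOf(sampleSrc)
	fmt.Println(imps, directHits(imps), err)
}
```

This checks direct imports of a single file only; `govulncheck` performs the same kind of triage across the whole dependency graph using call-graph analysis.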