pion
Update module golang.org/x/crypto to v0.45.0 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| golang.org/x/crypto | v0.32.0 -> v0.45.0 |
GitHub Vulnerability Alerts
CVE-2025-22869
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-58181
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
CVE-2025-47914
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
ℹ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):
- 1 additional dependency was updated
- The
godirective was updated for compatibility reasons
Details:
| Package | Change |
|---|---|
golang.org/x/net |
v0.34.0 -> v0.47.0 |
go |
1.21 -> 1.24.0 |
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 81.27%. Comparing base (7a57e26) to head (f371b0e).
Additional details and impacted files
@@ Coverage Diff @@
## master #756 +/- ##
==========================================
- Coverage 81.34% 81.27% -0.08%
==========================================
Files 101 101
Lines 5602 5602
==========================================
- Hits 4557 4553 -4
- Misses 672 675 +3
- Partials 373 374 +1
| Flag | Coverage Δ | |
|---|---|---|
| go | 81.27% <ø> (-0.08%) |
:arrow_down: |
Flags with carried forward coverage won't be shown. Click here to find out more.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
:rocket: New features to boost your workflow:
- :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
We are not using the SSH package provided by the crypto library, so we are not affected by these vulnerabilities. This also requires us to upgrade the minimum go version to 1.24.0, which we are not doing yet.
ℹ️ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):
- 1 additional dependency was updated
- The
godirective was updated for compatibility reasons
Details:
| Package | Change |
|---|---|
golang.org/x/net |
v0.34.0 -> v0.47.0 |
go |
1.21 -> 1.24.0 |