Closed joaopapereira closed 1 year ago
What is a "false negative", and how does bumping a dependency that you already determined does not affect this library make it more secure?
age is not affected by CVE-2022-29526.
My firm position is that upgrading everything that depends on a widely used module every time it publishes a vulnerability affecting a small subset of users is counter-productive, as it discourages publishing vulnerabilities and generates busywork.
During a trivy scan, a vulnerability was found (https://avd.aquasec.com/nvd/2022/cve-2022-29526/) in the age library. This doesn't look like it impacts the library itself, but we are bumping this dependency to ensure we do not have false negatives.