Open Tang8330 opened 3 weeks ago
Do the CVEs really affect this app or do they just happen to exist in an unrelated/unused API surface in Go?
Not sure, but given it's just a Go upgrade, I don't see why we wouldn't just address them.
At least one of those has already been brought up here: https://github.com/FiloSottile/age/pull/409#issuecomment-1103827329.
The more general point of "why not just bump" is also addressed in places like here: https://github.com/FiloSottile/age/pull/458#issuecomment-1292662263.
I understand the position of not wanting to bump for the sake of bumping a CVE that may not actually impact age, thus generating busywork.
However, how do you plan to actually tackle triaging to ensure that appropriate CVEs are being addressed, and to provide a rationale for why particular CVEs that have been flagged are being purposefully ignored?
Upgrading Go to address CVEs stemming from stdlib