alexedwards / argon2id

Argon2id password hashing and verification for Go
MIT License
452 stars, 44 forks

golang.org/x/crypto dep should be updated #2

Closed buffge closed 2 years ago

buffge commented 4 years ago

Vulnerabilities

DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 results in the following vulnerability(s):

alexedwards commented 4 years ago

Thanks for this.

This package has golang.org/x/crypto v0.0.0-20190605123033 as a dependency, so I thought that it was a bit strange that this was being flagged.

But it looks like golang.org/x/crypto v0.0.0-20190605123033 has golang.org/x/net v0.0.0-20190404232315 as a dependency, which in turn has golang.org/x/crypto v0.0.0-20190308221718 as a dependency (see here). And that's the source of the warning.

So the fix for this is that the golang.org/x/net dep needs to be upgraded.

I'll keep this open until that happens.

But it looks like the vuln relates to the golang.org/x/crypto/salsa20 package only, which isn't used by argon2id, so this package isn't actually affected anyway.
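The chain traced in the comment above (argon2id requires x/crypto, which requires an x/net that requires the old, flagged x/crypto) is exactly the kind of path a scanner like DepShield reports without showing. The Go program below is an added example, not part of the argon2id project or this issue: it parses `go mod graph` output (one `parent child` edge per line, nodes written as `module@version`, the main module without a version) and walks it to print every requirement path from the main module to a flagged module version. The graph text is constructed by hand from the versions quoted in the issue (real `go mod graph` pseudo-versions carry a trailing commit hash that the issue abbreviates away), and the `golang.org/x/sys` and `golang.org/x/text` edges are assumed for illustration only.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output; the
// versions follow the abbreviated forms quoted in the issue, and the x/sys
// and x/text edges are assumed, not taken from the real module graph.
const sampleGraph = `github.com/alexedwards/argon2id golang.org/x/crypto@v0.0.0-20190605123033
golang.org/x/crypto@v0.0.0-20190605123033 golang.org/x/net@v0.0.0-20190404232315
golang.org/x/crypto@v0.0.0-20190605123033 golang.org/x/sys@v0.0.0-20190412213103
golang.org/x/net@v0.0.0-20190404232315 golang.org/x/crypto@v0.0.0-20190308221718
golang.org/x/net@v0.0.0-20190404232315 golang.org/x/text@v0.3.0
`

// ModuleGraph maps each module@version node to the nodes it requires.
type ModuleGraph map[string][]string

// ParseGraph parses `go mod graph` output: one "parent child" edge per
// line. Blank or malformed lines are skipped.
func ParseGraph(out string) ModuleGraph {
	g := ModuleGraph{}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// FindPaths returns every requirement chain from root to a node whose name
// starts with target (pass "module@version" to pin a single flagged
// version, or just "module" to find any version). Nodes already on the
// current path are not revisited, so cyclic graphs terminate.
func FindPaths(g ModuleGraph, root, target string) [][]string {
	var paths [][]string
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		if strings.HasPrefix(node, target) {
			paths = append(paths, path)
			return
		}
		for _, child := range g[node] {
			if onPath[child] {
				continue
			}
			onPath[child] = true
			// Copy before appending so sibling branches never share a backing array.
			next := append(append([]string(nil), path...), child)
			walk(child, next, onPath)
			delete(onPath, child)
		}
	}
	walk(root, []string{root}, map[string]bool{root: true})
	return paths
}

func main() {
	g := ParseGraph(sampleGraph)
	flagged := "golang.org/x/crypto@v0.0.0-20190308221718"
	for _, p := range FindPaths(g, "github.com/alexedwards/argon2id", flagged) {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

On a real module, pipe `go mod graph` into this instead of the constructed string. The second element of each printed path is the direct dependency that has to move for the flagged version to drop out of the build list; `go mod why -m <module>` answers the same question for one module, and `govulncheck` goes a step further by reporting only vulnerabilities in symbols the code actually calls, which is the distinction the comment above draws about `salsa20`.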

buffge commented 4 years ago

I use the sonatype-depshield app; this issue is what it prompted me about. You can try it. Thanks

alexedwards commented 2 years ago

The current version of golang.org/x/crypto now uses a newer version of golang.org/x/net, and I've upgraded the go.mod accordingly so this can finally be closed :champagne: