drand / tlock

Timelock Encryption made practical. The Go `tlock` library and the `tle` command line tool, to encrypt towards the future.
Apache License 2.0

tlock-go: 3 dependencies have vulnerabilities #46

Closed CluEleSsUK closed 1 year ago

CluEleSsUK commented 1 year ago

Have looked into this - all are transitive dependencies from drand/drand. Curiously, tlock pulls in the whole of drand rather than just the client, and running go get github.com/drand/drand/client seems to do this. Updating the downstream dependency on quic-go requires an update to a libp2p lib, which I've raised a PR for here
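
A small added example (not code from the tlock or drand projects) of how the "transitive from drand/drand" conclusion above can be reproduced: it walks a `go mod graph` style edge list from the root module to a flagged module and prints the chain, which is the question `go mod why -m <module>` answers. The graph excerpt and its versions are constructed for illustration, not real tlock output.

```go
package main

import "strings"

// Constructed `go mod graph` excerpt (not real tlock output; versions are
// made up). Lines are "parent child"; only the root lacks an @version.
const sampleGraph = `github.com/drand/tlock github.com/drand/drand@v1.0.0
github.com/drand/tlock github.com/drand/kyber@v1.0.0
github.com/drand/drand@v1.0.0 github.com/libp2p/go-libp2p@v0.1.0
github.com/drand/drand@v1.0.0 github.com/drand/kyber@v1.0.0
github.com/libp2p/go-libp2p@v0.1.0 github.com/quic-go/quic-go@v0.1.0`

// moduleName strips the @version suffix so targets match by module path.
func moduleName(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// DependencyPath returns the shortest chain from root to the target module
// path (breadth-first), or nil if unreachable. It answers what `go mod why -m`
// does: is a flagged module direct, or transitive and through which modules?
func DependencyPath(graph, root, target string) []string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	parent := map[string]string{root: ""} // node -> node it was reached from
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if moduleName(cur) == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}
```

Against a real checkout, feed it the output of `go mod graph`; a chain that passes through `github.com/drand/drand` rather than starting at the root confirms the dependency is transitive and that the fix belongs upstream.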

CluEleSsUK commented 1 year ago

Actually, quic-go has already been upgraded in newer versions of drand. I've raised a PR to update tlock-go deps here: https://github.com/drand/tlock/pull/58

AnomalRoil commented 1 year ago

fixed in #58