jackc / pgconn

MIT License

Dependency text 0.3.6 has a vulnerability #103

Closed Akaame closed 2 years ago

Akaame commented 2 years ago

Hello,

Our vulnerability scanner (Snyk) points out that PGX and co. are vulnerable due to golang.org/x/text not being on the latest version, 0.3.7.

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/secure/precis@0.3.6
  From: golang.org/x/text/secure/precis@0.3.6 > golang.org/x/text/language@0.3.6 > golang.org/x/text/internal/language@0.3.6
  From: golang.org/x/text/secure/precis@0.3.6 > golang.org/x/text/language@0.3.6 > golang.org/x/text/internal/language/compact@0.3.6 > golang.org/x/text/internal/language@0.3.6
  From: golang.org/x/text/secure/precis@0.3.6 > golang.org/x/text/cases@0.3.6 > golang.org/x/text/language@0.3.6 > golang.org/x/text/internal/language@0.3.6
  and 3 more...
  Fixed in: 0.3.7

What is the procedure going forward? Will there be a v1.11.1? Is this issue already voiced in one of the sister projects?

Cheers.

jackc commented 2 years ago

After reviewing how that library is actually used in pgconn it does not appear that the issue can be triggered through pgconn. I've still upgraded the dependency anyway to make vulnerability scanners happy. But since it isn't actually a security issue I don't plan on doing a tagged release just for this.
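As an added illustration of the "upgrade it so scanners stop flagging it" step in the reply above (example code, not part of the issue thread or of pgconn), the following POSIX shell snippet gates a build on the minimum `golang.org/x/text` version the Snyk report names. It reads `go list -m all` style output (the sample module list embedded below is constructed, not the real pgconn module graph), resolves the version of one module and compares it against the fixed version with a plain vX.Y.Z comparison. Pseudo-versions such as `v0.0.0-2020...` compare by their base version only, and `replace`d modules (three-field lines) are skipped; both are limitations of this helper, not of Go tooling.

```shell
#!/bin/sh
# Added example: fail a CI step when a Go module is below a required version.
# Constructed sample of `go list -m all` output (hypothetical, not pgconn's real graph).
SAMPLE_MODLIST='github.com/example/project
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
golang.org/x/text v0.3.6
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1'

# semver_ge A B: exit 0 when A >= B, comparing the numeric X.Y.Z parts only.
# Pseudo-version suffixes ("-20200804...") are ignored by the +0 coercion.
semver_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# check_module_min MODULE MINVER: reads `go list -m all` output on stdin.
# Exit 0 = present and >= MINVER, 1 = present but older, 2 = not in the graph.
# Only two-field lines are considered, so "old => new" replace lines are skipped.
check_module_min() {
  ver=$(awk -v m="$1" '$1 == m && NF == 2 { print $2 }')
  [ -n "$ver" ] || return 2
  semver_ge "$ver" "$2"
}

# Usage on a real project:  go list -m all | check_module_min golang.org/x/text v0.3.7
# Demonstration on the constructed sample (v0.3.6 is below the fixed version):
if printf '%s\n' "$SAMPLE_MODLIST" | check_module_min golang.org/x/text v0.3.7; then
  echo "golang.org/x/text is at or above v0.3.7"
else
  echo "golang.org/x/text is below v0.3.7 or absent: run 'go get golang.org/x/text@v0.3.7 && go mod tidy'"
fi
```

A version gate like this only answers the question the scanner asks (is the dependency old?), not the one the maintainer answered (is the vulnerable code reachable from this project?). The `govulncheck` tool from golang.org/x/vuln performs that second, call-graph based check and is the tool to reach for before deciding whether a flagged dependency warrants a tagged release.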