jpillora / chisel

A fast TCP/UDP tunnel over HTTP
MIT License
12.77k stars 1.35k forks

Vulnerability of dependency "golang.org/x/crypto, golang.org/x/net" #439

Closed Silence-worker-02 closed 1 year ago

Silence-worker-02 commented 1 year ago

Hello, we are a team researching the dependency management mechanism of Golang. During our analysis, we came across your project and noticed that it contains vulnerabilities (CVE-2022-27191, CVE-2021-43565, CVE-2021-44716).

In your project, the golang.org/x/crypto package is being used at version golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e, but the patched version is v0.0.0-20220314234659-1baeb1ce4c0b. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v0.0.0-20220314234659-1baeb1ce4c0b or higher.

The golang.org/x/net package is being used at version golang.org/x/net v0.0.0-20210614182718-04defd469f4e, but the patched version is v0.0.0-20211209124913-491a49abca63. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v0.0.0-20211209124913-491a49abca63 or higher.

Thank you for your attention to this matter.
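A self-contained check for the situation described in the report above, written as an added example and not code from chisel or from the issue's author: it parses a constructed go.mod fragment that carries the versions quoted in the issue, compares each required version against the patched minimum, and renders the `go get` line that would bump them. The sample go.mod, the helper names, and the minimal version comparator (which handles tagged releases and Go pseudo-versions by commit timestamp, not the full semver pre-release grammar) are assumptions of this example; in real projects use `govulncheck ./...` from golang.org/x/vuln and the golang.org/x/mod/semver package rather than a hand-rolled comparator.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// goModSample is a constructed go.mod fragment using the versions quoted in the
// issue; it is an assumption for this example, not chisel's real go.mod.
const goModSample = `module github.com/jpillora/chisel

go 1.17

require (
	github.com/gorilla/websocket v1.4.2 // unrelated module, should be ignored
	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
)
`

// patchedMinimum maps module path to the first fixed version named in the issue.
var patchedMinimum = map[string]string{
	"golang.org/x/crypto": "v0.0.0-20220314234659-1baeb1ce4c0b",
	"golang.org/x/net":    "v0.0.0-20211209124913-491a49abca63",
}

// parseRequires extracts module path -> version from the require directives of a
// go.mod, in both single-line and block form, ignoring // comments.
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
			continue
		case f[0] == "require" && len(f) >= 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) >= 3:
			out[f[1]] = f[2]
		case inBlock && len(f) >= 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// splitVersion turns "v0.0.0-20220314234659-1baeb1ce4c0b" into the numeric core
// [0 0 0] and the pre-release part "20220314234659-1baeb1ce4c0b". Build metadata
// after "+" (e.g. "+incompatible") is dropped, as semver ordering requires.
func splitVersion(v string) ([3]int, string) {
	var core [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre = v[i+1:]
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		core[i] = n
	}
	return core, pre
}

// compareVersions returns -1, 0 or 1. The numeric core is compared first; a tagged
// release outranks any pseudo-version with the same core; two pseudo-versions
// order by their fixed-width 14-digit commit timestamp, so a string compare works.
func compareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] < cb[i] {
			return -1
		}
		if ca[i] > cb[i] {
			return 1
		}
	}
	switch {
	case pa == "" && pb == "":
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// outdated returns the modules in gomod whose required version is below the
// patched minimum, mapped to the version they must be raised to.
func outdated(gomod string, minimum map[string]string) map[string]string {
	need := map[string]string{}
	for mod, have := range parseRequires(gomod) {
		if want, ok := minimum[mod]; ok && compareVersions(have, want) < 0 {
			need[mod] = want
		}
	}
	return need
}

// fixCommand renders the go get invocation that pins every outdated module.
func fixCommand(need map[string]string) string {
	if len(need) == 0 {
		return ""
	}
	args := make([]string, 0, len(need))
	for mod, v := range need {
		args = append(args, mod+"@"+v)
	}
	sort.Strings(args)
	return "go get " + strings.Join(args, " ") + " && go mod tidy"
}

func main() {
	need := outdated(goModSample, patchedMinimum)
	for mod, v := range need {
		fmt.Printf("%-22s needs >= %s\n", mod, v)
	}
	if cmd := fixCommand(need); cmd != "" {
		fmt.Println(cmd)
	}
}
```

Running the example prints both x/crypto and x/net as below the patched minimum and the single `go get ... && go mod tidy` line that fixes them; after that bump, `go list -m all` shows the resolved versions, and `govulncheck ./...` reports only vulnerabilities whose affected symbols are actually reachable from the binary, which is the check that matters more than the go.mod text.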

jpillora commented 1 year ago

Pushing v1.9.0, which should resolve this.