Request module update to resolve security issues #63

minias · 2024-07-15T08:00:17Z

I'm using the package well, thank you.
Module update is required as below.

cascadia/go.mod

Line 5 in 25c6294

require golang.org/x/net v0.9.0

golang.org/x/net v0.27.0

CVE-2023-39325

Please delete the checksum contents of the package that you are no longer using in the go.sum file.

cascadia/go.sum

Lines 2 to 3 in 25c6294

    
           golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
        
           golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

cascadia/go.sum

Lines 6 to 21 in 25c6294

    
           golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
        
           golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
        
           golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
        
           golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 
        
           golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= 
        
           golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= 
        
           golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
        
           golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
        
           golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
        
           golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
        
           golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
        
           golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
        
           golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
        
           golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
        
           golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
        
           golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

andybalholm · 2024-07-15T15:45:39Z

I'm not really opposed to updating the dependencies, but the CVE you linked does not affect Cascadia, because it doesn't use HTTP.

raymond-bang · 2024-12-17T16:02:32Z

Hello,

Similar to the original request, the golang.org/x/crypto packages are setting off this CVE

https://nvd.nist.gov/vuln/detail/CVE-2024-45337

Would it be possible to update the dependencies?

andybalholm closed this as completed in cfb7f4e Dec 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Request module update to resolve security issues #63

Request module update to resolve security issues #63

minias commented Jul 15, 2024 •

edited

Loading

andybalholm commented Jul 15, 2024

raymond-bang commented Dec 17, 2024

Request module update to resolve security issues #63

Request module update to resolve security issues #63

Comments

minias commented Jul 15, 2024 • edited Loading

andybalholm commented Jul 15, 2024

raymond-bang commented Dec 17, 2024

minias commented Jul 15, 2024 •

edited

Loading