
fix(sec): upgrade golang.org/x/net to 0.7.0 #26926

Closed

Conversation

chncaption

What happened?

There is 1 security vulnerability found in golang.org/x/net v0.4.0

What did I do?

Upgrade golang.org/x/net from v0.4.0 to 0.7.0 for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

holiman (Contributor) commented Mar 20, 2023

I'm not sure how you did this upgrade -- did you just manually modify the file?

golang.org/x/net v0.7.0 // indirect

As you see, this is an indirect dependency, meaning that we require something that pulls this dependency in. If we want to upgrade this component, the right thing to do is to find the dependency which pulls this in, and update that one.

I looked at it a little bit earlier, and was a bit surprised at how non-trivial that turned out to be (maybe just me being stupid). Going to close this, feel free to open a new one if you figure out the correct way to do it.

@holiman holiman closed this Mar 20, 2023
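A worked illustration of the approach holiman describes (find the dependency that pulls the indirect module in, then update that one), added here as an example and not code from this PR or from the project. The program parses the line format printed by `go mod graph` and walks the requirement edges backwards from golang.org/x/net to the main module, reporting the direct dependency that would have to be bumped. The graph text is a constructed sample embedded in the block; every module name in it other than golang.org/x/net is a hypothetical placeholder. On a real checkout the same answer comes from `go mod why -m golang.org/x/net` or from piping `go mod graph` into this parser.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the line format printed by `go mod graph`:
// "<requirer>@<version> <requirement>@<version>", with the main module
// listed without a version. Every module here except golang.org/x/net
// is a hypothetical placeholder chosen to illustrate a transitive chain.
const sampleGraph = `example.com/app github.com/example/rpcclient@v1.2.0
example.com/app golang.org/x/crypto@v0.5.0
github.com/example/rpcclient@v1.2.0 github.com/example/httpkit@v0.9.1
github.com/example/httpkit@v0.9.1 golang.org/x/net@v0.4.0
golang.org/x/crypto@v0.5.0 golang.org/x/sys@v0.4.0
`

// edge is one requirement line: from requires to (both may carry @version).
type edge struct{ from, to string }

// Graph holds the reverse view of the module graph: for each module path,
// the edges that require it. Keying by path (not path@version) matters
// because minimal version selection can list one module at several versions.
type Graph struct {
	Main    string            // main module (printed without a version)
	Reverse map[string][]edge // module path -> edges whose target is that path
}

// modulePath strips the @version suffix from a go mod graph node.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ParseGraph reads `go mod graph` text into a Graph. Malformed lines are skipped.
func ParseGraph(text string) Graph {
	g := Graph{Reverse: map[string][]edge{}}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		if !strings.Contains(f[0], "@") {
			g.Main = f[0]
		}
		to := modulePath(f[1])
		g.Reverse[to] = append(g.Reverse[to], edge{from: f[0], to: f[1]})
	}
	return g
}

// ChainTo walks requirers upward from target (a module path) with a
// breadth-first search and returns the shortest chain from the main module
// down to the versioned target, or nil when nothing in the graph requires it.
func (g Graph) ChainTo(target string) []string {
	type item struct {
		path  string
		chain []string // chain from this node down to target
	}
	visited := map[string]bool{target: true}
	queue := []item{{path: target}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, e := range g.Reverse[cur.path] {
			tail := cur.chain
			if tail == nil {
				tail = []string{e.to} // first hop: record the versioned target
			}
			chain := append([]string{e.from}, tail...)
			p := modulePath(e.from)
			if p == g.Main {
				return chain
			}
			if visited[p] {
				continue
			}
			visited[p] = true
			queue = append(queue, item{path: p, chain: chain})
		}
	}
	return nil
}

// BumpCandidate returns the direct dependency of the main module that
// transitively pulls in target; that is the requirement to update. When
// target is itself a direct requirement, it is returned as the candidate.
func (g Graph) BumpCandidate(target string) (string, bool) {
	chain := g.ChainTo(target)
	if len(chain) < 2 {
		return "", false
	}
	return chain[1], true
}

func main() {
	g := ParseGraph(sampleGraph)
	target := "golang.org/x/net"
	fmt.Println("chain:", strings.Join(g.ChainTo(target), " -> "))
	if dep, ok := g.BumpCandidate(target); ok {
		fmt.Printf("update %s so that it requires a fixed %s\n", dep, target)
	}
}
```

Replacing the embedded sample with the real output (`go mod graph > graph.txt`) turns the program into a check that the bumped direct dependency actually moved golang.org/x/net off v0.4.0, rather than only editing the `// indirect` line by hand.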
holiman (Contributor) commented Mar 20, 2023

Previous discussion: #26724
