x/crypto: requires old version of x/net #57245

duncanharris · 2022-12-11T18:10:36Z

Latest golang.org/x/crypto requires v0.3.0 of golang.org/x/net but the latest of the latter is v0.4.0

https://cs.opensource.google/go/x/crypto/+/master:go.mod :

module golang.org/x/crypto

go 1.17

require (
	golang.org/x/net v0.3.0
	golang.org/x/sys v0.3.0
	golang.org/x/term v0.3.0
)

require golang.org/x/text v0.5.0 // indirect

Highlighted because seems to cause my vulnerability checker to report an issue.

The text was updated successfully, but these errors were encountered:

seankhliao · 2022-12-11T20:51:33Z

cc @golang/release

heschi · 2022-12-12T19:06:44Z

Nothing in crypto uses the vulnerable package in net, so I would consider this a false positive from the vulnerability checker. The dependency will be updated in a few weeks when the next versions are tagged, and in the meantime you can upgrade yourself if you want.

gopherbot added this to the Unreleased milestone Dec 11, 2022

seankhliao changed the title ~~x/crypto requires old version of x/net~~ x/crypto: requires old version of x/net Dec 11, 2022

seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 11, 2022

heschi closed this as not planned Won't fix, can't repro, duplicate, stale Dec 12, 2022

golang locked and limited conversation to collaborators Dec 12, 2023

gopherbot added the FrozenDueToAge label Dec 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/crypto: requires old version of x/net #57245

x/crypto: requires old version of x/net #57245

duncanharris commented Dec 11, 2022

seankhliao commented Dec 11, 2022

heschi commented Dec 12, 2022

x/crypto: requires old version of x/net #57245

x/crypto: requires old version of x/net #57245

Comments

duncanharris commented Dec 11, 2022

seankhliao commented Dec 11, 2022

heschi commented Dec 12, 2022