Bump golang.org/x/crypto from 0.31.0 to 0.35.0 #281
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.31.0 to 0.35.0. - [Commits](golang/crypto@v0.31.0...v0.35.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.35.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
|
@dependabot ignore this minor version sql-migrate is not affected by this, it doesn't have an SSH server. |
|
OK, I won't notify you about version 0.35.x again, unless you re-open this PR. |
dependabot
bot
deleted the
dependabot/go_modules/golang.org/x/crypto-0.35.0
branch
|
@rubenv While it's true that sql-migrate isn't directly affected by this issue, many security scanners still flag high-severity CVEs regardless of usage context. This can create friction for downstream users, especially in environments with strict compliance requirements. Updating the dependency helps avoid those issues with minimal risk. |
|
Sure, agree, but not if it breaks compatibility with previous versions of Go.
If you can submit a PR that bumps this dependency yet doesn't break the tests, I'll merge it immediately.
…On April 15, 2025 1:00:36 PM GMT+02:00, Yevhenii ***@***.***> wrote:
yevheniipererva left a comment (rubenv/sql-migrate#281)
@rubenv While it's true that sql-migrate isn't directly affected by this issue, many security scanners still flag high-severity CVEs regardless of usage context. This can create friction for downstream users, especially in environments with strict compliance requirements. Updating the dependency helps avoid those issues with minimal risk.
--
Reply to this email directly or view it on GitHub:
#281 (comment)
You are receiving this because you were mentioned.
Message ID: ***@***.***>
|
@rubenv, should we care about support go versions that are not maintained anymore?
So it looks like we shouldn't care about about versions < 1.23 |
|
@zyv4yk I removed support for older versions, but 1.23 is a requirement. |
|
ok, I'll try to fix this issue |
Bumps golang.org/x/crypto from 0.31.0 to 0.35.0.
Commits
7292932ssh: limit the size of the internal packet queue while waiting for KEXf66f74bacme/autocert: check host policy before probing the cacheb0784b7x509roots/fallback: drop obsolete build constraint911360call: bump golang.org/x/crypto dependencies of asm generators89ff08dall: upgrade go directive to at least 1.23.0 [generated]e47973ball: update certs for go1.249290511go.mod: update golang.org/x dependenciesfa5273ex509roots/fallback: update bundlea8ea4bessh: add ServerConfig.PreAuthConnCallback, ServerPreAuthConn (banner) interface71d3a4cacme: support challenges that require the ACME client to send a non-empty JSO...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.