Problem
Any application that depends on this library will indirectly require golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
Currently mongo uses this library in its Go driver, which my library uses, resulting in security warnings.
Proposal
Bumping golang.org/x/crypto to at least version 0.21.0 will patch:
- CVE-2023-48795 5.9 Insufficient Verification of Data Authenticity vulnerability with Medium severity found
- CVE-2023-42818 9.8 Improper Restriction of Excessive Authentication Attempts vulnerability with High severity found
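
A check a dependent project could run against its own go.mod for the version floor named in the proposal, as an added example (not code from this issue or from the library). The sample go.mod, the module path example.com/app and the helper names `parse` and `belowMinimum` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.mod; example.com/app is a hypothetical module path.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect\n)\n"

// parse reads major.minor.patch from a module version and reports whether it has a
// "-" suffix (pre-release or pseudo-version), which sorts before the bare version.
func parse(v string) (n [3]int, pre bool, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, strings.Contains(v, "-"), err
}

// belowMinimum scans go.mod text for a requirement on module and returns the
// version found and whether it is older than minVer. found is "" if not required.
func belowMinimum(gomod, module, minVer string) (found string, below bool, err error) {
	want, _, err := parse(minVer)
	if err != nil {
		return "", false, err
	}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) < 2 || f[0] != module || f[1] == "=>" {
			continue // not a require line for this module (or a replace entry)
		}
		have, pre, err := parse(f[1])
		if err != nil {
			return f[1], false, err
		}
		for i := range have {
			if have[i] != want[i] {
				return f[1], have[i] < want[i], nil
			}
		}
		return f[1], pre, nil // same major.minor.patch: only a "-" suffix is older
	}
	return "", false, nil
}

func main() {
	v, below, err := belowMinimum(sampleGoMod, "golang.org/x/crypto", "v0.21.0")
	fmt.Println(v, below, err)
}
```

This reads only the requirement recorded in go.mod; `go list -m all` shows the version actually selected for the build.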