nightshift: dependency-risk — 2 findings (module path mismatch, Go version)

[nightshift-micr]

nightshift: dependency-risk — 2 findings (1 MEDIUM, 1 LOW)

Summary

tailstick has an excellent dependency profile with only 1 external dependency (golang.org/x/crypto v0.49.0). However, there are 2 findings: a module path mismatch and a Go version that may not exist.

Dependency Tree

github.com/tailstick/tailstick
└── golang.org/x/crypto v0.49.0 (scrypt only)

1 direct dependency, 0 indirect dependencies. This is minimal and low-risk.

Findings

1. Module Path Mismatch (MEDIUM)

File: go.mod:1

module github.com/tailstick/tailstick

Actual repo URL: github.com/Microck/tailstick

Impact: go install github.com/Microck/tailstick@latest will fail because the module path doesn't match the repo path. Any external consumers cannot go get this package.

Fix: Update module path to github.com/Microck/tailstick and update all internal imports accordingly.

2. Go Version May Not Exist (LOW)

File: go.mod:3

go 1.25.6

Go 1.25.x has not been released (latest stable is Go 1.24.x as of April 2026). If the project was initialized with a pre-release or beta toolchain, this may work locally but could fail on CI with standard Go toolchains.

Recommendation: Verify the intended Go version and update to a released version if needed.

Positive Security Signals

Check	Status
External dependencies	✅ Only 1 (x/crypto)
x/crypto usage	✅ scrypt only (no ssh, no bcrypt)
Deprecated io/ioutil	✅ Not used
HTTP client timeouts	✅ defaultDeleteDeviceHTTPClient has 15s timeout
exec.Command with user input	✅ No injection risk — commands use fixed args
Supply chain surface	✅ Minimal — 1 dep = 1 attack vector

Known Vulnerabilities in x/crypto

golang.org/x/crypto v0.49.0 is recent and not affected by known CVEs:

• CVE-2024-45337 (ssh): Not using ssh package
• CVE-2024-45338 (html): Not in x/crypto

No action needed for the dependency version itself.

---

Generated by nightshift • dependency-risk analysis