Skip to content

upgrade golang.org/x/crypto to 0.45.0 #35988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 20, 2025
Merged

upgrade golang.org/x/crypto to 0.45.0 #35988

merged 2 commits into from
Nov 20, 2025
+7 −7

Conversation

@lunny
Copy link
Member

@lunny lunny commented Nov 20, 2025

Backport #35985

@GiteaBot GiteaBot added this to the 1.25.2 milestone Nov 20, 2025
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 20, 2025
@lunny lunny added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/dependencies labels Nov 20, 2025
@lunny lunny mentioned this pull request Nov 20, 2025
Open
@silverwind
Copy link
Member

silverwind commented Nov 20, 2025
edited
Loading

Odd, https://pkg.go.dev/vuln/GO-2025-4134 is marked as "all versions, no known fixed", see discussion in golang/vulndb#4143.

@johnsonjh
Copy link

johnsonjh commented Nov 20, 2025
edited
Loading

govulncheck is clearly incorrect and directly contradicts the security announcement from Google. Blocking this upgrade actually keeps you vulnerable to the two CVEs.

@silverwind
Copy link
Member

silverwind commented Nov 20, 2025

Yeah we should either wait for the vulndb fix or merge open PRs while ignoring vulncheck. There's currently still no way to suppress individual vulns (golang/go#59507).

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 20, 2025
@lunny
Copy link
Member Author

lunny commented Nov 20, 2025

I think we can merge this one while ignoring vulncheck. I have done that in #35985

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 20, 2025
@silverwind
Copy link
Member

silverwind commented Nov 20, 2025

vulncheck was fixed

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 20, 2025
@techknowlogick techknowlogick merged commit 5e7207d into go-gitea:release/v1.25 Nov 20, 2025
26 checks passed
@lunny lunny deleted the lunny/backport_35985 branch November 20, 2025 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind approved these changes

+1 more reviewer

@Zettat123 Zettat123 Zettat123 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/dependencies topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Projects

None yet

Milestone

1.25.2

Development

Successfully merging this pull request may close these issues.

6 participants

@lunny @silverwind @johnsonjh @Zettat123 @techknowlogick @GiteaBot