x/net: requires an older x/crypto version without security fix #35798
What version of Go are you using (
The x/net module has only one package that imports something from the x/crypto module. It's the
Still, it's probably a good idea for x/net to require a newer version, in case someone does use that package indirectly.
Vulnerability tracking is an open ecosystem question we are working on, but I don't think it should be x/net's responsibility to pull up the version of x/crypto past a vulnerability in a component that x/net doesn't depend on.
How MVS works is that each module specifies the minimum version of its dependencies it needs to work correctly, and then the go tool will pick the highest in the graph, which is expected to work for everyone thanks to semantic versioning (and the versioned import paths).
I think requiring a security fix is akin to requiring a new API: the module that needs it must specify an explicit dependency in its go.mod. Relying on your transitive dependencies to pull it up is brittle: if tomorrow you remove your dependency on x/net, you'll be silently dropping back to an insecure version of salsa20!
In summary, if your module is using golang.org/x/crypto/salsa20, you need to specify a recent version of x/crypto in your go.mod, for example by running
This is not how it's supposed to work, so if that's happening please open a cmd/go issue with reproduction instructions. You can check the actual final selected version with
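The MVS rule described in the comments above ("pick the highest version of each module anywhere in the graph") and the brittleness it implies are easy to see on a toy requirement graph. The following is an added example written for this page, not code from the thread's participants or from the go tool; the module graph, the main module `example.com/app`, and the three pseudo-versions it uses are constructed for the illustration and are not the real x/crypto or x/net commit identifiers. It implements minimal version selection over an in-memory graph in which x/net requires the fixed x/crypto, then shows that removing x/net from the application's go.mod silently selects the old x/crypto again unless the application requires the fixed version itself.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed pseudo-versions in the format x/crypto and x/net actually use.
// They are made up for this example, not the real commit identifiers.
const (
	cryptoOld   = "v0.0.0-20190101000000-aaaaaaaaaaaa" // hypothetical: predates the salsa20 fix
	cryptoFixed = "v0.0.0-20190601000000-bbbbbbbbbbbb" // hypothetical: first version with the fix
	netVer      = "v0.0.0-20190701000000-cccccccccccc" // hypothetical x/net version
)

// Module is one module@version node; a Graph maps each node to its go.mod
// require list (a node missing from the map has no requirements).
type Module struct{ Path, Version string }
type Graph map[Module][]Module

// splitVersion parses vMAJOR.MINOR.PATCH[-suffix] into the numeric triple and
// the suffix (pre-release tag, or the timestamp-hash tail of a pseudo-version).
func splitVersion(v string) ([3]int, string) {
	core, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, suffix
}

// compareVersions returns -1, 0 or 1: numeric triple first, then a tagged release
// (no suffix) beats any suffix, and pseudo-version suffixes compare as strings,
// which orders them by timestamp. Enough for this graph; not full semver.
func compareVersions(a, b string) int {
	na, sa := splitVersion(a)
	nb, sb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	if sa == "" || sb == "" {
		return strings.Compare(sb, sa) // empty suffix (a tagged release) wins
	}
	return strings.Compare(sa, sb)
}

// Select implements minimal version selection: visit every module version
// reachable from root and keep, per module path, the highest version seen.
func Select(g Graph, root Module) map[string]string {
	selected := map[string]string{}
	seen := map[Module]bool{}
	var visit func(m Module)
	visit = func(m Module) {
		if seen[m] {
			return
		}
		seen[m] = true
		if cur, ok := selected[m.Path]; !ok || compareVersions(m.Version, cur) > 0 {
			selected[m.Path] = m.Version
		}
		for _, dep := range g[m] {
			visit(dep)
		}
	}
	visit(root)
	delete(selected, root.Path)
	return selected
}

// SelectedCrypto builds the constructed graph for an application with the given
// require list and returns the x/crypto version MVS picks. Here x/net requires
// the fixed x/crypto, i.e. the transitive pull-up the comment calls brittle.
func SelectedCrypto(appRequires []Module) string {
	app := Module{"example.com/app", "v0.0.0"} // hypothetical main module
	g := Graph{
		app:                          appRequires,
		{"golang.org/x/net", netVer}: {{"golang.org/x/crypto", cryptoFixed}},
	}
	return Select(g, app)["golang.org/x/crypto"]
}

// HasFix reports whether a selected x/crypto version is at or past the fix.
func HasFix(v string) bool { return compareVersions(v, cryptoFixed) >= 0 }

func main() {
	net := Module{"golang.org/x/net", netVer}
	old := Module{"golang.org/x/crypto", cryptoOld}
	fixed := Module{"golang.org/x/crypto", cryptoFixed}
	show := func(label string, req []Module) {
		v := SelectedCrypto(req)
		fmt.Printf("%-40s x/crypto=%s  has fix: %v\n", label, v, HasFix(v))
	}
	show("app requires old x/crypto and x/net", []Module{old, net})
	show("same app after dropping x/net", []Module{old})
	show("app requires the fixed x/crypto itself", []Module{fixed})
}
```

The second scenario is the failure mode the comment warns about: nothing in the application's own go.mod changed for x/crypto, yet the selected version regressed because the only requirement for the fixed version came from a dependency that is now gone. Only the third scenario is stable under changes elsewhere in the graph. With the real go tool, the build list this function computes is what `go list -m all` prints for the main module.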