cmd/go: command to find minimum version with no known CVE #50409
Is it possible to introduce a `go mod` command/feature that can look at data from deps.dev and automatically use the minimum version that does NOT have a known CVE? With the prevalence of code scanners, we keep getting alerts regarding CVEs. Currently the process to fix such alerts requires a lot of manual work. If `go mod` can automate some of this, that will be much appreciated. As an example, npm has an `npm audit fix` command that does similar things for js projects. Thanks!
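
The selection the request describes can be sketched as follows. This is an added example, not part of the original issue and not code from the Go project: the `Range` type, `MinSafe`, the version list and the advisory ranges are all hypothetical, constructed stand-ins for what a vulnerability data source would supply, and versions are assumed to be plain `vX.Y.Z` with no pre-release suffix.

```go
package main

import "fmt"

// Range is one advisory's affected interval [Introduced, Fixed).
// An empty Fixed means no fixed release exists yet.
type Range struct{ Introduced, Fixed string }

// cmp returns <0, 0 or >0 as a sorts before, equal to or after b.
// Fields are compared numerically, so v1.10.0 sorts after v1.9.0.
func cmp(a, b string) int {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] - y[i]
		}
	}
	return 0
}

// affected reports whether any advisory range covers v.
func affected(v string, advisories []Range) bool {
	for _, r := range advisories {
		if cmp(v, r.Introduced) >= 0 && (r.Fixed == "" || cmp(v, r.Fixed) < 0) {
			return true
		}
	}
	return false
}

// MinSafe returns the lowest available version that is not older than
// current and is covered by no advisory. It never downgrades.
func MinSafe(current string, available []string, advisories []Range) (best string, ok bool) {
	for _, v := range available {
		if cmp(v, current) >= 0 && !affected(v, advisories) && (!ok || cmp(v, best) < 0) {
			best, ok = v, true
		}
	}
	return
}

func main() {
	// Constructed sample data, not real advisories.
	adv := []Range{{"v1.0.0", "v1.2.1"}, {"v1.2.1", "v1.3.1"}}
	fmt.Println(MinSafe("v1.2.0", []string{"v1.4.0", "v1.2.1", "v1.3.1", "v1.3.0"}, adv))
}
```

With this data the release that fixes the first advisory (v1.2.1) falls inside the second advisory's range, so the answer is v1.3.1 rather than the first "fixed" version a scanner alert would name.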