x/vuln: Dependent on unmaintained library

[OlafFlebbeBosch]

govulncheck version

Go: go1.24.2
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2025-04-10 16:27:06 +0000 UTC

Does this issue reproduce at the latest version of golang.org/x/vuln?

According to https://github.com/golang/tools/blob/ce1c5d5963f44e413084a90b6e9011d97ba36888/gopls/go.mod#L15 and https://github.com/golang/tools/blob/ce1c5d5963f44e413084a90b6e9011d97ba36888/gopls/internal/vulncheck/vulntest/report.go#L16
it is using the unmaintained https://github.com/go-yaml/yaml ?

Output of go env in your module/workspace:

issue with source not usage

What did you do?

look at source

What did you see happen?

gopkg.in/yaml.v3 is used

What did you expect to see?

different yaml package

[gabyhelp]

Related Issues

• x/vuln: incorrect version is suggested as a fixed version for a vulnerability with multiple packages #54913 (closed)
• x/tools/gopls: broken build with x/vuln@latest #59837 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[prattmic]

cc @golang/vulndb

[zpavlinovic]

The code that you referenced is not in x/vuln.

x/vuln does not rely on the yaml package in question. (It does rely on tools, but not on its part that is using yaml.)