Describe the bug
I don't think that tusd uses crypto/ssh (and is therefore not really subject to this CVE); however, from a static analysis standpoint it'd be nice if we could pull in a version of this library that isn't flagged as vulnerable.
I'm not super familiar with golang, so not sure how hard this is to do, as this is a dependency of a dependency.
To Reproduce
See https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-551923
To be honest, I am not an expert with Go dependencies. I tried to follow the steps in https://medium.com/@majdasab/how-to-upgrade-an-indirect-dependency-in-golang-988751f92a6e to require a version of crypto that fixes this issue, but the Go toolchain always overwrites my changes. So maybe we already use a new enough version. But I personally do not know how to tackle this.
@Acconut thank you so much for looking into this. I've also chatted with golang folks at my company and it sounds like this is not really possible (and is a widespread issue in the go ecosystem). I'm going to close this for now. Thanks again for looking into it ❤️
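The step the thread is stuck on, raising an indirect Go module to a fixed version and checking which version the build actually selects, as an added example that is not code from tusd or from anyone in the issue. The fixed golang.org/x/crypto version for this advisory is not stated on the page, so it is passed in as an argument rather than hard-coded; the `go list -m all` output used for the offline check is a constructed sample with made-up versions; `bump_module` needs a module checkout and network access. In Go modules, `go get path@version` records the requirement in go.mod (marked `// indirect` when nothing in the module imports it directly) and minimal version selection then uses that version for the whole build, which is the supported way to move a dependency of a dependency.

```shell
#!/bin/sh
# Added example, not code from tusd or from the issue thread: raise an indirect
# Go dependency (golang.org/x/crypto) to a fixed version and verify the result.
# The fixed version is not stated in the thread, so it is passed in as an argument.
set -eu

MODULE="golang.org/x/crypto"

# Constructed sample of `go list -m all` output (module path, then the version the
# build selected; the first line is the main module). The versions are made up.
SAMPLE_GO_LIST='github.com/example/app
github.com/example/dep v1.4.0
golang.org/x/crypto v0.0.0-20190101000000-bbbbbbbbbbbb
golang.org/x/sys v0.0.0-20190102000000-cccccccccccc'

# Print the version selected for module $1, reading `go list -m all` on stdin.
# Fails when the module is not in the build list at all.
resolved_version() {
  awk -v m="$1" '$1 == m { print $2; found = 1 } END { exit !found }'
}

# Exit 0 when version $1 is at least version $2. Handles tagged versions
# (v1.2.3) and pseudo-versions (v0.0.0-20190101000000-bbbbbbbbbbbb):
# MAJOR.MINOR.PATCH compare numerically, a release outranks any prerelease of
# the same core, and two prereleases compare as text, which orders
# pseudo-version timestamps correctly. A "+incompatible" suffix is ignored.
version_ge() {
  awk -v a="$1" -v b="$2" '
    function norm(v,    p, pre) {
      sub(/^v/, "", v); sub(/[+].*$/, "", v)
      p = index(v, "-")
      if (p) { pre = substr(v, p + 1); v = substr(v, 1, p - 1) } else pre = ""
      gsub(/\./, " ", v)
      return v " " pre
    }
    BEGIN {
      split(norm(a), x, " "); split(norm(b), y, " ")
      for (i = 1; i <= 3; i++)
        if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
      if ((x[4] == "") != (y[4] == "")) exit !(x[4] == "")
      exit !(x[4] >= y[4])
    }'
}

# Report whether the selected version of module $1 (go list -m all on stdin)
# is at least $2; returns 1 when it is below, 2 when the module is absent.
check_fixed() {
  have=$(resolved_version "$1") || { echo "$1: not in the build list" >&2; return 2; }
  if version_ge "$have" "$2"; then
    echo "$1 $have: at or above $2"
  else
    echo "$1 $have: below $2; run bump_module $1 $2"
    return 1
  fi
}

# Run inside the module's checkout (needs network). `go get path@version`
# records the requirement in go.mod (marked // indirect when nothing in the
# module imports it directly) and minimal version selection then uses that
# version for the whole build, so hand-editing go.mod is not needed.
bump_module() {
  go get "$1@$2"
  go mod tidy
  go list -m all | check_fixed "$1" "$2"
}

# Usage: sh check_dep.sh FIXED_VERSION   (offline check against the sample above)
if [ -n "${1:-}" ]; then
  printf '%s\n' "$SAMPLE_GO_LIST" | check_fixed "$MODULE" "$1"
fi
```

Two related commands answer the questions raised in the thread: `go mod why -m golang.org/x/crypto` prints the import chain that pulls the module in (the "dependency of a dependency"), and `govulncheck ./...` from golang.org/x/vuln reports only vulnerabilities whose affected functions are reachable from the module's own code, which is the check behind the reporter's point that tusd does not use crypto/ssh, whereas a dependency scanner matches on module versions alone.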