Suspected vulnerabilities in dependencies

[bssth]

dependabot complains that some of your library dependencies have known vulnerabilities. This is about github.com/cloudflare/circl and golang.org/x/crypto

Proposes from bot:

• Update github.com/cloudflare/circl from 1.3.3 to 1.3.7
• Update golang.org/x/crypto from 0.7.0 to 0.17.0

..exactly the same as from Goland IDE. Is it possible to upgrade to versions that are considered secure?

[lubux]

Hi 👋 You could switch to the 2.8.0 pre-release, which bumps the versions of the dependencies.

[bssth]

Hi 👋 You could switch to the 2.8.0 pre-release, which bumps the versions of the dependencies.

Hi! Kindly tell me if it is stable enough to use. Thanks for fast response!

[bssth]

Problem with circl gone, but I have another one:

[lubux]

Hi! Kindly tell me if it is stable enough to use.

Yes, the pre-release can be used. It adds support for the OpenPGP crypto-refresh if enabled, which is not fully published yet. This is why it is still a pre-release.

Problem with circl gone, but I have another one:

GopenPGP does not rely on the SSH features in x/crypto, so it is fine:
golang/crypto@v0.17.0...v0.23.0"

[bssth]

GopenPGP does not rely on the SSH features in x/crypto, so it is fine: golang/[email protected]"

So it's not used, just indirect dependency of another dependency which is not used in your project?