⚠️ Outdated golang.org/x/crypto Dependency
This repository is currently using golang.org/x/crypto v0.42.0 but the latest version is v0.47.0.
Last scanned: 2026-01-22 06:22 UTC
Why Update?
Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.
🔒 Security Vulnerabilities Fixed in Newer Versions
The following CVEs have been addressed in versions after v0.42.0:
- CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
- CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)
🤖 Recommendation: Enable Dependabot
This repository does not appear to have Dependabot configured. We recommend enabling Dependabot to automatically keep your go.mod dependencies up-to-date and receive security alerts.
To enable Dependabot, create a .github/dependabot.yml file:
```yaml
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```

See GitHub Dependabot documentation for more details.
📋 How to Update
Run the following command to update:
```bash
go get golang.org/x/crypto@v0.47.0
go mod tidy
```

Then run your tests and submit a PR with the changes.
🔗 Central Tracking
This issue is part of an organization-wide effort to keep golang.org/x/crypto dependencies up-to-date.
See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59
This issue is automatically managed by the xcrypto-lookup.sh scanner.