Request: Bump Go toolchain and golang.org/x/crypto to remediate multiple CVEs #791
Description
Hello gnmic maintainers,
Our security scanning identified that the current build is using:
- Go 1.24.7
- golang.org/x/crypto v0.43.0
Both are affected by multiple high-severity CVEs:
Go toolchain (1.24.7):
- CVE-2025-58185 → fixed in v1.24.8
- CVE-2025-58186 → fixed in v1.24.8
- CVE-2025-58183 → fixed in v1.24.8
- CVE-2025-58188 → fixed in v1.24.8
- CVE-2025-61723 → fixed in v1.24.8
- CVE-2025-61724 → fixed in v1.24.8
- CVE-2025-58187 → fixed in v1.24.9
- CVE-2025-61727 → fixed in v1.24.11
- CVE-2025-61729 → fixed in v1.24.11
golang.org/x/crypto v0.43.0:
- CVE-2025-47914 → fixed in v0.45.0
- CVE-2025-58181 → fixed in v0.45.0
Recommended remediation:
- Upgrade Go to >= 1.24.11
- Upgrade golang.org/x/crypto to >= v0.45.0
Would you be open to bumping these versions?
Thank you for maintaining gnmic.