
Conversation

@Starttoaster

Part of #807

@Starttoaster
Author

I saw that you actually have #751 open. My update goes a bit past yours, noting the screenshot from my linked Issue where golang.org/x/crypto is actually vulnerable through 0.31.0. (CVEs are actually fairly consistently found in the crypto lib, so I'm sure even updating to 0.31.0, there would be another CVE to take its place.)

But after seeing your PR I wondered if there's any point to mine. It would be useful to better understand what your strategy is on accepting changes, since yours hasn't been accepted yet. If it's just a free time thing, I can understand that. I'd actually looked to see if you were part of the GitHub partner program, because I'd have liked to help support you in developing this utility if you had set that up.

@sosedoff
Owner

I have very little time for this project these days, so I just try to address the most pressing issues when I have a chance.
For this particular PR, I don't think it's going to be needed, as I've closed mine and also opened up another one, #820, to bump the package version even further.

The main issue with such upgrades is that even if CI reports green, there might be some side effects, like issues with SSH connectivity, and others. So generally speaking, there's a bunch of manual testing required before merging a change like this.
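The thread turns on one question: does the pinned golang.org/x/crypto in go.mod fall inside the range the linked issue calls affected (through 0.31.0)? The following is an added example, not code from pgweb or from either participant; it reads a constructed go.mod excerpt embedded inline (the module path and the x/crypto version in it are assumptions for the demo) and reports whether the required version is at or below a given "last affected" version. It handles both the single-line and block `require` forms and ignores `replace` directives, so a locally replaced module is still judged by its required version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt used as input for the demo; it is
// not pgweb's real go.mod, and the x/crypto version in it is an assumption.
const sampleGoMod = `module example.com/constructed/pgweb-fork

go 1.22

require (
	github.com/lib/pq v1.10.9
	golang.org/x/crypto v0.27.0 // indirect
)
`

// parseSemver converts a Go module version such as "v0.31.0" into its numeric
// major/minor/patch parts. Pre-release ("-rc1") and build ("+meta") suffixes are
// dropped, which is adequate for tagged x/crypto releases.
func parseSemver(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, fmt.Errorf("bad version component %q: %w", p, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to, or higher than b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// requiredVersion returns the version goMod requires for modPath, accepting both
// the single-line form ("require x v1.2.3") and the block form. Replace directives
// are ignored: their lines never have a plain "vX.Y.Z" as the second field.
func requiredVersion(goMod, modPath string) (string, bool) {
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		line = strings.TrimSpace(strings.TrimPrefix(line, "require"))
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == modPath && strings.HasPrefix(fields[1], "v") {
			return fields[1], true
		}
	}
	return "", false
}

// atOrBelow reports whether goMod pins modPath to a version at or below
// lastAffected, the highest version an advisory lists as affected.
func atOrBelow(goMod, modPath, lastAffected string) (bool, error) {
	have, ok := requiredVersion(goMod, modPath)
	if !ok {
		return false, fmt.Errorf("%s is not required by go.mod", modPath)
	}
	got, err := parseSemver(have)
	if err != nil {
		return false, err
	}
	limit, err := parseSemver(lastAffected)
	if err != nil {
		return false, err
	}
	return compareSemver(got, limit) <= 0, nil
}

func main() {
	// The thread states x/crypto is affected through 0.31.0, so anything at or
	// below v0.31.0 is flagged for a bump.
	flagged, err := atOrBelow(sampleGoMod, "golang.org/x/crypto", "v0.31.0")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	v, _ := requiredVersion(sampleGoMod, "golang.org/x/crypto")
	fmt.Printf("golang.org/x/crypto %s at or below v0.31.0: %v\n", v, flagged)
}
```

Pointing this at a real go.mod only tells you whether the pin is inside the stated range; as the reply above notes, a green CI run after the bump still leaves the SSH tunnelling path to be exercised by hand, since x/crypto/ssh behaviour changes do not necessarily show up as compile or unit-test failures.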

@Starttoaster
Author

That's completely understandable, thanks for your reply. I own a handful of public (and even more private) Golang projects myself and am in a similar situation. Though I tend to just take in dependency updates anyway, and don't usually find them to be breaking changes. None of the utilities I support establish SSH connections though, so I'm less familiar with the breaking changes there. And the utilities I support are mostly simpler than pgweb in scope.

Thanks for pgweb! It's a very nice looking Postgres web UI compared to the more popular alternatives out there. And it was much simpler to deploy. I try to stay on top of my k8s CVEs, which is... mostly a folly trying to keep up with them. But I may just own a more simplified down fork of pgweb that just does what I need it to do (which doesn't include SSH, and a few other things pgweb does), that's a bit less scary to have dependabot keep updated, haha. Anyway, cheers to someday having tons of free time in retirement 😂

@Starttoaster deleted the bb/crypto-update-oct-1 branch on December 3, 2025 at 21:52.

2 participants