Replies: 2 comments
kitty uses dependabot so all Go deps are auto updated once a week, IIRC
on Mondays.
For the record, to update all dependencies, you just need to run:
```
go get -u ./... && go mod tidy
```
On Fri, Aug 04, 2023 at 09:06:15AM -0700, Scott Bradnick wrote:
I was notified of the CVE in the title w/ a link pointing to a few different references, one such being: https://pkg.go.dev/vuln/GO-2023-1989. Which from what I can tell basically suggests updating `go.mod`:
```
golang.org/x/image v0.9.0
```
I have no idea if it's as simple as:
```
golang.org/x/image v0.10.0
```
And then some other mechanism updates `go.sum`?
--
_____________________________________
Dr. Kovid Goyal
https://www.kovidgoyal.net
https://calibre-ebook.com
_____________________________________
I saw the previous dependabot references in my searching, but didn't know the timeframe and I wanted to have something to put in the ticket on my end - so thank you very much for this info 😃
We build it as part of a build service which doesn't have internet access so the go modules are part of a vendored package and the whole thing is wiped clean and then rebuilt; basically, I'm happy to wait for
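For the offline, vendored build described in this thread, a pre-build check can confirm that `go.mod` pins a module at or above a chosen floor before the vendor tree is regenerated. This is an added example, not part of the original discussion or kitty's tooling; the function names and the sample `go.mod` are constructed, and the `v0.10.0` floor is the version proposed in the question.

```shell
#!/bin/sh
# Added example (not kitty's build tooling): offline check that go.mod pins a
# module at or above a minimum version. All function names are hypothetical.

# mod_version FILE MODULE: print the version FILE requires for MODULE.
mod_version() {
    awk -v mod="$2" '
        { sub(/\/\/.*/, "") }                            # drop "// indirect" etc.
        $1 == "require" && $2 == "(" { blk = 1; next }   # start of require block
        blk && $1 == ")"             { blk = 0; next }
        $1 == "require" && $2 == mod { print $3; exit }  # single-line form
        blk && $1 == mod             { print $2; exit }  # block form
    ' "$1"
}

# version_ge A B: succeed when A >= B, comparing vMAJOR.MINOR.PATCH numerically
# (as strings "v0.9.0" sorts after "v0.10.0"). Pre-release suffixes are ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/[-+].*/, "", a); split(a, x, ".")
        sub(/^v/, "", b); sub(/[-+].*/, "", b); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_min_version FILE MODULE MIN: 0 = ok, 1 = too old, 2 = not required.
check_min_version() {
    have=$(mod_version "$1" "$2")
    [ -n "$have" ] || { echo "$2: not required in $1"; return 2; }
    if version_ge "$have" "$3"; then echo "$2 $have >= $3: ok"; return 0; fi
    echo "$2 $have < $3: run 'go get $2@$3 && go mod tidy', then 'go mod vendor'"
    return 1
}

# Constructed sample go.mod, written to the path given as $1.
write_sample() {
    printf '%s\n' 'module example.com/app' '' 'go 1.20' '' \
        'require golang.org/x/sys v0.10.0' '' 'require (' \
        '    golang.org/x/image v0.9.0' \
        '    golang.org/x/text v0.11.0 // indirect' ')' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_min_version "$sample" golang.org/x/image v0.10.0 || true
rm -f "$sample"
```

The check does not look at `replace` directives, so a module redirected that way needs a manual review.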