I was earlier on golang 1.20 when Snyk reported a couple of vulnerabilities in my code, which needed me to upgrade the following:
golang.org/x/crypto => golang.org/x/crypto v0.35.0
golang.org/x/net => golang.org/x/net v0.36.0
At this point, I only had 2 vulnerabilities. Now, in order to upgrade these packages, I need golang 1.23+.
Moving to golang 1.23, and upgrading the above packages, I now have 52 vulnerabilities.
But if I only upgrade golang to 1.23, there’s no issue.
This is one of them on Snyk:
- Introduced through
go@1.23.0, golang.org/x/net@v0.36.0 and others
- Fixed in
go@1.56.3, @1.57.1, @1.58.3
What version is this? How do I fix the vulnerabilities?