Skip to content

fix(evaders): bump os-spoof x/crypto to v0.53.0 (dependabot ssh advisories)#228

Merged
datascry merged 1 commit into
mainfrom
fix/os-spoof-xcrypto-bump
Jul 8, 2026
Merged

fix(evaders): bump os-spoof x/crypto to v0.53.0 (dependabot ssh advisories)#228
datascry merged 1 commit into
mainfrom
fix/os-spoof-xcrypto-bump

Conversation

@datascry

@datascry datascry commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Closes Dependabot #32 + #33golang.org/x/crypto <0.45.0 in evaders/os-spoof (indirect, was v0.36.0): the ssh/agent panic + ssh unbounded-memory advisories. Bumped to v0.53.0 (matching the other Go modules); go mod tidy, build green. os-spoof doesn't use x/crypto/ssh, but the bump clears the transitive alert.

Part of addressing all open security/quality alerts: the CodeQL/scorecard alerts (reflective-xss FP, disabled-cert-check on the self-signed lab edge, clear-text-logging of non-sensitive telemetry, base-image pin policy, CI-tests) were triaged + dismissed with justifications; this is the one real code fix.

…ounded)

Dependabot #32/#33: golang.org/x/crypto <0.45.0 in os-spoof (indirect, v0.36.0) — the ssh/agent
panic and ssh unbounded-memory advisories. Bumped to v0.53.0 (matching the other Go modules); go mod
tidy, build green. os-spoof does not use x/crypto/ssh, but the bump clears the transitive alert.
@datascry datascry force-pushed the fix/os-spoof-xcrypto-bump branch from 24b4c99 to b1b7a79 Compare July 8, 2026 02:07
@datascry datascry merged commit 037e8da into main Jul 8, 2026
23 checks passed
@datascry datascry deleted the fix/os-spoof-xcrypto-bump branch July 8, 2026 02:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant