Update Dependencies #88

Merged: josue merged 2 commits into main from update_deps_feb on Feb 27, 2026
@josue josue (Collaborator) commented Feb 27, 2026

Description

Upgrade Go module dependencies and fix Snyk security vulnerabilities in golang.org/x/crypto/ssh and golang.org/x/crypto/ssh/agent.

Dependency upgrades:

  • ariga.io/atlas v1.0.0 → v1.1.0
  • github.com/99designs/gqlgen v0.17.86 → v0.17.87
  • github.com/mattn/go-sqlite3 v1.14.33 → v1.14.34
  • github.com/sosodev/duration v1.3.1 → v1.4.0
  • github.com/vektah/gqlparser/v2 v2.5.31 → v2.5.32
  • github.com/zclconf/go-cty v1.17.0 → v1.18.0
  • golang.org/x/exp, golang.org/x/mod, golang.org/x/text, golang.org/x/tools (minor bumps)

Security fix:

  • Pinned golang.org/x/crypto v0.48.0 in both go.mod and _examples/go.mod to remediate:
      • SNYK-GOLANG-GOLANGORGXCRYPTOSSH-14059803 (Allocation of Resources Without Limits or Throttling)
      • SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-14059804 (Out-of-bounds Read)

Motivation and Context

Resolves Snyk security vulnerabilities reported.

The vulnerable golang.org/x/crypto@v0.38.0 was pulled in transitively by hashicorp/hcl/v2@v2.24.0. Fixed in golang.org/x/crypto@v0.45.0+ (GO-2025-4134, GO-2025-4135).

How Has This Been Tested?

  • make test — all tests pass
  • Verified golang.org/x/crypto resolves to v0.48.0 in both modules via go list -m

Screenshots (if appropriate):

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation (update or addition to documentation for this project)

Checklist:

  • My code follows the code style of this project.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
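
The `go list -m` verification from the description above, written as a repeatable gate that also accounts for `replace` directives and pre-release versions. This is an added example, not code from this pull request: the function names and the two sample listings are constructed, and the v0.45.0 floor is the fixed version the description cites.

```shell
#!/bin/sh
# Added example: fail a build when a Go module resolves below a fixed version.
# Real use: (cd _examples && go list -m all) | check_module golang.org/x/crypto v0.45.0

# Print the version that `go list -m all` output on stdin resolves module $1 to.
# A line is "path version" or, under a replace directive,
# "path version => newpath newversion"; the replacement is what gets built.
# A replace that points at a local directory has no version and prints nothing.
resolved_version() {
  awk -v m="$1" '$1 == m { v = ($3 == "=>") ? $5 : $2; print v; exit }'
}

# Succeed when version $1 is >= release $2 (both vMAJOR.MINOR.PATCH).
# A pre-release or pseudo-version suffix orders below its base release.
version_at_least() (
  have=${1#v}; want=${2#v}
  case $have in *-*) pre=1 ;; *) pre=0 ;; esac
  have=${have%%[-+]*}                      # drop -prerelease / +incompatible
  case $have$want in *[!0-9.]*) exit 1 ;; esac
  IFS=.
  set -- $have $want                       # h1 h2 h3 w1 w2 w3
  [ $# -eq 6 ] || exit 1
  [ "$1" -gt "$4" ] && exit 0; [ "$1" -lt "$4" ] && exit 1
  [ "$2" -gt "$5" ] && exit 0; [ "$2" -lt "$5" ] && exit 1
  [ "$3" -gt "$6" ] && exit 0; [ "$3" -lt "$6" ] && exit 1
  [ "$pre" -eq 0 ]
)

# Read one module listing on stdin and report whether module $1 meets floor $2.
check_module() {
  ver=$(resolved_version "$1")
  if version_at_least "$ver" "$2"; then
    echo "ok   $1 $ver"
  else
    echo "FAIL $1 ${ver:-<no version resolved>} (need >= $2)"; return 1
  fi
}

# Constructed listings: the transitive version before the pin, and after it.
SAMPLE_BEFORE='example.com/app
github.com/hashicorp/hcl/v2 v2.24.0
golang.org/x/crypto v0.38.0'
SAMPLE_AFTER='example.com/app
github.com/hashicorp/hcl/v2 v2.24.0
golang.org/x/crypto v0.48.0'

printf '%s\n' "$SAMPLE_BEFORE" | check_module golang.org/x/crypto v0.45.0 || true
printf '%s\n' "$SAMPLE_AFTER"  | check_module golang.org/x/crypto v0.45.0 || true
```

Running the gate once per module directory catches the case where the root go.mod is pinned but a nested module such as _examples still resolves the older transitive version.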

@flume-bot flume-bot commented Feb 27, 2026

Snyk checks have passed. No issues have been found so far.

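| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|--------|---------|----------|------|--------|-----|-----------|
|        | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
|        | Licenses | 0 | 0 | 0 | 0 | 0 issues |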


@josue josue marked this pull request as ready for review February 27, 2026 21:31
@josue josue requested a review from caseyh as a code owner February 27, 2026 21:31
@corvramirez corvramirez (Collaborator) left a comment

LGTM

@josue josue merged commit 71ebc54 into main Feb 27, 2026
8 checks passed
@josue josue deleted the update_deps_feb branch February 27, 2026 21:34