Latest released azidentity still uses outdated x/crypto #23878
Assignees
Labels
Azure.Identity
Client
This issue points to a problem in the data-plane of the library.
customer-reported
Issues that are reported by GitHub users external to the Azure organization.
needs-team-attention
Workflow: This issue needs attention from Azure service team or SDK team
question
The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Comments
github-actions
bot
added
Azure.Identity
Client
|
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
github-project-automation
bot
moved this to Untriaged
in Azure Identity SDK Improvements
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The latest release for azidentity is 1.8.0 (from october) and still uses x/crypto v0.27: https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.8.0/sdk/azidentity/go.mod#L14
Version 0.31 contains a security fix (golang/crypto@b4f1988) and our vulnerability scanning alerts us on that outdated indirect dependency.
You already bumped to 0.31 in https://github.com/Azure/azure-sdk-for-go/blame/main/sdk/azidentity/go.mod, so could you please release a new version of azidentity? Thank you
The text was updated successfully, but these errors were encountered: