upgrade golang.org/x/net package to fix CVE-2024-45338

My investigation indicates that neither our code, nor our dependencies use the functions in question, but at the same time, the impact of upgrading them is minimal, so it feels like the less risky path to just upgrade and not have to worry. BACK-3353
tidepool-org · Jan 29, 2025 · 00a4ae2 · 00a4ae2
1 parent 6102734
commit 00a4ae2
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 6 deletions.
diff --git a/go.mod b/go.mod
@@ -28,11 +28,11 @@ require (
 	github.com/urfave/cli v1.22.15
 	go.mongodb.org/mongo-driver v1.16.0
 	go.uber.org/fx v1.22.1
-	golang.org/x/crypto v0.24.0
+	golang.org/x/crypto v0.32.0
 	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
 	golang.org/x/oauth2 v0.21.0
-	golang.org/x/sync v0.7.0
+	golang.org/x/sync v0.10.0
 	golang.org/x/tools v0.22.0
 	gonum.org/v1/gonum v0.15.0
 	google.golang.org/grpc v1.65.0
@@ -98,10 +98,10 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240624140628-dc46fd24d27d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240624140628-dc46fd24d27d // indirect
 	google.golang.org/protobuf v1.34.2 // indirect