Update golang.org/x/crypto to address security vulnerabilities

[sebrandon1]

⚠️ Outdated golang.org/x/crypto Dependency

This repository is currently using golang.org/x/crypto v0.42.0 but the latest version is v0.47.0.

Last scanned: 2026-01-22 06:22 UTC

Why Update?

Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.

🔒 Security Vulnerabilities Fixed in Newer Versions

The following CVEs have been addressed in versions after v0.42.0:

• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

🤖 Recommendation: Enable Dependabot

This repository does not appear to have Dependabot configured. We recommend enabling Dependabot to automatically keep your go.mod dependencies up-to-date and receive security alerts.

To enable Dependabot, create a .github/dependabot.yml file:

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

See GitHub Dependabot documentation for more details.

📋 How to Update

Run the following command to update:

go get golang.org/x/crypto@v0.47.0
go mod tidy

Then run your tests and submit a PR with the changes.

🔗 Central Tracking

This issue is part of an organization-wide effort to keep golang.org/x/crypto dependencies up-to-date.

See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59

---

This issue is automatically managed by the xcrypto-lookup.sh scanner.

[sebrandon1]

⚠️ Reopened: This repository is now using golang.org/x/crypto v0.42.0, which is outdated. The latest version is v0.46.0.

Security Vulnerabilities to Address

• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

Central tracking: redhat-best-practices-for-k8s/telco-bot#59

---

Automatically reopened by xcrypto-lookup.sh

[sebrandon1]

⚠️ Reopened: This repository is now using golang.org/x/crypto v0.42.0, which is outdated. The latest version is v0.47.0.

Security Vulnerabilities to Address

• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

Central tracking: redhat-best-practices-for-k8s/telco-bot#59

---

Automatically reopened by xcrypto-lookup.sh

[sebrandon1]

⚠️ Reopened: This repository is now using golang.org/x/crypto v0.42.0, which is outdated. The latest version is v0.47.0.

Security Vulnerabilities to Address

• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

Central tracking: redhat-best-practices-for-k8s/telco-bot#59

---

Automatically reopened by xcrypto-lookup.sh

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-ci]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale