From c1ad6ad4c6f2319edce2258bc4447b51378d6e21 Mon Sep 17 00:00:00 2001
From: Rahul Malhan
Date: Wed, 27 May 2026 13:06:19 +0530
Subject: [PATCH] chore(deps): bump filippo.io/edwards25519 from v1.1.0 to v1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remediates GHSA-fw7p-63qq-7hpr / CVE-2026-26958 (low severity) flagged by CodeQL in NR-560127. Affected `MultiScalarMult` returns invalid results when the receiver is not the identity element. `filippo.io/edwards25519` is an indirect, test-time transitive dependency: nri-postgresql/src/connection → sqlx → sqlx.test → go-sql-driver/mysql → filippo.io/edwards25519. The integration itself does not invoke the affected path; the bump removes the flagged version from go.sum. Verified: `go test -race ./...` passes locally.
Refs: NR-560127, https://github.com/advisories/GHSA-fw7p-63qq-7hpr
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 go.mod | 1 +
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 356463d6..1817dbd2 100644
--- a/go.mod
+++ b/go.mod
@@ -15,6 +15,7 @@ require (
 )

 require (
+ filippo.io/edwards25519 v1.1.1 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/kr/text v0.2.0 // indirect
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
diff --git a/go.sum b/go.sum
index 422c0907..d279f5cc 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,6 @@
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
+filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=