Vulnerability of dependency "golang.org/x/net"

[Silence-worker-02]

Hello, we are a team researching the dependency management mechanism of Golang. During our analysis, we came across your project and noticed that it contains a vulnerability (CVE-2022-41723, CVE-2022-41717, CVE-2022-27664). In your project, the golang.org/x/net package is being used at version golang.org/x/net v0.0.0-20220722155237-a158d28d115b, but the patched version is v0.7.0. To fix the vulnerability, we recommend modifying the go.mod file to update the version to v0.7.0 or higher. Thank you for your attention to this matter.

[Jacalz]

Hello. Thanks for notifying us but we are entirely aware of the fact that the package has vulnerabilities. As mentioned in #4073 (comment), all of our development happens in the develop branch and the package has already been updated there. The next release is just a couple of weeks away at this point.

[Jacalz]

It is also worth mentioning that we do have the security advisories feature on GitHub enabled. We do get notifications for security issues.

On top of that, the package also required a newer Go version than our previous minimum so it could not be updated. However, it should likely not be a huge issue as our usage of the net package is very minimal. I think that most, if not all, developers using Fyne should not be affected by these vulnerabilities.