mirror of https://github.com/tailscale/tailscale/
go.mod: update github.com/ulikunitz/xz for https://github.com/advisories/GHSA-25xm-hr59-7c27
Our code is not vulnerable to the issue in question: it only happens in the decompression path for untrusted inputs, and we only use xz as part of mkpkg, which is write-only and operates on trusted build system outputs to construct deb and rpm packages. Still, it's nice to keep the dependabot dashboard clean.

Signed-off-by: David Anderson <danderson@tailscale.com>

pull/2787/head
parent 99a1c74a6a
commit b96159e820