govulncheck reports GO-2026-5932 because github.com/creativeprojects/go-selfupdate imports unmaintained golang.org/x/crypto/openpgp. No upstream fixed version exists.
CI has a narrowly scoped exception for this advisory so actionable vulnerabilities still fail builds.
Replace or redesign updater signature verification using a maintained implementation without weakening release authenticity checks.
Reference: https://pkg.go.dev/vuln/GO-2026-5932
govulncheckreports GO-2026-5932 becausegithub.com/creativeprojects/go-selfupdateimports unmaintainedgolang.org/x/crypto/openpgp. No upstream fixed version exists.CI has a narrowly scoped exception for this advisory so actionable vulnerabilities still fail builds.
Replace or redesign updater signature verification using a maintained implementation without weakening release authenticity checks.
Reference: https://pkg.go.dev/vuln/GO-2026-5932