fix: Upgrade filippo.io/edwards25519 to v1.2.0 for CVE-2026-26958#389
Pull request overview
This PR upgrades the indirect Go dependency filippo.io/edwards25519 to remediate CVE-2026-26958 (GHSA-fw7p-63qq-7hpr), addressing incorrect MultiScalarMult results in affected versions.
Changes:
- Bump filippo.io/edwards25519 from v1.1.0 to v1.2.0 (indirect) in go.mod.
- Update the corresponding go.sum entries to match the new module version and checksums.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates the indirect requirement for filippo.io/edwards25519 to v1.2.0. |
| go.sum | Refreshes checksums for filippo.io/edwards25519 v1.2.0. |
Pull request overview
Copilot reviewed 1 out of 3 changed files in this pull request and generated 3 comments.
Files not reviewed (1)
- web/package-lock.json: Language not supported
| "engines": { | ||
| "node": ">=20" | ||
| }, |
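Review bot: the `engines` constraint shown here only yields an EBADENGINE warning from npm unless `engine-strict=true` is configured (for example in .npmrc), so an install on an older Node may still succeed and the mismatch surfaces only at runtime; declare the same `"engines": { "node": ">=20" }` in web/package.json and enable engine-strict in CI so the requirement fails early and visibly.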
naive-ui now declares engines: { node: ">=20" }, effectively raising the minimum Node.js version for the frontend. Since web/package.json does not declare an engines constraint, this requirement may surprise users and cause npm ci failures on older Node versions. Consider adding an explicit Node version requirement for the project (or pinning naive-ui to a version compatible with your supported Node range).
Related Issue
Closes https://github.com/tbphp/gpt-load/security/dependabot/17
Change Content
Upgrade the indirect dependency filippo.io/edwards25519 from v1.1.0 to v1.2.0 to fix the CVE-2026-26958 (GHSA-fw7p-63qq-7hpr) security vulnerability. The vulnerability causes MultiScalarMult to produce invalid results when the receiver is not the identity point.
Checklist