go.mod: update github.com/ulikunitz/xz for https://github.com/advisories/GHSA-25xm-hr59-7c27

Our code is not vulnerable to the issue in question: it only happens in the decompression path for untrusted inputs, and we only use xz as part of mkpkg, which is write-only and operates on trusted build system outputs to construct deb and rpm packages. Still, it's nice to keep the dependabot dashboard clean. Signed-off-by: David Anderson <danderson@tailscale.com>
2025-11-01 22:22:12 +00:00 · 2021-09-02 13:09:12 -07:00
parent 99a1c74a6a
commit b96159e820
2 changed files with 3 additions and 1 deletions
--- a/go.mod
+++ b/go.mod
@@ -36,6 +36,7 @@ require (
 	github.com/tailscale/hujson v0.0.0-20200924210142-dde312d0d6a2
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
+	github.com/ulikunitz/xz v0.5.10 // indirect
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
 	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
 	golang.org/x/net v0.0.0-20210614182718-04defd469f4e