* Zdenek Dohnal via golang:
Once a CVE fix comes into golang and a new golang version is released, the presence of the older version in the BuildRequires of another package will indicate that the package includes vulnerable code, and it has to be rebuilt once the original package includes a fix.
A different way to do this would involve a dependency generator that looks at “go version -m” output like this:
dep golang.org/x/crypto v0.32.0
dep golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
dep golang.org/x/mod v0.22.0
dep golang.org/x/net v0.34.0
dep golang.org/x/oauth2 v0.25.0
dep golang.org/x/sync v0.10.0
dep golang.org/x/sys v0.29.0
dep golang.org/x/term v0.28.0
dep golang.org/x/text v0.21.0
dep golang.org/x/time v0.9.0
And generates the usual Provides: from that:
Provides: bundled(golang.org/x/crypto) = v0.32.0
Provides: bundled(golang.org/x/exp) = v0.0.0-20250103183323-7d7fa50e5329
Provides: bundled(golang.org/x/mod) = v0.22.0
Provides: bundled(golang.org/x/net) = v0.34.0
Provides: bundled(golang.org/x/oauth2) = v0.25.0
Provides: bundled(golang.org/x/sync) = v0.10.0
Provides: bundled(golang.org/x/sys) = v0.29.0
Provides: bundled(golang.org/x/term) = v0.28.0
Provides: bundled(golang.org/x/text) = v0.21.0
Provides: bundled(golang.org/x/time) = v0.9.0
This data might be easier to query.
Thanks, Florian
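The dependency generator sketched in the message above, as an added example that is not Florian's code nor anything from the Fedora Go tooling. It parses the real tab-separated layout that `go version -m` prints (records starting with `path`, `mod`, `dep`, `=>` and `build`), honours `=>` replacement records because the replacement is the code that was actually compiled in, and emits `Provides: bundled(<module>) = <version>` lines in the form shown in the message. The sample binary metadata, the module paths under `example.com`/`example.org` and the `h1:` checksums are constructed for the example; the version strings are copied into the Provides as-is, as the message does.

```python
"""Emit RPM `Provides: bundled(...)` from `go version -m` output.

Added example; not the Fedora generator. Assumes the `go version -m`
record layout documented in the Go toolchain:
    <binary>: go1.X.Y
    \tpath\t<main package>
    \tmod\t<main module>\t<version>\t<sum>
    \tdep\t<module>\t<version>\t<sum>
    \t=>\t<replacement module>\t<version>\t<sum>
    \tbuild\t<key=value>
"""
import subprocess
import sys

# Constructed sample output; checksums are placeholders, not real h1: sums.
SAMPLE = """\
/usr/bin/example: go1.23.4
\tpath\texample.com/cmd/example
\tmod\texample.com/cmd/example\t(devel)\t
\tdep\tgolang.org/x/crypto\tv0.32.0\th1:PLACEHOLDERSUM0000000000000000000000000000=
\tdep\tgolang.org/x/exp\tv0.0.0-20250103183323-7d7fa50e5329\th1:PLACEHOLDERSUM1111111111111111111111111111=
\tdep\tgolang.org/x/net\tv0.34.0\th1:PLACEHOLDERSUM2222222222222222222222222222=
\tdep\texample.org/upstream/lib\tv1.2.0\th1:PLACEHOLDERSUM3333333333333333333333333333=
\t=>\texample.org/fork/lib\tv1.2.1\th1:PLACEHOLDERSUM4444444444444444444444444444=
\tbuild\t-buildmode=exe
\tbuild\tCGO_ENABLED=1
"""


def parse_go_version_m(text: str) -> list[tuple[str, str]]:
    """Return (module, version) for every dependency compiled into the binary.

    - The main module (`mod` record) is skipped: the package provides it itself.
    - A `=>` record replaces the preceding `dep`: a replace directive means the
      upstream module path/version was never built, only the replacement was.
    - Fields are split on any whitespace, so both the tab layout and a
      space-flattened copy of it parse the same way.
    """
    deps: list[tuple[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "dep" and len(fields) >= 3:
            deps.append((fields[1], fields[2]))
        elif kind == "=>" and deps and len(fields) >= 2:
            # Directory replacements carry no version; keep it empty then.
            version = fields[2] if len(fields) >= 3 else ""
            deps[-1] = (fields[1], version)
        # "path", "mod", "build" and the header line carry nothing to provide.
    return deps


def rpm_provides(deps: list[tuple[str, str]]) -> list[str]:
    """Format dependencies as RPM Provides lines, versioned where known."""
    lines = []
    for module, version in deps:
        if version:
            lines.append(f"Provides: bundled({module}) = {version}")
        else:
            lines.append(f"Provides: bundled({module})")
    return lines


def provides_for_binary(path: str) -> list[str]:
    """Run `go version -m` on a built binary and return its Provides lines."""
    out = subprocess.run(
        ["go", "version", "-m", path], capture_output=True, text=True, check=True
    ).stdout
    return rpm_provides(parse_go_version_m(out))


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed sample.
    if len(sys.argv) == 1:
        print("\n".join(rpm_provides(parse_go_version_m(SAMPLE))))
    else:
        for binary in sys.argv[1:]:
            print("\n".join(provides_for_binary(binary)))
```

Run it with one or more built Go binaries as arguments (the way an RPM dependency generator receives file paths) or with none to see the sample; once the Provides are in the package metadata, a query such as `rpm -q --whatprovides 'bundled(golang.org/x/net)'` lists every package that has that module compiled in.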