I just ran #govulncheck on all of #pkgsrc, and there are a lot more vulnerable packages than I thought :(
I started fixing the #govulncheck finds in #pkgsrc. Some of these have no fix upstream!
@bentsukun soo, do I guess right that it needs the output of a make patch of a Go package to check it?
And only works on Go packages?
@spz Yes, exactly. But on the plus side, it does static analysis to check if any of the vulnerable code is actually called.