filippo.io/edwards25519 has a vulnerability GO-2026-4503.vulncheck imports

[twocs]

Scanning my go.mod file revealed the following problem caused by indirect loading from go-sql-driver/mysql:

filippo.io/edwards25519 has a vulnerability GO-2026-4503.vulncheck imports
filippo.io/edwards25519
Note: The project imports packages with known vulnerabilities. Use govulncheck to check if the project uses vulnerable symbols.

GO-2026-4503 Invalid result or undefined behavior in filippo.io/edwards25519
filippo.io/edwards25519 Fixed in v1.1.1.
This module is necessary because filippo.io/edwards25519 is imported in:

• apod/apod-backend-api/database
  -- github.com/go-sql-driver/mysql

---

I assume the easy fix is just a matter of updating the version to 1.1.1, and can be completed without any issue. Note that 1.1.1 is three years old and there's now a 1.2.0 version

However I note that filippo.io/edwards25519 readme states:

Most users don't need this package, and should instead use crypto/ed25519 for signatures, crypto/ecdh for Diffie-Hellman, or github.com/gtank/ristretto255 for prime order group logic.

Therefore, a better fix might be to remove filippo.io/edwards25519 altogether.

[twocs]

I didn't find this listed as an issue, but after writing the above issue, I found that last week @williamhaw created a pull request for this exact issue:
#1749
It was merged into master by @shogo82148 so this issue can be closed if it makes it into a release.

[methane]

Is there any documentation that explains what Go library maintainers should do in such cases?

Is it really necessary for all libraries that directly or indirectly depend on a library to perform a minor version update for a security update of that one library?

Ideally, libraries should only declare a minimum required version, and go get should automatically select the necessary version to avoid security issues.

[methane]

GHSA-fw7p-63qq-7hpr

Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on filippo.io/edwards25519 via github.com/go-sql-driver/mysql, you are not affected. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like govulncheck.