go-libp2p currently has an indirect dependency on pion/dtls/v2 which has a known vulnerability, CVE-2026-26014. In order to resolve this vulnerability, I believe the direct pion/* dependencies need to be updated. I want to check in and ask if the go-libp2p team is aware of this?
I tried to update the direct pion/* dependencies locally and the APIs are compatible. However, I noticed the TestWebRTCReuseAddrWithQUIC test fails after this upgrade.
Thank you for the help!