Hi @mattfarina,
Following up on #436 — the master branch has accumulated several useful commits since v3.3.0 (Aug 2024) that many downstream projects are waiting on, most notably:
- PR #435 / PR #427: bump golang.org/x/crypto from v0.26.0 to v0.40.0+, patching vulnerability GO-2024-3321 (CVE-2024-45337)
- PR #451: general dependency updates (merged Jul 2025)
- PR #413: SHA support for htpasswd
Several downstream projects (including ours) are being flagged by OSS compliance scanners because sprig's declared golang.org/x/crypto v0.26.0 in its go.mod is below the patched threshold, even when the resolved version in the consuming project is already patched. The only clean fix for this class of scanner finding is an official tagged release.
We understand maintenance time is limited. Even a minimal release that just bumps the dependency tree (no new functions, no breaking changes) would unblock a large number of projects.
Would you be open to cutting a v3.3.1 or v3.4.0 tag from the current master?
Thank you for maintaining this widely-used library.
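Added example, not part of the original issue or of sprig's code: a sketch of why a manifest-based scanner and the Go build disagree, as described above. The build uses the highest version any module requires, while the scanner reads each module's own go.mod. The consuming module `example.com/app`, the sample graph, and the use of v0.40.0 as the scanner's threshold are assumptions made for illustration.

```go
package main

import "fmt"

// Req is one require line: Module's go.mod declares Path at Version.
type Req struct{ Module, Path, Version string }

// less compares two vMAJOR.MINOR.PATCH versions numerically (pre-release tags ignored).
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Audit returns the version the build resolves for path and the modules whose own go.mod declares less than fixed.
func Audit(reqs []Req, path, fixed string) (resolved string, flagged []string) {
	for _, r := range reqs {
		if r.Path != path {
			continue
		}
		if resolved == "" || less(resolved, r.Version) {
			resolved = r.Version // highest requirement wins in the build list
		}
		if less(r.Version, fixed) {
			flagged = append(flagged, r.Module) // what a go.mod-reading scanner reports
		}
	}
	return resolved, flagged
}

// Constructed graph: a hypothetical app pins a newer x/crypto than sprig v3.3.0 declares.
var sample = []Req{
	{"example.com/app", "golang.org/x/crypto", "v0.40.0"},
	{"github.com/Masterminds/sprig/v3", "golang.org/x/crypto", "v0.26.0"},
}

func main() {
	v, f := Audit(sample, "golang.org/x/crypto", "v0.40.0") // threshold is an assumed scanner setting
	fmt.Println("resolved:", v, "declared below threshold:", f)
}
```

The resolved version is already at the threshold, yet sprig is still reported because its declared requirement is what the scanner inspects.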