Fix Outdated Go Module Dependencies Go
Scan go.mod for CVEs and get a patched version. Fix vulnerable Go modules — no govulncheck CLI needed.
⚠ The Problem
go list -m all shows all modules but doesn't flag CVEs. govulncheck requires CLI installation and doesn't output a patched go.mod.
Bad Configuration — go.mod
module myapp
go 1.21
require (
github.com/gin-gonic/gin v1.7.0
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
)
Fixed Configuration — go.mod
module myapp
go 1.21
require (
github.com/gin-gonic/gin v1.9.1
golang.org/x/net v0.23.0
)
✓ Fix
gin v1.7.0 (CVE-2023-29401). golang.org/x/net old commit hash has multiple CVEs. Update to safe versions above. After updating, run go mod tidy.
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Open PackageFix →No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
How do I scan go.mod for CVEs without govulncheck?
Paste your go.mod into PackageFix. It queries the OSV Go advisory database live.
What are Go pseudo-versions and are they safe?
Pseudo-versions (v0.0.0-20210405180319-...) reference specific commits. They can be vulnerable if the commit predates a security fix. PackageFix flags these.
How do I update a specific Go module?
Run go get github.com/module@v1.2.3, then go mod tidy to clean up.
Does PackageFix support go.sum?
go.sum is a checksum file, not a version manifest. PackageFix scans go.mod for CVEs — go.sum scanning is not needed for vulnerability detection.