Using go get to fetch a module with the .git suffix may unexpectedly fallback to the insecure git:// protocol if the module is unavailable via the secure https:// and git+ssh:// protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Name | Vendor | Start Version | End Version |
---|---|---|---|
Go | Golang | * | 1.20.12 (excluding) |
Go | Golang | 1.21.0-0 (including) | 1.21.5 (excluding) |