Viper spf13/pflag dependency is not updated to latest available version from long time

Preflight Checklist

• [x] I have searched the issue tracker for an issue that matches the one I want to file, without success.
• [x] I am not looking for support or already pursued the available support channels without success.
• [x] I have checked the troubleshooting guide for my problem, without success.

Viper Version

1.19.0

Go Version

1.21

Config Source

Files

Format

No response

Repl.it link

No response

Code reproducing the issue

Expected Behavior

This repository should not use dependency which is not updated from long time even if latest version is available. this can help in avoiding compliance and security risk for users.

Actual Behavior

current version 1.19.0 of viper does not use latest version of dependency spf13/pflag which is 1.0.6

Steps To Reproduce

No response

Additional Information

No response

Comment From: thaJeztah

Go modules use Minimum Version Selection; library modules are generally expected to specify the most minimum version required to use the project, allowing users of the module to use any SemVer compatible version higher than that.

Are there any security issues with the v1.0.5 version in the current release?

Note that the dependency is already updated in the repository (but not yet in a tagged release);

• https://github.com/spf13/viper/pull/1979

Comment From: bitspill

pflag 1.0.6 was included in release 1.20.0 yesterday

https://github.com/spf13/viper/releases/tag/v1.20.0

Comment From: github-actions[bot]

Issues with no activity for 30 days are marked stale and subject to being closed.