Is github.com/hashicorp/go-getter safe to use?

github.com/hashicorp/go-getter has 5 known vulnerabilities on the latest version (v1.8.6). DepScope rates its health at 48/100 (high risk).

What is the latest version of github.com/hashicorp/go-getter?

The latest version of github.com/hashicorp/go-getter is v1.8.6, released 2026-04-02.

Yes. github.com/hashicorp/go-getter has 5 known vulnerabilities. See depscope.dev/pkg/go/github.com/hashicorp/go-getter for details.

No, github.com/hashicorp/go-getter is actively maintained. Latest release: v1.8.6 (2026-04-02).

DepScope has no curated alternatives for github.com/hashicorp/go-getter at this time.

github.com/hashicorp/go-getter is licensed under MPL-2.0.

govv1.8.6

Package for downloading things from a string URL using a variety of protocols.

License MPL-2.0weak copyleft43 versions109 maintainers0 deps1,815 weekly dl

/ 100

Health

do not use

github.com/hashicorp/go-getter has critical vulnerabilities — do not use

Update to >= 2.1.0 to fix known vulnerabilities

Health breakdown0 – 100

25/25

maintenance

6/20

popularity

0/25

security

12/15

maturity

5/15

community

Vulnerabilities

1 critical3 high1 low

Advisories (5)

Severity	ID	Summary	Fixed in
high	CVE-2022-26945	HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion	2.1.0
high	CVE-2022-26945	HashiCorp go-getter unsafe downloads could lead to arbitrary host access	2.1.0
high	CVE-2022-26945	HashiCorp go-getter unsafe downloads	2.1.0
critical	CVE-2022-26945	HashiCorp go-getter command injection	2.1.0
unknown	CVE-2022-26945	Resource exhaustion in github.com/hashicorp/go-getter and related modules	2.1.0

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/hashicorp/go-getter

Last updated · 2026-04-02T06:32:15Z