Nancy marking downstream dependency as vulnerable

[alxmk]

Issues with pkg:golang/github.com/mitchellh/mapstructure@v1.5.0
CVE-2025-11065
Description: github.com/go-viper/mapstructure - Generation of Error Message Containing Sensitive Information
Score: 5.3

% go mod why github.com/mitchellh/mapstructure
# github.com/mitchellh/mapstructure
<my package>
github.com/IBM/go-sdk-core/v5/core
github.com/go-openapi/strfmt
github.com/mitchellh/mapstructure

As of v5.21.0 (latest) this is an issue.

[alxmk]

This appears to be resolved in github.com/go-openapi/strfmt v0.24.0:

https://github.com/go-openapi/strfmt/blob/v0.24.0/go.mod

versus v0.23.0:

https://github.com/go-openapi/strfmt/blob/v0.23.0/go.mod