Dependency versions
Date: Sat, 07 Jun 2025 20:27:10 UTC
Hi, I’m the maintainer of the mail/mailslurper port. I’m working on updating the port now, and I ran govulncheck on the work source as part of that. govulncheck found 4 vulnerabilities in 3 modules. The upstream release is from 2023 (I know… I missed it…).

My question is, should I update the modules in the port, report it to upstream and wait for upstream to update go.mod, or both? Is it kosher for a port to update dependencies out-of-sync with upstream?

.einar