A check of the vendor.tar.gz shows that the potentially unsafe function ServerConfig.PublicKeyCallback is not used by restic. So we shall be safe here. Simply updating to golang.org/x/crypto v0.31.0 anyway does not work. An update to a newer restic version would work, but that's exaggerated considering the fact above. If there are no objections, we shall close this bug.
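
One way to repeat the check described in the comment above on an unpacked source tree, as an added example that is not part of the original comment or of restic: it parses Go source and reports every composite-literal key or field selector named PublicKeyCallback, ignoring comments and strings that a plain text search would also match. The helper name findCallbackUses and both sample files are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample files, not taken from restic or its vendor tree.
const serverSrc = `package demo
import "golang.org/x/crypto/ssh"
// PublicKeyCallback in a comment must not count.
func cfg() {
	c := &ssh.ServerConfig{PublicKeyCallback: nil}
	c.PublicKeyCallback = nil
}`
const clientSrc = `package demo
import "golang.org/x/crypto/ssh"
func cfg() *ssh.ClientConfig { return &ssh.ClientConfig{User: "backup"} }`

// findCallbackUses (hypothetical helper) lists file:line:col of each use.
func findCallbackUses(name, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, 0)
	if err != nil {
		return nil, err
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		var id *ast.Ident
		switch x := n.(type) {
		case *ast.KeyValueExpr: // ssh.ServerConfig{PublicKeyCallback: ...}
			id, _ = x.Key.(*ast.Ident)
		case *ast.SelectorExpr: // cfg.PublicKeyCallback = ...
			id = x.Sel
		}
		if id != nil && id.Name == "PublicKeyCallback" {
			hits = append(hits, fset.Position(id.Pos()).String())
		}
		return true
	})
	return hits, nil
}

func main() {
	fmt.Println(findCallbackUses("server.go", serverSrc))
	fmt.Println(findCallbackUses("client.go", clientSrc))
}
```

The match is by field name only, without type resolution, so it can over-report; when walking a real tree, skip the golang.org/x/crypto/ssh package itself, which defines the field.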