The latest release of gosu 1.14 is based on go version 1.16. Quite a few CVEs have been fixed since that go version, could you please do a release based on the go version 1.19.
Sorry, this is a duplicate of #106 and #116 -- please see #104.
(Any CVE scanner reporting CVEs in the published binaries of gosu are likely reporting false positives; I maintain the list in #104 so that they can be reported to the relevant vendor to be flagged appropriately.)