Update deps #279

Open
TomHennen wants to merge 2 commits into carabiner-dev:main from TomHennen:update_deps

@TomHennen

Fixes a few CVEs being reported by OSV scanner.

| Dependency | From | To | Cleared |
| --- | --- | --- | --- |
| golang.org/x/crypto | v0.50.0 | v0.52.0 | 13 CVEs — SSH auth/cert-restriction/FIDO bypass, server panics & DoS: CVE-2026-39827, -39828, -39829, -39830, -39831, -39832, -39833, -39834, -39835, -42508, -46595, -46597, -46598 |
| golang.org/x/net | v0.53.0 | v0.55.0 | 6 CVEs — HTML XSS, IDNA/Punycode, DoS: CVE-2026-25680, -25681, -27136, -39821, -42502, -42506 |
| golang.org/x/sys | v0.43.0 | v0.45.0 | CVE-2026-39824 |
| github.com/go-git/go-git/v5 | v5.18.0 | v5.19.1 | CVE-2026-45022, -45570, -45571, GHSA-w5pp-99ch-qj29 — SSH command injection, .git path traversal, object-parsing DoS |
| github.com/go-git/go-billy/v5 | v5.8.1-pre | v5.9.0 | CVE-2026-44740, -44973 — path traversal, symlink-loop DoS |
| github.com/sigstore/gitsign | v0.14.1-pre | v0.16.0 | CVE-2026-44310, -44309 — `--verify` exit-0-on-panic bypass + trust confusion |
| github.com/in-toto/in-toto-golang | v0.10.0 | v0.11.0 | GHSA-pmwq-pjrm-6p5r — glob-negation policy bypass |

TomHennen added 2 commits May 31, 2026 07:32
Signed-off-by: Tom Hennen <tomhennen@Toms-MBP.localdomain>
Signed-off-by: Tom Hennen <tom.hennen@gmail.com>