fix: dependency_updater security and error wrapping

Author: Kewe63

dependency_updater/dependency_updater.go

@@ -86,12 +86,25 @@ func updater(token string, repoPath string, commit bool, githubAction bool) erro
 	// Sanitize repoPath to prevent path traversal (CWE-22)
 	repoPath, err = filepath.Abs(filepath.Clean(repoPath))
 	if err != nil {
-		return fmt.Errorf("error resolving repo path: %s", err)
+		return fmt.Errorf("error resolving repo path: %w", err)
+	}
+
+	// Ensure the resolved path stays within the workspace (CWE-22)
+	base := os.Getenv("GITHUB_WORKSPACE")
+	if base != "" {
+		absBase, err := filepath.Abs(base)
+		if err != nil {
+			return fmt.Errorf("error resolving workspace base path: %w", err)
+		}
+		rel, err := filepath.Rel(absBase, repoPath)
+		if err != nil || strings.HasPrefix(rel, "..") {
+			return fmt.Errorf("security error: repo path '%s' is outside of workspace '%s'", repoPath, absBase)
+		}
 	}
 
 	f, err := os.ReadFile(filepath.Join(repoPath, "versions.json"))
 	if err != nil {
-		return fmt.Errorf("error reading versions JSON: %s", err)
+		return fmt.Errorf("error reading versions JSON: %w", err)
 	}
 
 	client := github.NewClient(nil).WithAuthToken(token)