chore(deps): bump the gomod group across 1 directory with 19 updates#735
chore(deps): bump the gomod group across 1 directory with 19 updates#735dependabot[bot] wants to merge 1 commit into
Conversation
Kusari Analysis Results:Caution Flagged Issues Detected The code analysis returned zero findings across all scanned files, indicating clean code changes with no exposed secrets or workflow issues. However, the dependency analysis identified significant vulnerabilities in two indirect dependencies that warrant attention before merging. golang.org/x/crypto is pinned at v0.46.0 and carries 13 active advisories, including authentication bypasses (CVE-2026-42508, CVE-2026-46595, CVE-2026-39828), server panics (CVE-2026-46597, CVE-2026-39835), DoS vectors via memory leaks and pathological RSA/DSA parameters (CVE-2026-39827, CVE-2026-39829), a server deadlock (CVE-2026-39830), and a FIDO/U2F physical interaction bypass (CVE-2026-39831), among others. The fixed version is v0.53.0. Additionally, golang.org/x/sys v0.43.0 contains an integer overflow in NewNTUnicodeString on Windows (CVE-2026-39824) that can cause silent data corruption or security bypasses; the fixed version is v0.46.0. Both packages have known safe versions readily available. We strongly recommend pinning these dependencies before merging by running: go get golang.org/x/crypto@v0.53.0 and go get golang.org/x/sys@v0.46.0, and adding explicit entries in go.mod to override the transitive versions. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Found this helpful? Give it a 👍 or 👎 reaction! |
Bumps the gomod group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) | `0.9.0` | `0.11.0` | | [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) | `1.22.0` | `1.23.2` | | [github.com/yannh/kubeconform](https://github.com/yannh/kubeconform) | `0.7.0` | `0.8.0` | | [go.uber.org/zap](https://github.com/uber-go/zap) | `1.27.0` | `1.28.0` | | [atomicgo.dev/keyboard](https://github.com/atomicgo/keyboard) | `0.2.9` | `0.2.10` | | [github.com/gookit/color](https://github.com/gookit/color) | `1.6.0` | `1.6.1` | | [github.com/prometheus/procfs](https://github.com/prometheus/procfs) | `0.17.0` | `0.20.1` | Updates `github.com/in-toto/in-toto-golang` from 0.9.0 to 0.11.0 - [Release notes](https://github.com/in-toto/in-toto-golang/releases) - [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md) - [Commits](in-toto/in-toto-golang@v0.9.0...v0.11.0) Updates `github.com/prometheus/client_golang` from 1.22.0 to 1.23.2 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.22.0...v1.23.2) Updates `github.com/spf13/cobra` from 1.9.1 to 1.10.2 - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.9.1...v1.10.2) Updates `github.com/yannh/kubeconform` from 0.7.0 to 0.8.0 - [Release notes](https://github.com/yannh/kubeconform/releases) - [Commits](yannh/kubeconform@v0.7.0...v0.8.0) Updates `go.uber.org/zap` from 1.27.0 to 1.28.0 - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](uber-go/zap@v1.27.0...v1.28.0) Updates `atomicgo.dev/keyboard` from 0.2.9 to 0.2.10 - [Release notes](https://github.com/atomicgo/keyboard/releases) - [Commits](atomicgo/keyboard@v0.2.9...v0.2.10) Updates `github.com/gookit/color` from 1.6.0 to 1.6.1 - [Release notes](https://github.com/gookit/color/releases) - [Commits](gookit/color@v1.6.0...v1.6.1) Updates `github.com/mattn/go-runewidth` from 0.0.20 to 0.0.23 - [Commits](mattn/go-runewidth@v0.0.20...v0.0.23) Updates `github.com/prometheus/common` from 0.65.0 to 0.66.1 - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/CHANGELOG.md) - [Commits](prometheus/common@v0.65.0...v0.66.1) Updates `github.com/prometheus/procfs` from 0.17.0 to 0.20.1 - [Release notes](https://github.com/prometheus/procfs/releases) - [Commits](prometheus/procfs@v0.17.0...v0.20.1) Updates `github.com/secure-systems-lab/go-securesystemslib` from 0.9.0 to 0.10.0 - [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases) - [Commits](secure-systems-lab/go-securesystemslib@v0.9.0...v0.10.0) Updates `github.com/spf13/pflag` from 1.0.7 to 1.0.10 - [Release notes](https://github.com/spf13/pflag/releases) - [Commits](spf13/pflag@v1.0.7...v1.0.10) Updates `go.yaml.in/yaml/v2` from 2.4.2 to 2.4.4 - [Commits](yaml/go-yaml@v2.4.2...v2.4.4) Updates `golang.org/x/crypto` from 0.40.0 to 0.46.0 - [Commits](golang/crypto@v0.40.0...v0.46.0) Updates `golang.org/x/sys` from 0.41.0 to 0.43.0 - [Commits](golang/sys@v0.41.0...v0.43.0) Updates `golang.org/x/term` from 0.40.0 to 0.42.0 - [Commits](golang/term@v0.40.0...v0.42.0) Updates `golang.org/x/text` from 0.34.0 to 0.37.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.34.0...v0.37.0) Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.11 Updates `sigs.k8s.io/yaml` from 1.5.0 to 1.6.0 - [Release notes](https://github.com/kubernetes-sigs/yaml/releases) - [Changelog](https://github.com/kubernetes-sigs/yaml/blob/master/RELEASE.md) - [Commits](kubernetes-sigs/yaml@v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: atomicgo.dev/keyboard dependency-version: 0.2.10 dependency-type: indirect update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/gookit/color dependency-version: 1.6.1 dependency-type: indirect update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/in-toto/in-toto-golang dependency-version: 0.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/mattn/go-runewidth dependency-version: 0.0.23 dependency-type: indirect update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/prometheus/client_golang dependency-version: 1.23.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/prometheus/common dependency-version: 0.66.1 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/prometheus/procfs dependency-version: 0.20.1 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/secure-systems-lab/go-securesystemslib dependency-version: 0.10.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/spf13/cobra dependency-version: 1.10.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/spf13/pflag dependency-version: 1.0.10 dependency-type: indirect update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/yannh/kubeconform dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: go.uber.org/zap dependency-version: 1.28.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: go.yaml.in/yaml/v2 dependency-version: 2.4.4 dependency-type: indirect update-type: version-update:semver-patch dependency-group: gomod - dependency-name: golang.org/x/crypto dependency-version: 0.46.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/sys dependency-version: 0.43.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/term dependency-version: 0.42.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/text dependency-version: 0.37.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod - dependency-name: google.golang.org/protobuf dependency-version: 1.36.11 dependency-type: indirect update-type: version-update:semver-patch dependency-group: gomod - dependency-name: sigs.k8s.io/yaml dependency-version: 1.6.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com>
c6b08d3 to
3c486b0
Compare
|
Kusari PR Analysis rerun based on - 3c486b0 performed at: 2026-06-15T06:04:56Z - link to updated analysis |
Bumps the gomod group with 7 updates in the / directory:
0.9.00.11.01.22.01.23.20.7.00.8.01.27.01.28.00.2.90.2.101.6.01.6.10.17.00.20.1Updates
github.com/in-toto/in-toto-golangfrom 0.9.0 to 0.11.0Release notes
Sourced from github.com/in-toto/in-toto-golang's releases.
... (truncated)
Commits
36d782fMerge pull request #462 from in-toto/fix-negation-character4a09e3bmatch: Replace ^ with ! for negation in character classesc3302e8Merge pull request #459 from in-toto/dependabot/go_modules/github.com/go-jose...016e87echore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.45b9df76Merge pull request #457 from in-toto/dependabot/go_modules/google.golang.org/...595b3fechore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3e396d24Merge pull request #452 from in-toto/dependabot/github_actions/all-502588e1ca142b779Merge pull request #453 from in-toto/dependabot/go_modules/all-d8ef5820aaf741bccchore(deps): bump the all group with 2 updatesc374dc9chore(deps): bump the all group across 1 directory with 2 updatesUpdates
github.com/prometheus/client_golangfrom 1.22.0 to 1.23.2Release notes
Sourced from github.com/prometheus/client_golang's releases.
... (truncated)
Changelog
Sourced from github.com/prometheus/client_golang's changelog.
Commits
8179a56Cut v1.23.2 (#1870)4142b59Merge pull request #1869 from prometheus/arve/upgrade-common4ff40f0Cut v1.23.1 (#1867)989b029Upgrade to prometheus/common v0.66 (#1866)e4b2208Cut v1.23.0 (#1848)d9492afcut v1.23.0-rc.1 (#1842)aeae8a0Cut v1.23.0-rc.0 (#1837)b157309Update common Prometheus files (#1832)a704e28build(deps): bump the github-actions group with 3 updates (#1826)c774311Fix errNotImplemented reference (#1835)Updates
github.com/spf13/cobrafrom 1.9.1 to 1.10.2Release notes
Sourced from github.com/spf13/cobra's releases.
... (truncated)
Commits
88b30abchore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#2336)346d408fix: actions/setup-go v6 (#2337)fc81d20refactor: change minUsagePadding from var to const (#2325)117698arefactor: replace several vars with consts (#2328)e2dd29dAdd documentation for repeated flags functionality (#2316)0629892Fix linter (#2327)7da941cchore: Bump pflag to v1.0.9 (#2305)51d6751Bump pflag to 1.0.8 (#2303)3f3b818Update README.md with new logodcaf42eAdd Periscope to the list of projects using Cobra (#2299)Updates
github.com/yannh/kubeconformfrom 0.7.0 to 0.8.0Release notes
Sourced from github.com/yannh/kubeconform's releases.
Commits
02374e5Update README (#360)1f6792cSmall fixes, better sanitization (#359)e5c533bfix: update duration validation to use strfmt package (#348)ab97ec7Update deps, make sure we use vendored dependencies (#358)b83bf79Openapi2jsonschema-go (#357)8e634e1fix: avoid panic when a schema document decodes to null (#356)d412494Read resources from multiple workers (#354)e608924Fix typo (#339)c7f8490fix: Github -> GitHub (#340)Updates
go.uber.org/zapfrom 1.27.0 to 1.28.0Release notes
Sourced from go.uber.org/zap's releases.
Changelog
Sourced from go.uber.org/zap's changelog.
Commits
5b81b37release v1.28.0 (#1547)0ab0d5azapcore: Add PreWriteHook for transforming entries before write (#1534)d278c59[chore] CI: test on Go 1.26 (#1535)16fb16bchore(dep): replace archived gopkg.in/yaml.v3 with officially maintained go.y...7b755a3release 1.27.1 (#1521)d6b395bUpdate lazy logger not to materialize unless it's being written to (#1519)4b9cea0ci: Test with Go 1.24, Go 1.25 (#1508)7c80d7bFix race condition in WithLazy implementation (#1426) (#1511)07077a6Prevent zap.Object from panicing on nils (#1501)a6afd05Fix lint check name (#1502)Updates
atomicgo.dev/keyboardfrom 0.2.9 to 0.2.10Release notes
Sourced from atomicgo.dev/keyboard's releases.
Commits
fae8463chore: auto name tag on release4b92e07chore: updated template comments6614fe5docs: update readme codeblock styling5178b5cdocs: update readme styling0b77d5cci: use stable go version for doc generation8140523ci: fix windows argument parsing64af941ci: improved workflowsc24137eci: updated workflow dependency versions160b78achore: removed .templates1003925chore: removed Makefile in favour of TaskfileUpdates
github.com/gookit/colorfrom 1.6.0 to 1.6.1Release notes
Sourced from github.com/gookit/color's releases.
Commits
d232e11ci(release): remove Go version matrix and simplify build steps in release action1245572fix(convert): incorrect conversion between integer types2bb27a5fix(detect): should enable VTP on windows CMD,PWSHe58a899fix: re-apply color after nested reset in RenderString (#119)de1e243Add 'stable' to Go version matrix and update actioned1b9ccbuild(deps): bump actions/checkout from 5 to 6 (#115)2e18426build(deps): bump github/codeql-action from 3 to 4 (#113)Updates
github.com/mattn/go-runewidthfrom 0.0.20 to 0.0.23Commits
17a7a03Merge pull request #95 from mattn/optimize-runewidth-performance0a43bb8Optimize RuneWidth and StringWidth performance41dc6c5Merge pull request #92 from mattn/stringwidth-single-rune-fast-path254e529optimize single-rune StringWidthb7b94fbMerge pull request #91 from mattn/add-is-combining-width2c33cbfUpdate CI: bump actions and Go versionsc6c0a14Add IsCombiningWidth function6399b33Merge pull request #90 from bugwhisperer418/76-zero-width-variation-selectionsdadc062fix benchmark test checksums75db52fupdate test checksumsUpdates
github.com/prometheus/commonfrom 0.65.0 to 0.66.1Release notes
Sourced from github.com/prometheus/common's releases.
... (truncated)
Changelog
Sourced from github.com/prometheus/common's changelog.
... (truncated)
Commits
8975ddeRevert "Use go.uber.org/atomic instead of sync/atomic (#825)" (#838)08d7f66Move to supported version of yaml parser (