Summary
The current dependency github.com/go-git/go-billy/v5 is pinned to v5.8.0 in semaphore's go.mod, which is affected by two security vulnerabilities:
Current state
github.com/go-git/go-billy/v5 v5.8.0 // indirect
Expected fix
github.com/go-git/go-billy/v5 v5.9.0 // indirect
go-billy v5.9.0 was released on 2026-05-06: https://github.com/go-git/go-billy/releases/tag/v5.9.0
Steps to fix
go get github.com/go-git/go-billy/v5@v5.9.0
go mod tidy
Context
This was identified via a security scan on a project that uses the semaphore pre-built binary (/usr/local/bin/semaphore). The vulnerability is present in the compiled binary and cannot be patched at the consumer level without rebuilding semaphore from source.
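An added example, not part of the original issue or of semaphore's own code: a small Go program that reads the module list the Go linker embeds in a compiled binary and reports whether the linked go-billy predates v5.9.0, which is how a consumer of the pre-built binary can confirm a rebuilt release picked up the bump. The helper names core and olderThan are hypothetical. It assumes a binary built with module support and does not follow replace directives.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Module path and first fixed release, both taken from the issue text.
const billyPath, billyFixed = "github.com/go-git/go-billy/v5", "v5.9.0"

// core parses MAJOR.MINOR.PATCH from a module version such as "v5.8.0".
func core(v string) (c [3]int, ok bool) {
	n, _ := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &c[0], &c[1], &c[2])
	return c, n == 3
}

// olderThan reports whether have sorts before want; a pre-release of want counts as older.
func olderThan(have, want string) (bool, error) {
	h, okH := core(have)
	w, okW := core(want)
	if !okH || !okW {
		return false, fmt.Errorf("cannot compare %q with %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] < w[i], nil // numeric compare, so v5.10.x is newer than v5.9.0
		}
	}
	return strings.Contains(have, "-") && !strings.Contains(want, "-"), nil
}

func main() {
	path := "/usr/local/bin/semaphore" // binary path from the issue
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	info, err := buildinfo.ReadFile(path) // module list embedded by the Go linker
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, d := range info.Deps {
		if d.Path == billyPath {
			old, err := olderThan(d.Version, billyFixed)
			fmt.Printf("%s %s needs-rebuild=%v err=%v\n", d.Path, d.Version, old, err)
		}
	}
}
```

If nothing is printed, go-billy is not linked into the binary that was inspected.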