
Commit 37db085

divyansh42claude
andcommitted
fix(cve): CVE-2026-40938, CVE-2026-40161 - github.com/tektoncd/pipeline
- Update github.com/tektoncd/pipeline from v1.3.1 to v1.11.1 - CVE-2026-40938: Arbitrary code execution via malicious git commands (Critical) - CVE-2026-40161: Git API token disclosure via user-controlled serverURL (High) Resolves: SRVKP-11720, SRVKP-11650 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 1e1782f commit 37db085

2 files changed

Lines changed: 201 additions & 224 deletions


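--- a/go.mod
+++ b/go.mod
@@ -8,11 +8,11 @@ require (
 github.com/blang/semver v3.5.1+incompatible
 github.com/cpuguy83/go-md2man v1.0.10
 github.com/creack/pty v1.1.24
-github.com/docker/cli v29.0.3+incompatible
+github.com/docker/cli v29.3.0+incompatible
 github.com/docker/docker v28.5.2+incompatible
 github.com/fatih/color v1.18.0
 github.com/google/go-cmp v0.7.0
-github.com/google/go-containerregistry v0.20.7
+github.com/google/go-containerregistry v0.21.3
 github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
 github.com/hinshun/vt10x v0.0.0-20220228203356-1ab2cad5fd82
 github.com/jonboulle/clockwork v0.5.0
@@ -25,21 +25,21 @@ require (
 github.com/spf13/pflag v1.0.10
 github.com/tektoncd/chains v0.26.0
 github.com/tektoncd/hub v1.22.2
-github.com/tektoncd/pipeline v1.3.1
+github.com/tektoncd/pipeline v1.11.1
 github.com/tektoncd/plumbing v0.0.0-20250430145243-3b7cd59879c1
 github.com/tektoncd/triggers v0.33.0
 github.com/theupdateframework/go-tuf v0.7.0
 go.opencensus.io v0.24.0
 go.uber.org/multierr v1.11.0
 go.uber.org/zap v1.27.1
-golang.org/x/term v0.39.0
+golang.org/x/term v0.41.0
 gotest.tools v2.2.0+incompatible
 gotest.tools/v3 v3.5.2
-k8s.io/api v0.34.1
-k8s.io/apimachinery v0.34.1
+k8s.io/api v0.35.3
+k8s.io/apimachinery v0.35.3
 k8s.io/cli-runtime v0.29.15
-k8s.io/client-go v0.34.1
-knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883
+k8s.io/client-go v0.35.3
+knative.dev/pkg v0.0.0-20260318013857-98d5a706d4fd
 sigs.k8s.io/yaml v1.6.0
 )
 
@@ -57,8 +57,6 @@ require (
 cloud.google.com/go/longrunning v0.6.7 // indirect
 cloud.google.com/go/monitoring v1.24.2 // indirect
 cloud.google.com/go/storage v1.57.1 // indirect
-contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
-contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 // indirect
@@ -96,36 +94,35 @@ require (
 github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go v1.55.8 // indirect
-github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
-github.com/aws/aws-sdk-go-v2/config v1.32.5 // indirect
-github.com/aws/aws-sdk-go-v2/credentials v1.19.5 // indirect
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 // indirect
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
+github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
+github.com/aws/aws-sdk-go-v2/config v1.32.7 // indirect
+github.com/aws/aws-sdk-go-v2/credentials v1.19.7 // indirect
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
-github.com/aws/aws-sdk-go-v2/service/kms v1.49.1 // indirect
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 // indirect
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 // indirect
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
+github.com/aws/aws-sdk-go-v2/service/kms v1.49.5 // indirect
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
 github.com/aws/smithy-go v1.24.0 // indirect
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blendle/zapdriver v1.3.1 // indirect
 github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 github.com/clbanning/mxj/v2 v2.7.0 // indirect
 github.com/cloudevents/sdk-go/v2 v2.16.2 // indirect
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
-github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
+github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
 github.com/coreos/go-oidc/v3 v3.17.0 // indirect
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -152,8 +149,6 @@ require (
 github.com/go-chi/chi/v5 v5.2.3 // indirect
 github.com/go-errors/errors v1.4.2 // indirect
 github.com/go-jose/go-jose/v4 v4.1.3 // indirect
-github.com/go-kit/log v0.2.1 // indirect
-github.com/go-logfmt/logfmt v0.6.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-openapi/analysis v0.24.1 // indirect
@@ -178,14 +173,13 @@ require (
 github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 github.com/go-openapi/validate v0.25.1 // indirect
 github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/golang/snappy v1.0.0 // indirect
 github.com/google/btree v1.1.3 // indirect
-github.com/google/cel-go v0.26.1 // indirect
+github.com/google/cel-go v0.27.0 // indirect
 github.com/google/certificate-transparency-go v1.3.2 // indirect
 github.com/google/gnostic-models v0.7.0 // indirect
 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc // indirect
@@ -201,7 +195,7 @@ require (
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 github.com/grafeas/grafeas v0.2.3 // indirect
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -232,7 +226,7 @@ require (
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 github.com/kelseyhightower/envconfig v1.4.0 // indirect
-github.com/klauspost/compress v1.18.1 // indirect
+github.com/klauspost/compress v1.18.4 // indirect
 github.com/ktr0731/go-ansisgr v0.1.0 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/letsencrypt/boulder v0.20251110.0 // indirect
@@ -257,7 +251,6 @@ require (
 github.com/oklog/ulid v1.3.1 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
-github.com/openzipkin/zipkin-go v0.4.3 // indirect
 github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pierrec/lz4/v4 v4.1.22 // indirect
@@ -266,9 +259,9 @@ require (
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/prometheus/client_golang v1.23.2 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
-github.com/prometheus/common v0.67.4 // indirect
-github.com/prometheus/procfs v0.17.0 // indirect
-github.com/prometheus/statsd_exporter v0.22.7 // indirect
+github.com/prometheus/common v0.67.5 // indirect
+github.com/prometheus/otlptranslator v1.0.0 // indirect
+github.com/prometheus/procfs v0.19.2 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 github.com/rivo/uniseg v0.4.7 // indirect
 github.com/russross/blackfriday v1.6.0 // indirect
@@ -282,18 +275,17 @@ require (
 github.com/sigstore/rekor v1.4.3 // indirect
 github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
 github.com/sigstore/sigstore-go v1.1.4 // indirect
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 // indirect
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3 // indirect
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3 // indirect
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.3 // indirect
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4 // indirect
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4 // indirect
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4 // indirect
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4 // indirect
 github.com/sigstore/timestamp-authority/v2 v2.0.3 // indirect
-github.com/sirupsen/logrus v1.9.3 // indirect
+github.com/sirupsen/logrus v1.9.4 // indirect
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 github.com/spf13/afero v1.15.0 // indirect
 github.com/spf13/cast v1.10.0 // indirect
 github.com/spf13/viper v1.21.0 // indirect
 github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
-github.com/stoewer/go-strcase v1.3.1 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/thales-e-security/pool v0.0.2 // indirect
@@ -318,48 +310,56 @@ require (
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-go.opentelemetry.io/otel v1.39.0 // indirect
-go.opentelemetry.io/otel/metric v1.39.0 // indirect
-go.opentelemetry.io/otel/sdk v1.39.0 // indirect
-go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
-go.opentelemetry.io/otel/trace v1.39.0 // indirect
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+go.opentelemetry.io/otel v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
+go.opentelemetry.io/otel/exporters/prometheus v0.64.0 // indirect
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 // indirect
+go.opentelemetry.io/otel/metric v1.42.0 // indirect
+go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
+go.opentelemetry.io/otel/trace v1.42.0 // indirect
+go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 go.yaml.in/yaml/v2 v2.4.3 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 goa.design/goa/v3 v3.23.4 // indirect
 gocloud.dev v0.43.0 // indirect
 gocloud.dev/docstore/mongodocstore v0.43.0 // indirect
 gocloud.dev/pubsub/kafkapubsub v0.43.0 // indirect
-golang.org/x/crypto v0.47.0 // indirect
+golang.org/x/crypto v0.49.0 // indirect
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-golang.org/x/mod v0.31.0 // indirect
-golang.org/x/net v0.49.0 // indirect
-golang.org/x/oauth2 v0.34.0 // indirect
-golang.org/x/sync v0.19.0 // indirect
-golang.org/x/sys v0.40.0 // indirect
-golang.org/x/text v0.33.0 // indirect
+golang.org/x/mod v0.34.0 // indirect
+golang.org/x/net v0.52.0 // indirect
+golang.org/x/oauth2 v0.36.0 // indirect
+golang.org/x/sync v0.20.0 // indirect
+golang.org/x/sys v0.42.0 // indirect
+golang.org/x/text v0.35.0 // indirect
 golang.org/x/time v0.14.0 // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 google.golang.org/api v0.257.0 // indirect
 google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect
-google.golang.org/genproto/googleapis/api v0.0.0-20260120221211-b8f7ae30c516 // indirect
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
+google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
 google.golang.org/grpc v1.80.0 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
-gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
-k8s.io/apiextensions-apiserver v0.32.9 // indirect
+k8s.io/apiextensions-apiserver v0.35.2 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 knative.dev/eventing v0.30.3 // indirect
 knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 // indirect
 knative.dev/serving v0.39.4 // indirect
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect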
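Review bot: `k8s.io/cli-runtime v0.29.15` is left untouched in the second hunk while `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/client-go` move to v0.35.3, which widens the gap between Kubernetes staging modules that are normally released in lockstep. Whether the skew causes a build or runtime problem is not visible from this diff, so either align it with the other `k8s.io` modules in this change or put a comment on that line saying why it is held back, e.g. `// pinned: <reason>`. Because the commit is filed as a fix for two CVEs in `github.com/tektoncd/pipeline` and the jump from v1.3.1 to v1.11.1 pulls in about sixty other module changes, it would help to record in the description that `go list -m github.com/tektoncd/pipeline` resolves to v1.11.1 in the built binary and that `govulncheck ./...` no longer reports the two advisories.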
