Skip to content

Commit bda0fa4

Browse files
theakshaypanttheakshaypant
committed
chore(deps): bump tektoncd/pipeline to v1.9.3
Addresses CVE-2026-40161 (GHSA-wjxp-xrpv-xpff), a high-severity vulnerability where the git resolver API mode leaks system-configured API tokens to user-controlled serverURL endpoints. Also includes path traversal hardening for volume mount validation using filepath.Clean. Signed-off-by: Akshay Pant <akpant@redhat.com>
1 parent adb71b4 commit bda0fa4

5 files changed

Lines changed: 12 additions & 9 deletions

File tree

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ require (
2727
github.com/pkg/errors v0.9.1
2828
github.com/spf13/cobra v1.10.2
2929
github.com/stretchr/testify v1.11.1
30-
github.com/tektoncd/pipeline v1.9.2
30+
github.com/tektoncd/pipeline v1.9.3
3131
gitlab.com/gitlab-org/api/client-go v1.14.0
3232
go.opencensus.io v0.24.0
3333
go.uber.org/zap v1.27.1

go.sum

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -482,8 +482,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
482482
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
483483
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
484484
github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
485-
github.com/tektoncd/pipeline v1.9.2 h1:uKEt6CGLmkeKLdKIZnel0gn8lfQ1P7+398yystdBuHU=
486-
github.com/tektoncd/pipeline v1.9.2/go.mod h1:PTlIZ4Mhr8HZDx404O7spJtafiynetTMedCsXStjtHk=
485+
github.com/tektoncd/pipeline v1.9.3 h1:7Z+V2VX5wjz9LoNa16E1RbgH9mpYy5B1KnAMm3H0czc=
486+
github.com/tektoncd/pipeline v1.9.3/go.mod h1:pEruzPp4JM8JK8Nnnih46IPgdtxRPot/i9pUZo8lA9I=
487487
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
488488
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
489489
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=

vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_validation.go

Lines changed: 4 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/task_validation.go

Lines changed: 3 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/modules.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -399,8 +399,8 @@ github.com/spf13/pflag
399399
## explicit; go 1.17
400400
github.com/stretchr/testify/assert
401401
github.com/stretchr/testify/assert/yaml
402-
# github.com/tektoncd/pipeline v1.9.2
403-
## explicit; go 1.24.0
402+
# github.com/tektoncd/pipeline v1.9.3
403+
## explicit; go 1.24.13
404404
github.com/tektoncd/pipeline/internal/artifactref
405405
github.com/tektoncd/pipeline/pkg/apis/config
406406
github.com/tektoncd/pipeline/pkg/apis/pipeline

0 commit comments

Comments
 (0)