Skip to content

chore: mitigate vulnerable Go dependencies#84

Merged
ElvenSpellmaker merged 1 commit intomainfrom
fix/security-dependency-updates-2026-03-19
Mar 19, 2026
Merged

chore: mitigate vulnerable Go dependencies#84
ElvenSpellmaker merged 1 commit intomainfrom
fix/security-dependency-updates-2026-03-19

Conversation

@RichardSlater
Copy link
Contributor

@RichardSlater RichardSlater commented Mar 19, 2026

Summary

  • upgrade github.com/docker/cli from v29.2.1 to v29.3.0 to move past the patched version for GHSA-p436-gjf2-799p
  • upgrade github.com/buger/jsonparser from v1.1.1 to v1.1.2-0.20220418200129-61b32cfdfa0f to move off the vulnerable tag to a later upstream commit because GHSA-6g7g-w4f8-9c9x has no tagged patched release
  • refresh go.sum after dependency resolution

Validation

  • go test ./...

@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 19, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@RichardSlater RichardSlater self-assigned this Mar 19, 2026
@RichardSlater RichardSlater added the dependencies Pull requests that update a dependency file label Mar 19, 2026
@RichardSlater RichardSlater requested review from balpurewal, Copilot and dnitsch and removed request for balpurewal and dnitsch March 19, 2026 11:39
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Go module dependencies to remediate reported vulnerabilities in transitive and direct dependencies used by eirctl’s container/registry support.

Changes:

  • Bump github.com/docker/cli from v29.2.1 to v29.3.0 (patched for GHSA-p436-gjf2-799p).
  • Pin github.com/buger/jsonparser to a pseudo-version past v1.1.1 due to lack of a tagged patched release (GHSA-6g7g-w4f8-9c9x).
  • Refresh go.sum accordingly.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
go.mod Updates required module versions for docker/cli and jsonparser to mitigate advisories.
go.sum Updates module checksums after dependency resolution.

You can also share your feedback on Copilot code review. Take the survey.

@ElvenSpellmaker ElvenSpellmaker enabled auto-merge (squash) March 19, 2026 13:53
ElvenSpellmaker
ElvenSpellmaker approved these changes Mar 19, 2026
View reviewed changes
Copy link
Contributor

@ElvenSpellmaker ElvenSpellmaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Windows:
Image
WSL:
Image

Test pass on Windows and in WSL for me, LGTM thanks.

@ElvenSpellmaker ElvenSpellmaker merged commit 7615164 into main Mar 19, 2026
13 checks passed
@ElvenSpellmaker ElvenSpellmaker deleted the fix/security-dependency-updates-2026-03-19 branch March 19, 2026 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ElvenSpellmaker ElvenSpellmaker ElvenSpellmaker approved these changes

@dnitsch dnitsch Awaiting requested review from dnitsch

Assignees

@RichardSlater RichardSlater

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RichardSlater @ElvenSpellmaker