
fix(deps): update module github.com/hashicorp/go-getter to v1.8.6 [security] (alauda-v1.28.0)#34

Merged
l-qing merged 2 commits into alauda-v1.28.0 from renovate/alauda-v1.28.0-go-github.com-hashicorp-go-getter-vulnerability on May 9, 2026

Conversation

@alaudaa-renovate

This PR contains the following updates:

Package Change
github.com/hashicorp/go-getter v1.7.9 -> v1.8.6

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


HashiCorp's go-getter library may allow arbitrary file reads

CVE-2026-4660 / GHSA-92mm-2pjq-r785

Details

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
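A pre-merge check for this advisory, added here as an example that is not part of the Renovate PR or of the go-getter project: it scans go.mod text and reports any github.com/hashicorp/go-getter v1 pin below v1.8.6 (the /v2 module path is unaffected, per the advisory above). The module path and fixed version come from the advisory; the go.mod line handling, the version ranking and the sample go.mod line are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// FixedGoGetter is the first go-getter v1 release the advisory names as fixed.
const FixedGoGetter = "v1.8.6"

// versionRank maps "v1.8.5" to an integer that orders like semver: a "-..." pre-release
// or Go pseudo-version (v1.8.6-0.20260101000000-abcdef012345) ranks just below its final
// release. ok is false for anything that is not v<major>.<minor>.<patch>[-suffix].
func versionRank(v string) (rank int64, ok bool) {
	v, rel := strings.TrimPrefix(v, "v"), int64(1)
	if i := strings.Index(v, "-"); i >= 0 {
		v, rel = v[:i], 0
	}
	var mj, mn, pt int64
	n, err := fmt.Sscanf(v, "%d.%d.%d", &mj, &mn, &pt)
	return mj<<40 | mn<<24 | pt<<8 | rel, n == 3 && err == nil
}

// VulnerableGoGetter scans go.mod text and returns every github.com/hashicorp/go-getter
// version below FixedGoGetter. It matches the module in single-line and block "require"
// forms ("// indirect" included); a replace or exclude line that names the module with a
// version is reported too, which errs on the safe side for a pre-merge check.
// github.com/hashicorp/go-getter/v2 is a separate module and is not affected.
func VulnerableGoGetter(gomod string) []string {
	fixed, _ := versionRank(FixedGoGetter)
	var found []string
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "require "))
		if len(f) < 2 || f[0] != "github.com/hashicorp/go-getter" {
			continue
		}
		if r, ok := versionRank(f[1]); ok && r < fixed {
			found = append(found, f[1])
		}
	}
	return found
}

func main() {
	// Constructed one-line go.mod fragment, not the repository's real file.
	fmt.Println(VulnerableGoGetter("require github.com/hashicorp/go-getter v1.7.9 // indirect"))
}
```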


Release Notes

hashicorp/go-getter (github.com/hashicorp/go-getter)

v1.8.6

Compare Source

v1.8.5

Compare Source

What's Changed

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

v1.8.4

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.3...v1.8.4

v1.8.3

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.1...v1.8.2

v1.8.1

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.0...v1.8.1

v1.8.0

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.7.9...v1.8.0


Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@alaudaa-renovate
Author

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 29 additional dependencies were updated

Details:

Package Change
golang.org/x/mod v0.30.0 -> v0.33.0
golang.org/x/net v0.48.0 -> v0.52.0
cloud.google.com/go v0.116.0 -> v0.123.0
cloud.google.com/go/auth v0.9.9 -> v0.18.2
cloud.google.com/go/auth/oauth2adapt v0.2.4 -> v0.2.8
cloud.google.com/go/iam v1.2.2 -> v1.5.3
cloud.google.com/go/storage v1.43.0 -> v1.61.3
github.com/google/s2a-go v0.1.8 -> v0.1.9
github.com/googleapis/enterprise-certificate-proxy v0.3.4 -> v0.3.14
github.com/googleapis/gax-go/v2 v2.13.0 -> v2.17.0
github.com/hashicorp/go-version v1.6.0 -> v1.8.0
github.com/klauspost/compress v1.18.0 -> v1.18.5
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 -> v0.63.0
go.opentelemetry.io/otel v1.39.0 -> v1.42.0
go.opentelemetry.io/otel/metric v1.39.0 -> v1.42.0
go.opentelemetry.io/otel/trace v1.39.0 -> v1.42.0
golang.org/x/crypto v0.46.0 -> v0.49.0
golang.org/x/oauth2 v0.34.0 -> v0.36.0
golang.org/x/sync v0.19.0 -> v0.20.0
golang.org/x/sys v0.39.0 -> v0.42.0
golang.org/x/term v0.38.0 -> v0.41.0
golang.org/x/text v0.32.0 -> v0.35.0
golang.org/x/time v0.12.0 -> v0.15.0
golang.org/x/tools v0.39.0 -> v0.42.0
google.golang.org/api v0.203.0 -> v0.271.0
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260226221140-a57be14db171
google.golang.org/protobuf v1.36.10 -> v1.36.11

The repo's go.mod was bumped to Go 1.26.1 (commit 4d9ab79), but the
pinned golangci-lint v2.4.0 binary was built with Go 1.25 and refuses
to run with: "the Go language version (go1.25) used to build
golangci-lint is lower than the targeted Go version (1.26.1)". Its
internal go/types also panics when loading Go 1.26 packages, so the
binary must be rebuilt with Go 1.26+; v2.12.2 is built with go1.26.2.

The newer linter binary surfaces additional findings from analyzers
that didn't exist in v2.4.0. Suppress the new sub-checks to preserve
prior coverage instead of churning unrelated code:

- govet: disable inline (stylistic constant-inlining suggestion)
- gocritic: disable deprecatedComment (formatting nitpick)
- staticcheck: disable QF1012 (Quick-Fix style suggestion)
- gosec: exclude G703 (path-traversal taint on example/CLI programs)
- drop goconst from enabled linters (now flags string literals inside
  slice/map composite literals across many lookup tables; v2.4.0 did
  not flag these)

One real bug the new govet caught is fixed in this commit:
search_result.go was using %q for int64 fields where %d is correct.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@l-qing l-qing merged commit 868a62a into alauda-v1.28.0 May 9, 2026
10 checks passed
@l-qing l-qing deleted the renovate/alauda-v1.28.0-go-github.com-hashicorp-go-getter-vulnerability branch May 9, 2026 15:23