Conversation

caarlos0
Contributor

@caarlos0 caarlos0 commented Aug 5, 2025

Summary

There's a vulnerability in go-chi v4, and the only fix is to update to v5.
Seemed like a low lift, so I did it.

see https://pkg.go.dev/vuln/GO-2025-3770
see GHSA-vrw8-fxc6-2r93

Release Note

NONE

Documentation

@caarlos0 caarlos0 requested review from a team as code owners August 5, 2025 14:27
@cpanato
Member

cpanato commented Aug 5, 2025

Please sign the dco


codecov bot commented Aug 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 25.04%. Comparing base (488eb97) to head (12222a4).
⚠️ Report is 471 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2563       +/-   ##
===========================================
- Coverage   66.46%   25.04%   -41.42%     
===========================================
  Files          92      189       +97     
  Lines        9258    24424    +15166     
===========================================
- Hits         6153     6117       -36     
- Misses       2359    17544    +15185     
- Partials      746      763       +17     
Flag Coverage Δ
e2etests 46.88% <ø> (-0.68%) ⬇️
unittests 16.23% <ø> (-31.46%) ⬇️


see GO-2025-3770
see GHSA-vrw8-fxc6-2r93

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
@caarlos0
Contributor Author

caarlos0 commented Aug 5, 2025

@cpanato done!

@cpanato cpanato merged commit 0b80f3f into sigstore:main Aug 6, 2025
16 checks passed
@caarlos0
Contributor Author

caarlos0 commented Aug 6, 2025

thanks @cpanato!

is there a timeline on the next release?

@caarlos0 caarlos0 deleted the chiv5 branch August 6, 2025 12:23
@bobcallaway
Member

thanks @cpanato!

is there a timeline on the next release?

I looked at the CVE and while yes, we imported the package referenced, we do not use the code path that contains the vulnerability. I'm not sure there is a huge rush to push out a new release here, unless I'm missing something?

@cpanato
Member

cpanato commented Aug 6, 2025

cc @haydentherapper

@caarlos0
Contributor Author

caarlos0 commented Aug 6, 2025

@bobcallaway my understanding is that it's not a rush either. The only downside is scanners marking it as possibly vulnerable (e.g. rekor is imported by cosign, which is imported by goreleaser, which is how I got here 😂)

@bobcallaway
Member

@caarlos0 that makes sense (and thanks for goreleaser - we love it!). We have a couple of other changes we'd like to get in soon and should cut another release in the next couple of weeks.

@caarlos0
Contributor Author

caarlos0 commented Aug 7, 2025

cool, I'll keep an eye out for it.

thanks for cosign & co, I love it :)

caarlos0 added a commit to goreleaser/goreleaser that referenced this pull request Aug 15, 2025
GoReleaser itself is not affected by this, but govulncheck keeps
complaining.

I upgraded go-chi in rekor in sigstore/rekor#2563,
but they haven't released it yet.

This updates to rekor@main.

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>