This repository has been archived by the owner on Nov 30, 2024. It is now read-only.

chore(deps): update module github.com/hashicorp/go-getter to v1.7.5 [security] #40


@renovate renovate bot commented Jun 27, 2024


This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/hashicorp/go-getter | v1.7.4 -> v1.7.5 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-6257

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes.

An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.


Release Notes

hashicorp/go-getter (github.com/hashicorp/go-getter)

v1.7.5


What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.7.4...v1.7.5


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
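
One way to check whether a module still needs this update, as an added example that is not code from this PR, Renovate, or HashiCorp: it reads a `go.mod` and reports whether `github.com/hashicorp/go-getter` is required at a version that sorts before v1.7.5. It assumes every such version should be updated (the page names only v1.7.4 -> v1.7.5 and gives no lower bound for CVE-2024-6257); `pinnedVersion`, `older` and the sample `go.mod` are hypothetical names and constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod; only the go-getter path and versions come from the PR.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/hashicorp/go-getter v1.7.4 // indirect\n)\n"

// pinnedVersion returns the version required for mod, or ""; replace directives are not followed.
func pinnedVersion(gomod, mod string) string {
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "(" {
			inRequire = f[0] == "require" // entering a require/exclude/replace block
		} else if len(f) == 3 && f[0] == "require" && f[1] == mod {
			return f[2]
		} else if len(f) == 2 && inRequire && f[0] == mod {
			return f[1]
		}
	}
	return ""
}

// older reports whether v sorts before fixed. A pre-release or pseudo-version
// of fixed (a "-" suffix) counts as older; "+incompatible" is ignored.
func older(v, fixed string) (bool, error) {
	var a, b [3]int
	_, errA := fmt.Sscanf(v, "v%d.%d.%d", &a[0], &a[1], &a[2])
	_, errB := fmt.Sscanf(fixed, "v%d.%d.%d", &b[0], &b[1], &b[2])
	if errA != nil || errB != nil {
		return false, fmt.Errorf("unparseable version %q or %q", v, fixed)
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	base, _, _ := strings.Cut(v, "+")
	return strings.Contains(base, "-"), nil
}

func main() {
	v := pinnedVersion(sampleGoMod, "github.com/hashicorp/go-getter")
	stale, err := older(v, "v1.7.5")
	fmt.Println(v, stale, err) // v1.7.4 true <nil>
}
```

A module that redirects go-getter through a `replace` directive needs a separate look, since the version in `require` is then not the code that gets built.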

@renovate renovate bot requested a review from a team as a code owner June 27, 2024 06:54
@renovate renovate bot added the area/dependency Issues or PRs related to dependency changes. label Jun 27, 2024
@renovate renovate bot requested review from shanduur and removed request for a team June 27, 2024 06:54
@renovate renovate bot enabled auto-merge (squash) June 27, 2024 06:54
@shanduur shanduur closed this Nov 30, 2024
auto-merge was automatically disabled November 30, 2024 05:59

Pull request was closed
