From 10294d6f4d37bdd703845206d98a351f4d58d0cb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 14:03:39 +0000
Subject: [PATCH 1/4] chore(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.8.2

Bumps [github.com/yuin/goldmark](https://github.com/yuin/goldmark) from 1.7.16 to 1.8.2.
- [Release notes](https://github.com/yuin/goldmark/releases)
- [Commits](https://github.com/yuin/goldmark/compare/v1.7.16...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/yuin/goldmark
  dependency-version: 1.8.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 99413bdefa1..085bfec8bf6 100644
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/theupdateframework/go-tuf/v2 v2.4.1
 	github.com/vmihailenco/msgpack/v5 v5.4.1
-	github.com/yuin/goldmark v1.7.16
+	github.com/yuin/goldmark v1.8.2
 	github.com/zalando/go-keyring v0.2.8
 	golang.org/x/crypto v0.49.0
 	golang.org/x/sync v0.20.0
diff --git a/go.sum b/go.sum
index c9cfb3dfc02..c62941f5c47 100644
--- a/go.sum
+++ b/go.sum
@@ -539,8 +539,8 @@ github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
-github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
+github.com/yuin/goldmark v1.8.2 h1:kEGpgqJXdgbkhcOgBxkC0X0PmoPG1ZyoZ117rDVp4zE=
+github.com/yuin/goldmark v1.8.2/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs=
 github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA=
 github.com/zalando/go-keyring v0.2.8 h1:6sD/Ucpl7jNq10rM2pgqTs0sZ9V3qMrqfIIy5YPccHs=

From e5927332c69fee034b244ab87fb24f1028f2f7ca Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz"
Date: Wed, 8 Apr 2026 12:58:07 +0100
Subject: [PATCH 2/4] chore: re-add toolchain to go1.26.2

Signed-off-by: Babak K. Shandiz
---
 go.mod | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.mod b/go.mod
index 04f98e69e10..91e191d94ca 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/cli/cli/v2
 
 go 1.26.1
 
+toolchain go1.26.2
+
 require (
 	charm.land/bubbles/v2 v2.0.0
 	charm.land/bubbletea/v2 v2.0.2

From 73d65ed7012fdd3d3dea021ec5a117fdb64efd29 Mon Sep 17 00:00:00 2001
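Review bot: The new `toolchain go1.26.2` line in go.mod is advisory rather than enforced: the `go 1.26.1` directive two lines above it is the version the go command actually checks, so a build run with `GOTOOLCHAIN=local` on a 1.26.1 installation (a packager, or a CI runner that pins the Go version) still succeeds and simply ignores the toolchain line. If the intent is that every build of gh use the 1.26.2 patch release — for example because it carries a toolchain or standard-library fix — the durable form is to raise the requirement itself, `go 1.26.2`, rather than relying on the toolchain hint. The subject's "re-add" suggests an automated tidy keeps dropping this line; as I recall `go mod tidy` removes a toolchain directive that is not newer than the `go` line, so raising `go` also removes the churn. Failing that, a `// toolchain pinned deliberately; keep when tidying` comment next to it would tell the next updater why it is there.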
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:28:30 -0600
Subject: [PATCH 3/4] Document dependency CVE policy in SECURITY.md

Clarify that a dependency having a CVE does not mean gh has a vulnerability. We use govulncheck for reachability analysis and ask reporters to demonstrate impact before we act on dependency CVE reports.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/SECURITY.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 50e489c545a..76bb91fc79e 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -11,6 +11,8 @@ If you believe you have found a security vulnerability in GitHub CLI, you can re
 
 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
 
+A dependency having a CVE does not mean `gh` has a vulnerability. We use [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether vulnerable symbols are actually reachable from `gh`'s code. If you are reporting a dependency CVE, please include evidence that the issue is exploitable in `gh`: a call chain into the affected symbols or a proof of concept. Reports that only list a dependency version and CVE without demonstrating impact will be closed.
+
 Thanks for helping make GitHub safe for everyone.
 
 [private vulnerability reporting]: https://github.com/cli/cli/security/advisories

From 832e3e7fa0a2f5e957266cc2d46c5b3db51e451a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Apr 2026 17:34:24 +0000 Subject: [PATCH 4/4] chore(deps): bump charm.land/bubbles/v2 from 2.0.0 to 2.1.0 Bumps [charm.land/bubbles/v2](https://github.com/charmbracelet/bubbles) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/charmbracelet/bubbles/releases) - [Commits](https://github.com/charmbracelet/bubbles/compare/v2.0.0...v2.1.0) --- updated-dependencies: - dependency-name: charm.land/bubbles/v2 dependency-version: 2.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 91e191d94ca..27b81f82428 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.26.1 toolchain go1.26.2 require ( - charm.land/bubbles/v2 v2.0.0 + charm.land/bubbles/v2 v2.1.0 charm.land/bubbletea/v2 v2.0.2 charm.land/huh/v2 v2.0.3 charm.land/lipgloss/v2 v2.0.2 @@ -141,7 +141,7 @@ require ( github.com/itchyny/timefmt-go v0.1.6 // indirect github.com/jedisct1/go-minisign v0.0.0-20241212093149-d2f9f49435c7 // indirect github.com/lucasb-eyer/go-colorful v1.3.0 // indirect - github.com/mattn/go-runewidth v0.0.20 // indirect + github.com/mattn/go-runewidth v0.0.21 // indirect github.com/microcosm-cc/bluemonday v1.0.27 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect diff --git a/go.sum b/go.sum index 4c8d4063ee3..75655121f8c 100644 --- a/go.sum +++ b/go.sum 
@@ -1,5 +1,5 @@
-charm.land/bubbles/v2 v2.0.0 h1:tE3eK/pHjmtrDiRdoC9uGNLgpopOd8fjhEe31B/ai5s=
-charm.land/bubbles/v2 v2.0.0/go.mod h1:rCHoleP2XhU8um45NTuOWBPNVHxnkXKTiZqcclL/qOI=
+charm.land/bubbles/v2 v2.1.0 h1:YSnNh5cPYlYjPxRrzs5VEn3vwhtEn3jVGRBT3M7/I0g=
+charm.land/bubbles/v2 v2.1.0/go.mod h1:l97h4hym2hvWBVfmJDtrEHHCtkIKeTEb3TTJ4ZOB3wY=
 charm.land/bubbletea/v2 v2.0.2 h1:4CRtRnuZOdFDTWSff9r8QFt/9+z6Emubz3aDMnf/dx0=
 charm.land/bubbletea/v2 v2.0.2/go.mod h1:3LRff2U4WIYXy7MTxfbAQ+AdfM3D8Xuvz2wbsOD9OHQ=
 charm.land/huh/v2 v2.0.3 h1:2cJsMqEPwSywGHvdlKsJyQKPtSJLVnFKyFbsYZTlLkU=
@@ -390,8 +390,8 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=
-github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mattn/go-runewidth v0.0.21 h1:jJKAZiQH+2mIinzCJIaIG9Be1+0NR+5sz/lYEEjdM8w=
+github.com/mattn/go-runewidth v0.0.21/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=