
fix: add .snyk safety net ignore for goldmark XSS #97

Merged: josue merged 1 commit into main from upgrade_ghost_transitive_deps (Apr 15, 2026)

Conversation

josue (Collaborator) commented Apr 15, 2026

Summary

  • Adds .snyk safety-net ignore for goldmark XSS vulnerability (CVE-2026-5160, SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERHTML-15838406)
  • github.com/yuin/goldmark@v1.4.13 is a ghost transitive dependency via golang.org/x/tools@v0.44.0 — not listed in go.mod and never compiled into any binary
  • go mod why confirms: "main module does not need package github.com/yuin/goldmark"
  • Consistent with existing safety-net ignores for go-jose and x/crypto

Context

JIRA FL-29335 (goldmark XSS in _examples/go.mod) is still open, while the identical FL-29336 (go.mod) is already DONE. Both are ghost deps with no vulnerable code paths. golang.org/x/tools@v0.44.0 (latest) still requires goldmark v1.4.13 — no upstream fix available yet.

Verification

  • snyk test --org=flume passes with 0 vulnerabilities (both go.mod and _examples/go.mod)
  • go test ./ passes
  • cd _examples && go test ./. passes

Test plan

  • Snyk scan clean on both modules
  • Unit tests pass
  • Integration tests pass
  • Close FL-29335 in JIRA after merge

🤖 Generated with Claude Code

goldmark v1.4.13 is a ghost transitive dep via golang.org/x/tools —
not listed in go.mod and never compiled into any binary.
Adding ignore for consistency with existing go-jose and x/crypto ignores.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 15, 2026 20:30
@josue josue requested a review from caseyh as a code owner April 15, 2026 20:30
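The ghost-dependency check the PR relies on is `go mod why`; as an added example that is not part of this PR or the project's code, the Go program below parses that command's output so the "main module does not need package ..." decision can be scripted rather than eyeballed. The sample output and the `github.com/example/flume/agent` package in it are constructed.

```go
package main

import (
	"bufio"
	"sort"
	"strings"
)

// Constructed sample of `go mod why` output (not captured from the PR's repo):
// a ghost package like goldmark, then a package the main module really imports.
const sampleWhy = `# github.com/yuin/goldmark
(main module does not need package github.com/yuin/goldmark)
# golang.org/x/crypto/ssh
github.com/example/flume/agent
golang.org/x/crypto/ssh
`

// ParseGoModWhy maps each queried package to its import chain. A stanza opens
// with "# <pkg>" and is followed by either the chain (one package per line, main
// module first) or a "(main module does not need ...)" notice, so a ghost is empty.
func ParseGoModWhy(out string) map[string][]string {
	chains := map[string][]string{}
	cur := "" // package whose stanza is being filled
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "# "):
			cur = strings.TrimPrefix(line, "# ")
			chains[cur] = nil
		case cur == "" || line == "" || strings.HasPrefix(line, "("):
			// stray text before the first header, blank separator, or the notice
		default:
			chains[cur] = append(chains[cur], line)
		}
	}
	return chains
}

// GhostDeps returns, sorted, the packages the main module never imports: only
// these justify a safety-net ignore like this PR's goldmark entry.
func GhostDeps(chains map[string][]string) (ghosts []string) {
	for pkg, chain := range chains {
		if len(chain) == 0 {
			ghosts = append(ghosts, pkg)
		}
	}
	sort.Strings(ghosts)
	return ghosts
}
```

Feed it the output of `go mod why github.com/yuin/goldmark` from the real module tree (the same command the PR cites); any package that comes back with a non-empty chain is compiled in and must not be ignored.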
flume-bot commented Apr 15, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues


Copilot AI left a comment

Pull request overview

Adds a Snyk “safety-net” ignore entry for a reported goldmark XSS vulnerability that is present only as an unused transitive (non-compiled) dependency in the root module, aligning root policy with the existing pattern used for other ghost dependencies.

Changes:

  • Add .snyk ignore for SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERHTML-15838406 (CVE-2026-5160) with rationale and time-bounded expiration.


@josue josue merged commit ac9ea58 into main Apr 15, 2026
12 checks passed
@josue josue deleted the upgrade_ghost_transitive_deps branch April 15, 2026 22:19

4 participants