fix: patch Snyk ghost dependency vulnerabilities#98
Merged
Conversation
Patch-level upgrade of indirect dependency github.com/zclconf/go-cty. Does not resolve Snyk ghost dependency alerts (go-jose, x/crypto, goldmark); those remain covered by .snyk safety-net ignores. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The two msgpack vulnerability ignores (SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACKV5-15702238 and SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACK-15702236) were set to expire 2026-07-03. No upstream fix is available (v5.4.1 is latest). Extended to 2027-01-03 and added last-verified date. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add go.mod replace directives to pin patched versions of three ghost transitive dependencies flagged by Snyk:
- github.com/go-jose/go-jose/v4: v4.1.3 → v4.1.4 (CVSS 8.7, CWE-248)
- golang.org/x/crypto: v0.38.0 → v0.50.0 (CVSS 6.9, CWE-770/CWE-125)
- github.com/yuin/goldmark: v1.4.13 → v1.8.2 (CVSS 5.1, CWE-79)
These modules appear in the module graph via parent deps (grpc, hcl, tools) but are never imported or compiled. The parent packages are at their latest stable versions and have not yet bumped their minimum requirements. Replace directives survive go mod tidy and cause Snyk to report the patched versions. Note: as a library module, these replace directives only apply to this repo's own CI/tests — consumers' builds are unaffected (Go ignores replace directives from dependencies). Remove once parent packages release versions that require the patched transitive deps. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ Snyk checks have passed. No issues have been found so far.
Pull request overview
This PR addresses Snyk-reported “ghost” Go module vulnerabilities by pinning patched transitive dependency versions via replace directives, and updates Snyk ignore metadata for msgpack where no upstream fix is available.
Changes:
- Add `replace` directives to force patched versions of `go-jose/v4`, `golang.org/x/crypto`, and `goldmark` in both the root module and `_examples`.
- Bump indirect dependency `github.com/zclconf/go-cty` from `v1.18.0` to `v1.18.1` (and update `go.sum` files accordingly).
- Extend `.snyk` msgpack ignore expiry and record a "Last verified" date.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| go.mod | Bumps go-cty indirect version and adds replace pins for patched transitive deps. |
| go.sum | Updates checksums for go-cty v1.18.1. |
| _examples/go.mod | Mirrors root module dependency bump and adds the same replace pins. |
| _examples/go.sum | Updates checksums for go-cty v1.18.1 in examples module. |
| .snyk | Extends msgpack ignore expirations and adds “Last verified” notes. |
caseyh approved these changes (Apr 22, 2026)
Summary
- `github.com/go-jose/go-jose/v4`: v4.1.3 → v4.1.4 (CVSS 8.7, Uncaught Exception)
- `golang.org/x/crypto`: v0.38.0 → v0.50.0 (CVSS 6.9, Resource Allocation + OOB Read)
- `github.com/yuin/goldmark`: v1.4.13 → v1.8.2 (CVSS 5.1, XSS)
- `.snyk` msgpack ignores from 2026-07-03 to 2027-01-03 (no upstream fix available)
- `go-cty` v1.18.0 → v1.18.1 (patch-level indirect dep bump)
Context
Snyk reports 6 open vulnerability alerts against `go.mod`. All three high-priority CVEs are ghost transitive dependencies — they appear in the Go module graph via parent packages (`grpc`, `hcl/v2`, `x/tools`) but are never imported or compiled into any binary (`go mod why` confirms). The parent packages are all at their latest stable versions, so the transitive deps cannot be upgraded via normal `go get`. `replace` directives solve this by declaring the patched versions in `go.mod`. As a library module, these directives only apply to this repo's own CI/tests — consumers' builds are unaffected (Go ignores replace directives from dependencies). They should be removed once parent packages release versions that require the patched transitive deps.
Test plan
- `go test ./` — unit tests pass
- `cd _examples && go test ./.` — integration tests pass
- `make lint` — no regressions (pre-existing SA1029 only)
- `snyk test` — 0 open vulnerabilities locally
- `go mod tidy` — replace directives survive
- `go list -m` — confirms patched versions resolve correctly
🤖 Generated with Claude Code
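As an added illustration of the caveat stated in the PR description (this is example code written for this page, not code from the PR or the project), the following Go program models why a `replace` directive changes the version that this module's own build and a Snyk scan of this `go.mod` see, while a downstream consumer inherits only the `require` lines and keeps the unpatched version unless it pins its own. The `go.mod` text is a constructed sample using the versions named above; the parser is a deliberately small hand-rolled reader (not the Go toolchain's `modfile` package) that understands block and single-line `require`/`replace` and skips local-path replacements, `exclude` and `retract`.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed go.mod mirroring the PR's pins: indirect
// requires at the vulnerable versions, replace directives at the patched ones.
const sampleGoMod = `module example.com/library // constructed sample

go 1.22

require (
	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
	github.com/yuin/goldmark v1.4.13 // indirect
	golang.org/x/crypto v0.38.0 // indirect
)

replace (
	github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.1.4
	github.com/yuin/goldmark => github.com/yuin/goldmark v1.8.2
	golang.org/x/crypto => golang.org/x/crypto v0.50.0
)
`

// ModInfo is the minimal view of a go.mod this example needs.
type ModInfo struct {
	Require map[string]string // module path -> required version
	Replace map[string]string // module path -> replacement version
}

// ParseGoMod reads require and replace directives (block or single-line form).
// Hypothetical simplified parser: comments are stripped, other directives ignored.
func ParseGoMod(src string) ModInfo {
	info := ModInfo{Require: map[string]string{}, Replace: map[string]string{}}
	block := "" // "require" or "replace" while inside a ( ... ) block
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		if block != "" {
			if line == ")" {
				block = ""
				continue
			}
			addDirective(&info, block, line)
			continue
		}
		fields := strings.Fields(line)
		switch fields[0] {
		case "require", "replace":
			if len(fields) == 2 && fields[1] == "(" {
				block = fields[0]
			} else {
				addDirective(&info, fields[0], strings.TrimSpace(line[len(fields[0]):]))
			}
		}
	}
	return info
}

// addDirective records one require line ("path version") or one replace line
// ("path [version] => newpath version"); replacements without a version
// (local directories) are skipped.
func addDirective(info *ModInfo, kind, line string) {
	f := strings.Fields(line)
	switch kind {
	case "require":
		if len(f) >= 2 {
			info.Require[f[0]] = f[1]
		}
	case "replace":
		arrow := -1
		for i, t := range f {
			if t == "=>" {
				arrow = i
			}
		}
		if arrow < 0 || arrow+2 >= len(f) {
			return
		}
		info.Replace[f[0]] = f[arrow+2]
	}
}

// EffectiveVersion is what this module's own build (and a scanner reading this
// go.mod) sees: the replace target if declared, otherwise the required version.
func EffectiveVersion(info ModInfo, path string) (string, bool) {
	if v, ok := info.Replace[path]; ok {
		return v, true
	}
	v, ok := info.Require[path]
	return v, ok
}

// ResolveAsConsumer models a module that depends on the library: it inherits
// the library's require lines but never its replace directives, so it sees the
// unpatched version unless it carries its own pin (consumerReplace).
func ResolveAsConsumer(library ModInfo, consumerReplace map[string]string, path string) (string, bool) {
	if v, ok := consumerReplace[path]; ok {
		return v, true
	}
	v, ok := library.Require[path]
	return v, ok
}

func main() {
	lib := ParseGoMod(sampleGoMod)
	for _, p := range []string{"github.com/go-jose/go-jose/v4", "golang.org/x/crypto", "github.com/yuin/goldmark"} {
		own, _ := EffectiveVersion(lib, p)
		consumer, _ := ResolveAsConsumer(lib, nil, p)
		fmt.Printf("%-32s this repo's build: %-8s consumer's build: %s\n", p, own, consumer)
	}
}
```

The consumer-side resolution is a simplification (real minimal version selection takes the maximum across all requirers), but the asymmetry it shows is the point of the PR's note: the pins make this repository's CI and scanner happy without changing what downstream builds receive, so the directives are a stopgap until the parent packages raise their minimum requirements.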