From d52fa397105d3d47d6fcc0c9494977c840859ec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Wed, 22 Apr 2026 06:40:35 -0400 Subject: [PATCH 1/3] build: upgrade go-cty v1.18.0 to v1.18.1 Patch-level upgrade of indirect dependency github.com/zclconf/go-cty. Does not resolve Snyk ghost dependency alerts (go-jose, x/crypto, goldmark); those remain covered by .snyk safety-net ignores. Co-Authored-By: Claude Opus 4.6
---
 _examples/go.mod | 2 +-
 _examples/go.sum | 4 ++--
 go.mod | 2 +-
 go.sum | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/_examples/go.mod b/_examples/go.mod
index 9219972..981e5c3 100644
--- a/_examples/go.mod
+++ b/_examples/go.mod
@@ -35,7 +35,7 @@ require (
 github.com/sosodev/duration v1.4.0 // indirect
 github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
- github.com/zclconf/go-cty v1.18.0 // indirect
+ github.com/zclconf/go-cty v1.18.1 // indirect
 github.com/zclconf/go-cty-yaml v1.2.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
diff --git a/_examples/go.sum b/_examples/go.sum
index 12f1828..88d9068 100644
--- a/_examples/go.sum
+++ b/_examples/go.sum
@@ -83,8 +83,8 @@ github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IU
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
-github.com/zclconf/go-cty v1.18.0 h1:pJ8+HNI4gFoyRNqVE37wWbJWVw43BZczFo7KUoRczaA=
-github.com/zclconf/go-cty v1.18.0/go.mod h1:qpnV6EDNgC1sns/AleL1fvatHw72j+S+nS+MJ+T2CSg=
+github.com/zclconf/go-cty v1.18.1 h1:yEGE8M4iIZlyKQURZNb2SnEyZlZHUcBCnx6KF81KuwM=
+github.com/zclconf/go-cty v1.18.1/go.mod h1:qpnV6EDNgC1sns/AleL1fvatHw72j+S+nS+MJ+T2CSg=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 github.com/zclconf/go-cty-yaml v1.2.0 h1:GDyL4+e/Qe/S0B7YaecMLbVvAR/Mp21CXMOSiCTOi1M=
diff --git a/go.mod b/go.mod
index f46bb99..1d492f0 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 github.com/vektah/gqlparser/v2 v2.5.32 // indirect
 github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
- github.com/zclconf/go-cty v1.18.0 // indirect
+ github.com/zclconf/go-cty v1.18.1 // indirect
 github.com/zclconf/go-cty-yaml v1.2.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
diff --git a/go.sum b/go.sum
index 354aafc..bf06c28 100644
--- a/go.sum
+++ b/go.sum
@@ -78,8 +78,8 @@ github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IU
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
-github.com/zclconf/go-cty v1.18.0 h1:pJ8+HNI4gFoyRNqVE37wWbJWVw43BZczFo7KUoRczaA=
-github.com/zclconf/go-cty v1.18.0/go.mod h1:qpnV6EDNgC1sns/AleL1fvatHw72j+S+nS+MJ+T2CSg=
+github.com/zclconf/go-cty v1.18.1 h1:yEGE8M4iIZlyKQURZNb2SnEyZlZHUcBCnx6KF81KuwM=
+github.com/zclconf/go-cty v1.18.1/go.mod h1:qpnV6EDNgC1sns/AleL1fvatHw72j+S+nS+MJ+T2CSg=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 github.com/zclconf/go-cty-yaml v1.2.0 h1:GDyL4+e/Qe/S0B7YaecMLbVvAR/Mp21CXMOSiCTOi1M=
From f9a0c55ce826247375cadf236742783b5ecabf4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Wed, 22 Apr 2026 06:47:45 -0400 Subject: [PATCH 2/3] fix: extend msgpack .snyk ignore expiry to 2027-01-03 The two msgpack vulnerability ignores (SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACKV5-15702238 and SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACK-15702236) were set to expire 2026-07-03. No upstream fix is available (v5.4.1 is latest). Extended to 2027-01-03 and added last-verified date. Co-Authored-By: Claude Opus 4.6
---
 .snyk | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.snyk b/.snyk
index 1e5d4ed..f4649fd 100644
--- a/.snyk
+++ b/.snyk
@@ -24,7 +24,8 @@ ignore:
 No fix available; msgpack v5.4.1 is the latest version. Transitive dependency of hashicorp/hcl, ariga.io/atlas, entgo.io/ent, zclconf/go-cty, and zclconf/go-cty-yaml. Cannot remove without forking upstream.
- expires: 2026-07-03T00:00:00.000Z
+ Last verified: 2026-04-22.
+ expires: 2027-01-03T00:00:00.000Z
 created: 2026-04-03T00:00:00.000Z
 SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACK-15702236:
 - '*':
@@ -34,7 +35,8 @@ ignore:
 Transitive dependency of hashicorp/hcl, ariga.io/atlas, entgo.io/ent, zclconf/go-cty, and zclconf/go-cty-yaml. Cannot remove without forking upstream. Duplicate Snyk entry for same CVE under alternate package path.
- expires: 2026-07-03T00:00:00.000Z
+ Last verified: 2026-04-22.
+ expires: 2027-01-03T00:00:00.000Z
 created: 2026-04-07T00:00:00.000Z
 # --- OpenTelemetry SDK vulnerability (not imported; transitive ghost dep via grpc) ---
 SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758:
From 582c4aa3ee1135b36750a4b7c0106fffccb2632c Mon Sep 17 00:00:00 2001
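Review bot: The added `Last verified: 2026-04-22.` line records when the ignore was revisited but not what was checked, so the extension from 2026-07-03 to 2027-01-03 rests only on "no fix available", which is a remediation constraint rather than a risk assessment; the second hunk at `@@ -34,7 +35,8 @@` has the same gap. The reason text names the transitive path but not whether the affected msgpack code is reachable from this module's packages or tests, which is what makes a nine-month ignore defensible to anyone auditing the file. Consider extending the reason with a sentence such as `Reachability: the affected msgpack code paths are not reachable from this module's packages or tests (TODO: confirm against the advisory's affected functions).` and keeping the expiry shorter than the upstream release cadence you expect, so the finding resurfaces for review rather than staying silent until 2027.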
From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Wed, 22 Apr 2026 06:48:26 -0400 Subject: [PATCH 3/3] fix: add replace directives for ghost dependency vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add go.mod replace directives to pin patched versions of three ghost transitive dependencies flagged by Snyk: - github.com/go-jose/go-jose/v4: v4.1.3 → v4.1.4 (CVSS 8.7, CWE-248) - golang.org/x/crypto: v0.38.0 → v0.50.0 (CVSS 6.9, CWE-770/CWE-125) - github.com/yuin/goldmark: v1.4.13 → v1.8.2 (CVSS 5.1, CWE-79) These modules appear in the module graph via parent deps (grpc, hcl, tools) but are never imported or compiled. The parent packages are at their latest stable versions and have not yet bumped their minimum requirements. Replace directives survive go mod tidy and cause Snyk to report the patched versions. Note: as a library module, these replace directives only apply to this repo's own CI/tests — consumers' builds are unaffected (Go ignores replace directives from dependencies). Remove once parent packages release versions that require the patched transitive deps. Co-Authored-By: Claude Opus 4.6
---
 _examples/go.mod | 6 ++++++
 go.mod | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/_examples/go.mod b/_examples/go.mod
index 981e5c3..a6085ae 100644
--- a/_examples/go.mod
+++ b/_examples/go.mod
@@ -49,3 +49,9 @@ require (
 )
 replace github.com/flume/enthistory => ../.
+
+ replace github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.1.4
+
+ replace golang.org/x/crypto => golang.org/x/crypto v0.50.0
+
+ replace github.com/yuin/goldmark => github.com/yuin/goldmark v1.8.2
diff --git a/go.mod b/go.mod
index 1d492f0..370ee3d 100644
--- a/go.mod
+++ b/go.mod
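Review bot: The three `replace` directives have no version on the left-hand side, so they force go-jose to v4.1.4, x/crypto to v0.50.0 and goldmark to v1.8.2 for every version in the graph, including any newer minimum that grpc, hcl or tools start requiring later; at that point the replace silently downgrades below the parent's requirement and can reintroduce a fix the parent already picked up, and the go.mod hunk at `@@ -46,3 +46,9 @@` has the same shape. Pinning the left side to the currently selected versions the commit message names limits each directive to the vulnerable release and makes it inert once the parents move on: `replace github.com/go-jose/go-jose/v4 v4.1.3 => github.com/go-jose/go-jose/v4 v4.1.4`, `replace golang.org/x/crypto v0.38.0 => golang.org/x/crypto v0.50.0`, `replace github.com/yuin/goldmark v1.4.13 => github.com/yuin/goldmark v1.8.2`. The commit touches no go.sum, so if CI builds with `-mod=readonly` or runs `go mod verify`, confirm that go.sum entries for the replacement modules are not needed under the pruned module graph. A `//` comment above the block stating the removal condition from the commit message ("remove once parent packages require the patched versions") would keep the directives from outliving their purpose.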
@@ -46,3 +46,9 @@ require (
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+ replace github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.1.4
+
+ replace golang.org/x/crypto => golang.org/x/crypto v0.50.0
+
+ replace github.com/yuin/goldmark => github.com/yuin/goldmark v1.8.2