chore(deps): update module github.com/cli/go-gh/v2 to v2.12.1 [security] #62
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
bot
force-pushed
the
renovate/go-github.com-cli-go-gh-v2-vulnerability
branch
from
e91383a to
fc7b81d
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-cli-go-gh-v2-vulnerability
branch
from
fc7b81d to
e5997d7
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-cli-go-gh-v2-vulnerability
branch
2 times, most recently
from
f890552 to
48ea04e
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-cli-go-gh-v2-vulnerability
branch
from
48ea04e to
e482b5e
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-cli-go-gh-v2-vulnerability
branch
from
e482b5e to
e5b9d70
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-cli-go-gh-v2-vulnerability
branch
from
e5b9d70 to
c0b07f9
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.0.1->v2.12.1GitHub Vulnerability Alerts
CVE-2024-53859
Summary
A security vulnerability has been identified in
go-ghthat could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.Details
go-ghsources authentication tokens from different environment variables depending on the host involved:GITHUB_TOKEN,GH_TOKENfor GitHub.com and ghe.comGITHUB_ENTERPRISE_TOKEN,GH_ENTERPRISE_TOKENfor GitHub Enterprise ServerPrior to
2.11.1,auth.TokenForHostcould source a token from theGITHUB_TOKENenvironment variable for a host other than GitHub.com or ghe.com when within a codespace.In
2.11.1,auth.TokenForHostwill only source a token from theGITHUB_TOKENenvironment variable for GitHub.com or ghe.com hosts.Impact
Successful exploitation could send authentication token to an unintended host.
Remediation and mitigation
go-ghto2.11.1CVE-2025-48938
Summary
A security vulnerability has been identified in
go-ghwhere an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.Details
The GitHub CLI and CLI extensions allow users to transition from their terminal for a variety of use cases through the
Browsercapability ingithub.com/cli/go-gh/v2/pkg/browser:-w, --webflag, GitHub CLI users can view GitHub repositories, issues, pull requests, and more using their web browsergh codespacecommand set, GitHub CLI users can transition to Visual Studio Code to work with GitHub CodespacesThis is done by using URLs provided through API responses from authenticated GitHub hosts when users execute
ghcommands.Prior to
2.12.1,Browser.Browse()would attempt to open the provided URL using a variety of OS-specific approaches regardless of the scheme. An attacker-controlled GitHub Enterprise Server could modify API responses to use a specially tailored local executable path instead of HTTP URLs to resources. This could allow the attacker to execute arbitrary executables on the user's machine.In
2.12.1,Browser.Browse()has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs:http://,https://,vscode://,vscode-insiders://protocols are supportedfile://protocol are unsupportedURLs without protocols will be browsable if none of these other conditions apply.
As we have more information about use cases, maintainers can expand these capabilities for an improved user experience that allows configuring allowed URL schemes and/or prompt the user for an unexpected user case and confirming whether to continue.
Impact
Successful exploitation could cause users of the attacker-controlled GitHub Enterprise Server to execute arbitrary commands.
Remediation and Mitigation
go-ghto2.12.1auth.TokenForHostviolates GitHub host security boundary when sourcing authentication token within a codespaceCVE-2024-53859 / GHSA-55v3-xh23-96gh / GO-2024-3295
More information
Details
Summary
A security vulnerability has been identified in
go-ghthat could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.Details
go-ghsources authentication tokens from different environment variables depending on the host involved:GITHUB_TOKEN,GH_TOKENfor GitHub.com and ghe.comGITHUB_ENTERPRISE_TOKEN,GH_ENTERPRISE_TOKENfor GitHub Enterprise ServerPrior to
2.11.1,auth.TokenForHostcould source a token from theGITHUB_TOKENenvironment variable for a host other than GitHub.com or ghe.com when within a codespace.In
2.11.1,auth.TokenForHostwill only source a token from theGITHUB_TOKENenvironment variable for GitHub.com or ghe.com hosts.Impact
Successful exploitation could send authentication token to an unintended host.
Remediation and mitigation
go-ghto2.11.1Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Violation of GitHub host security boundary when sourcing authentication token within a codespace in github.com/cli/go-gh
CVE-2024-53859 / GHSA-55v3-xh23-96gh / GO-2024-3295
More information
Details
Violation of GitHub host security boundary when sourcing authentication token within a codespace in github.com/cli/go-gh
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server
CVE-2025-48938 / GHSA-g9f5-x53j-h563 / GO-2025-3732
More information
Details
Summary
A security vulnerability has been identified in
go-ghwhere an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.Details
The GitHub CLI and CLI extensions allow users to transition from their terminal for a variety of use cases through the
Browsercapability ingithub.com/cli/go-gh/v2/pkg/browser:-w, --webflag, GitHub CLI users can view GitHub repositories, issues, pull requests, and more using their web browsergh codespacecommand set, GitHub CLI users can transition to Visual Studio Code to work with GitHub CodespacesThis is done by using URLs provided through API responses from authenticated GitHub hosts when users execute
ghcommands.Prior to
2.12.1,Browser.Browse()would attempt to open the provided URL using a variety of OS-specific approaches regardless of the scheme. An attacker-controlled GitHub Enterprise Server could modify API responses to use a specially tailored local executable path instead of HTTP URLs to resources. This could allow the attacker to execute arbitrary executables on the user's machine.In
2.12.1,Browser.Browse()has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs:http://,https://,vscode://,vscode-insiders://protocols are supportedfile://protocol are unsupportedURLs without protocols will be browsable if none of these other conditions apply.
As we have more information about use cases, maintainers can expand these capabilities for an improved user experience that allows configuring allowed URL schemes and/or prompt the user for an unexpected user case and confirming whether to continue.
Impact
Successful exploitation could cause users of the attacker-controlled GitHub Enterprise Server to execute arbitrary commands.
Remediation and Mitigation
go-ghto2.12.1Severity
Moderate
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
GitHub CLI and extensions can execute arbitrary commands on compromised GitHub Enterprise Server in github.com/cli/go-gh
CVE-2025-48938 / GHSA-g9f5-x53j-h563 / GO-2025-3732
More information
Details
GitHub CLI and extensions can execute arbitrary commands on compromised GitHub Enterprise Server in github.com/cli/go-gh
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
cli/go-gh (github.com/cli/go-gh/v2)
v2.12.1Compare Source
Security
A security vulnerability has been identified in
go-ghwhere an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.For more information, see GHSA-g9f5-x53j-h563
Full Changelog: cli/go-gh@v2.12.0...v2.12.1
v2.12.0Compare Source
Introducing experimental support for rendering markdown with customizable, accessible colors
Users with low vision or color blindness rely upon the terminal's ability to change how colors appear, however this requires CLIs to use a limited set of colors:
The markdown rendered for GitHub CLI and extensions defaults to 8-bit colors that users cannot easily customize in this way.
Now, users can force rendered markdown to use customizable, accessible colors by doing one of the following:
Set
GH_ACCESSIBLE_COLORSenvironment variable to a truthy valueexport GH_ACCESSIBLE_COLORS=1Set
accessible_colorsconfiguration settinggh config set accessible_colors enabledExperimental.accessible.markdown.colors.mp4
Users with a custom
charmbracelet/glamourstyle will continue to have markdown rendered using it.For more information, see https://github.com/cli/go-gh/pull/186
Introducing new experimental
github.com/cli/go-gh/v2/pkg/xpackagecli/go-ghprovides capabilities used by both the GitHub CLI and CLI extensions. Some of these packages are stable, however some like the new experimental markdown support are not.The
github.com/cli/go-gh/v2/pkg/xpackage has been created to contain experimental features that are subject to change without notice.Introducing new string matcher functions for Go templates
The following string matcher functions from Masterminds/sprig have been incorporated for more robust Go template support in GitHub CLI and CLI extensions:
containshasPrefixhasSuffixregexMatchFor more information, see https://github.com/cli/cli/issues/6370 and sprig documentation
What's Changed
✨ Features
New Contributors
Full Changelog: cli/go-gh@v2.11.2...v2.12.0
v2.11.2Compare Source
What's Changed
New Contributors
Full Changelog: cli/go-gh@v2.11.1...v2.11.2
v2.11.1Compare Source
Security
A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.
For more information, see GHSA-55v3-xh23-96gh
Full Changelog: cli/go-gh@v2.11.0...v2.11.1
v2.11.0Compare Source
What's Changed
New Contributors
Full Changelog: cli/go-gh@v2.10.0...v2.11.0
v2.10.0Compare Source
What's Changed
Full Changelog: cli/go-gh@v2.9.0...v2.10.0
v2.9.0Compare Source
What's Changed
lipgloss.Widthto calculateDisplayWidthby @maaslalani in https://github.com/cli/go-gh/pull/159New Contributors
Full Changelog: cli/go-gh@v2.8.0...v2.9.0
v2.8.0Compare Source
What's Changed
Full Changelog: cli/go-gh@v2.7.0...v2.8.0
v2.7.0Compare Source
What's Changed
Full Changelog: cli/go-gh@v2.6.0...v2.7.0
v2.6.0Compare Source
What's Changed
Full Changelog: cli/go-gh@v2.5.0...v2.6.0
v2.5.0Compare Source
What's Changed
New Contributors
Full Changelog: cli/go-gh@v2.4.0...v2.5.0
v2.4.0Compare Source
What's Changed
WithThemeby @y-yagi in https://github.com/cli/go-gh/pull/134New Contributors
Full Changelog: cli/go-gh@v2.3.0...v2.4.0
v2.3.0: go-gh 2.3.0Compare Source
What's Changed
Full Changelog: cli/go-gh@v2.2.0...v2.3.0
v2.2.0: go-gh 2.2.0Compare Source
What's Changed
CacheDirfunction toconfigpackage by @ffalor in https://github.com/cli/go-gh/pull/126asciisanitizerwith validU+FFFDcharacter being reported as an error by @yin1999 in https://github.com/cli/go-gh/pull/128New Contributors
Full Changelog: cli/go-gh@v2.1.0...v2.2.0
v2.1.0: go-gh 2.1.0Compare Source
What's Changed
New Contributors
Full Changelog: cli/go-gh@v2.0.1...v2.1.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.