Fix CVEs: upgrade go-gh v2 and cli/cli v2 #112

Merged: octosteve merged 2 commits into main from octosteve/update-cli-dep-to-v2 on Jan 9, 2026

Conversation

@octosteve (Collaborator)

Updates vulnerable CLI dependencies and keeps the project building:

- Upgrade github.com/cli/go-gh to v2.11.1 (CVE-2024-53859) and migrate imports/API usage to go-gh/v2
- Upgrade github.com/cli/cli/v2 to v2.63.1 (covers CVE-2024-54132 and CVE-2024-52308; also above the fixed boundary for CVE-2024-53858)
- Minor URL helper tweak to satisfy go vet after dependency upgrades

Validation: go test ./...

@octosteve octosteve requested a review from a team as a code owner January 9, 2026 20:55
Copilot AI review requested due to automatic review settings January 9, 2026 20:55

Copilot AI left a comment


Pull request overview

This PR upgrades vulnerable CLI dependencies to address multiple CVEs, updating both go-gh (v1.2.1 → v2.11.1) and cli/cli (v2.24.3 → v2.63.1). The changes include migrating import paths to the v2 module, updating API usage to accommodate breaking changes (RESTClient now returns a pointer type), and fixing URL formatting issues revealed by stricter compiler checks.

Key changes:

  • Dependency upgrades to fix CVE-2024-53859, CVE-2024-54132, CVE-2024-52308, and CVE-2024-53858
  • Migration of all imports from github.com/cli/go-gh to github.com/cli/go-gh/v2
  • API changes: gh.RESTClient(nil) → api.DefaultRESTClient(), returning *api.RESTClient
  • URL helper fixes in classroom.go to use proper string formatting

Reviewed changes

Copilot reviewed 16 out of 17 changed files in this pull request and generated no comments.

Summary per file:

File                          Description
go.mod                        Updated dependency versions and Go version requirements
go.sum                        Updated checksums for new dependency versions
pkg/classroom/http.go         Changed RESTClient parameter types from value to pointer
pkg/classroom/http_test.go    Updated to use api.DefaultRESTClient()
pkg/classroom/classroom.go    Fixed URL formatting to eliminate unnecessary fmt.Sprintf calls
cmd/gh-classroom/*/*.go       Updated imports and client initialization across all command files
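As an added illustration of the check a reviewer would want behind this kind of upgrade (this is not code from the gh-classroom project or from this PR), the Go program below parses a go.mod and flags the two conditions the PR removes: the retired github.com/cli/go-gh v1 import path, and github.com/cli/cli/v2 or github.com/cli/go-gh/v2 pinned below the versions the PR lands on (v2.63.1 and v2.11.1). The two embedded go.mod texts, the unrelated example module, and all function and type names are constructed for this example; only the module paths, version numbers and CVE identifier come from the PR.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Finding is one policy violation detected in a go.mod.
type Finding struct {
	Module  string
	Version string
	Reason  string
}

// minFixed is the lowest acceptable version per module, taken from the
// versions this PR upgrades to. It is a floor, not a claim about which
// exact release first fixed each CVE.
var minFixed = map[string]string{
	"github.com/cli/go-gh/v2": "v2.11.1",
	"github.com/cli/cli/v2":   "v2.63.1",
}

// retiredPaths are module paths the PR migrates away from entirely; any
// occurrence is reported regardless of version.
var retiredPaths = map[string]string{
	"github.com/cli/go-gh": "v1 import path superseded by github.com/cli/go-gh/v2 (CVE-2024-53859 is fixed in the v2 line)",
}

// parseRequires returns module -> version for every require directive,
// handling both the block form and the single-line form and ignoring
// trailing comments such as "// indirect".
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) == 3:
			out[fields[1]] = fields[2]
		case inBlock && len(fields) == 2:
			out[fields[0]] = fields[1]
		}
	}
	return out
}

// splitVersion turns "v2.11.1-rc1+meta" into ([2 11 1], "rc1").
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects precedence
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p) // non-numeric parts compare as 0
	}
	return nums, pre
}

// compareVersions orders two semver strings numerically (not lexically),
// returning -1, 0 or 1. A pre-release sorts below its bare release.
func compareVersions(a, b string) int {
	na, preA := splitVersion(a)
	nb, preB := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	switch {
	case preA == preB:
		return 0
	case preA == "":
		return 1
	case preB == "":
		return -1
	}
	return strings.Compare(preA, preB)
}

// checkGoMod applies both rules and returns findings sorted by module path.
func checkGoMod(gomod string) []Finding {
	var findings []Finding
	for mod, ver := range parseRequires(gomod) {
		if reason, ok := retiredPaths[mod]; ok {
			findings = append(findings, Finding{mod, ver, reason})
			continue
		}
		if floor, ok := minFixed[mod]; ok && compareVersions(ver, floor) < 0 {
			findings = append(findings, Finding{mod, ver, "below minimum fixed version " + floor})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Module < findings[j].Module })
	return findings
}

// Constructed go.mod excerpts: the pre-upgrade state (versions as stated in
// the review overview) and the post-upgrade state. The "example/unrelated"
// line is a placeholder to show untracked modules are ignored.
const goModBefore = `module example.com/placeholder-module

require (
	github.com/cli/cli/v2 v2.24.3
	github.com/cli/go-gh v1.2.1 // indirect
	github.com/example/unrelated v0.3.0
)
`

const goModAfter = `module example.com/placeholder-module

require (
	github.com/cli/cli/v2 v2.63.1
	github.com/cli/go-gh/v2 v2.11.1
	github.com/example/unrelated v0.3.0
)
`

func main() {
	for name, text := range map[string]string{"before": goModBefore, "after": goModAfter} {
		fmt.Printf("%s: %d finding(s)\n", name, len(checkGoMod(text)))
		for _, f := range checkGoMod(text) {
			fmt.Printf("  %s %s: %s\n", f.Module, f.Version, f.Reason)
		}
	}
}
```

The numeric comparison matters: a lexical comparison would rank v2.9.0 above v2.63.1 and silently pass a still-vulnerable pin, and treating the v1 path as "just an old version" would miss that the fix here required a module path migration, not only a version bump.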

@smashwilson (Contributor) left a comment

All the changes look fairly rote to me 👍🏻 . As long as the tests are green this should do it.

@octosteve (Collaborator, Author)

@smashwilson Also did some manual testing to be sure, but it was pretty straightforward.

@octosteve octosteve merged commit 8deaaaa into main Jan 9, 2026
16 checks passed