sec(deps): update go-chi/chi to v5 by caarlos0 · Pull Request #2563 · sigstore/rekor

caarlos0 · 2025-08-05T14:27:38Z

Summary

There's a vulnerability in go-chi v4, and the only fix is to update to v5.
Seemed like a low lift, so I did it.

see https://pkg.go.dev/vuln/GO-2025-3770
see GHSA-vrw8-fxc6-2r93

Release Note

NONE

Documentation

cpanato · 2025-08-05T14:42:40Z

Please sign the dco

codecov · 2025-08-05T14:48:25Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 25.04%. Comparing base (488eb97) to head (12222a4).
⚠️ Report is 471 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2563       +/-   ##
===========================================
- Coverage   66.46%   25.04%   -41.42%     
===========================================
  Files          92      189       +97     
  Lines        9258    24424    +15166     
===========================================
- Hits         6153     6117       -36     
- Misses       2359    17544    +15185     
- Partials      746      763       +17

Flag	Coverage Δ
e2etests	`46.88% <ø> (-0.68%)`	⬇️
unittests	`16.23% <ø> (-31.46%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

see GO-2025-3770 see GHSA-vrw8-fxc6-2r93 Signed-off-by: Carlos Alexandro Becker <[email protected]>

caarlos0 · 2025-08-05T19:51:11Z

@cpanato done!

caarlos0 · 2025-08-06T12:21:51Z

thanks @cpanato!

is there a timeline on the next release?

bobcallaway · 2025-08-06T12:24:32Z

thanks @cpanato!

is there a timeline on the next release?

I looked at the CVE and while yes, we imported the package referenced, we do not use the code path that contains the vulnerability. I'm not sure there is a huge rush to push out a new release here, unless I'm missing something?

cpanato · 2025-08-06T12:41:49Z

cc @haydentherapper

caarlos0 · 2025-08-06T12:49:25Z

@bobcallaway my understanding it's that not a rush either. Only downside is scanners marking it as possibly vulnerable (e.g. rekor is imported by cosign, which is imported by goreleaser, which is how I got here 😂)

bobcallaway · 2025-08-06T14:43:55Z

@caarlos0 that makes sense (and thanks for goreleaser - we love it!) we have a couple other changes we'd like to get in soon and should cut another release in the next couple weeks.

caarlos0 · 2025-08-07T04:03:41Z

cool, I'll keep an eye out for it.

thanks for cosign & co, I love it :)

GoReleaser itself is not affected by this, but govulncheck keeps complaining. I upgrade go-chi in rekor in sigstore/rekor#2563, but they haven't released it yet. This updates to rekor@main. Signed-off-by: Carlos Alexandro Becker <[email protected]>

caarlos0 requested review from a team as code owners August 5, 2025 14:27

sec(deps): update go-chi/chi to v5

12222a4

see GO-2025-3770 see GHSA-vrw8-fxc6-2r93 Signed-off-by: Carlos Alexandro Becker <[email protected]>

caarlos0 force-pushed the chiv5 branch from df314e4 to 12222a4 Compare August 5, 2025 17:41

cpanato approved these changes Aug 6, 2025

View reviewed changes

cpanato merged commit 0b80f3f into sigstore:main Aug 6, 2025
16 checks passed

caarlos0 deleted the chiv5 branch August 6, 2025 12:23

caarlos0 mentioned this pull request Aug 15, 2025

sec: update rekor to main for GHSA-vrw8-fxc6-2r93 goreleaser/goreleaser#5990

Merged

BrewTestBot mentioned this pull request Aug 29, 2025

rekor-cli 1.4.1 Homebrew/homebrew-core#235508

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sec(deps): update go-chi/chi to v5#2563

sec(deps): update go-chi/chi to v5#2563
cpanato merged 1 commit intosigstore:mainfrom
caarlos0:chiv5

caarlos0 commented Aug 5, 2025 •

edited

Loading

Uh oh!

cpanato commented Aug 5, 2025

Uh oh!

codecov bot commented Aug 5, 2025 •

edited

Loading

Uh oh!

caarlos0 commented Aug 5, 2025

Uh oh!

Uh oh!

caarlos0 commented Aug 6, 2025

Uh oh!

bobcallaway commented Aug 6, 2025

Uh oh!

cpanato commented Aug 6, 2025

Uh oh!

caarlos0 commented Aug 6, 2025

Uh oh!

bobcallaway commented Aug 6, 2025

Uh oh!

caarlos0 commented Aug 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

caarlos0 commented Aug 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Release Note

Documentation

Uh oh!

cpanato commented Aug 5, 2025

Uh oh!

codecov bot commented Aug 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

caarlos0 commented Aug 5, 2025

Uh oh!

Uh oh!

caarlos0 commented Aug 6, 2025

Uh oh!

bobcallaway commented Aug 6, 2025

Uh oh!

cpanato commented Aug 6, 2025

Uh oh!

caarlos0 commented Aug 6, 2025

Uh oh!

bobcallaway commented Aug 6, 2025

Uh oh!

caarlos0 commented Aug 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

caarlos0 commented Aug 5, 2025 •

edited

Loading

codecov bot commented Aug 5, 2025 •

edited

Loading