Skip to content

Fix Dependabot security alerts: upgrade excelize, sigstore-go, markdown-it, linkify-it#9695

Open
himadrisingh wants to merge 2 commits into
mainfrom
himadri/dependabot-security-upgrades
Open

Fix Dependabot security alerts: upgrade excelize, sigstore-go, markdown-it, linkify-it#9695
himadrisingh wants to merge 2 commits into
mainfrom
himadri/dependabot-security-upgrades

Conversation

@himadrisingh

Copy link
Copy Markdown
Contributor

Resolve four open Dependabot security alerts by upgrading to patched versions.

  • github.com/xuri/excelize/v2 2.7.1 → 2.11.0 — CVE-2026-54063 (high: worksheet parser OOM/panic DoS)
  • github.com/sigstore/sigstore-go 1.1.4 → 1.2.0 — CVE-2026-49834 (medium: multi-log threshold bypass); indirect, test-only path, but bumping it cascaded compatible minor bumps of grpc, otel, and several go-openapi modules
  • markdown-it → 14.3.0 via root overridesCVE-2026-48988 (medium: smartquotes quadratic-complexity ReDoS)
  • linkify-it → 5.0.2 via root overridesCVE-2026-48801 (high: match scan-loop quadratic-complexity ReDoS)

Verified with go build ./... and go vet ./runtime/pkg/driverutil/; npm tree resolves to the patched versions with no remaining override conflicts.

Checklist:

  • Covered by tests
  • Ran it and it works as intended
  • Reviewed the diff before requesting a review
  • Checked for unhandled edge cases
  • Linked the issues it closes
  • Checked if the docs need to be updated. If so, create a separate Linear DOCS issue
  • Intend to cherry-pick into the release branch
  • I'm proud of this work!

Developed in collaboration with Claude Code

…wn-it, linkify-it

- github.com/xuri/excelize/v2 v2.7.1 -> v2.11.0 (CVE-2026-54063, high: worksheet parser OOM/panic DoS)
- github.com/sigstore/sigstore-go v1.1.4 -> v1.2.0 (CVE-2026-49834, medium: multi-log threshold bypass)
- markdown-it -> 14.3.0 via override (CVE-2026-48988, medium: smartquotes quadratic-complexity ReDoS)
- linkify-it -> 5.0.2 via override (CVE-2026-48801, high: match scan-loop quadratic-complexity ReDoS)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant