Skip to content

chore(deps): bump github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.7.1#294

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/oapi-codegen/oapi-codegen/v2-2.7.1
Open

chore(deps): bump github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.7.1#294
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/oapi-codegen/oapi-codegen/v2-2.7.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.7.1.

Release notes

Sourced from github.com/oapi-codegen/oapi-codegen/v2's releases.

Security fix for Go code injection

This is a security fix for a code injection vulnerability in v2.7.0, please see:

GHSA-rjwr-m7qx-3fjr

[!NOTE] A vulnerability like this requires that it is missed in code review and that you then call the malicious method.

Using an init() function could be enough to not require a direct call to the code, and instead rely on you importing the package, but either way, code review should be performed before any oapi-codegen generated code is executed.

We strongly recommend all users to be reviewing changes to their generated code before they execute anything within it, to protect against supply chain attacks or malicious injected code.

This is also why we recommend oapi-codegen generated code is committed to source control.

We're more strict about escaping strings passed into the OpenAPI specification, so that people can't inject Go code into generated code.

The problem was that it was possible to craft a description for server URL's which would emit arbitrary Go code, so if an attacker controlled your specification, they could inject Go code into your generated code which could do something malicious.

v2.7.0: Squashing bugs, many bugs (and adding some features)

Many improvements and even more bug fixes

This v2.7.0 release of oapi-codegen contains quite a bit of internal refactoring, focused on our most historically fragile code paths, which relate to the aggregate types (allOf/anyOf/oneOf), $ref to external specs, enums, and the spec traversal logic missing quite a few leaf nodes where models should have been generated, but were skipped.

The biggest changes are explicitly described in the sections below, and the full list of commits is at the bottom.

Thank you to all contributors, we've been going through all past PR's and updating them and merging where we can, and thanks to all our users for reporting issues that you hit.

I've (@​mromaszewicz) used a lot of LLM help here to scrub through old issues and do some deep internal refactoring to address common problem areas. I intend to continue doing this, since the conditional generation logic is getting quite complicated. When I originally released oapi-codegen, the use case was much simpler, all the models were under #/components/schemas, and all the references to them were in the requests, responses, etc. I never imagine how many things would be external references or unions, and how many complex OpenAPI specifications people would be generating code for. The initial design was never flexible enough to handle that, so ongoing bug fixes are getting increasingly complex due to edge cases. This version has a lot of internal changes you won't see as a user, but the way we handle type generation internally is unifying lots of copy/paste re-implementations into reusable code for consistency. Most of these changes can be done transparently, but some can't, so, onto the changes:

Code generation changes which might require some changes on your end

This release contains three changes, all very narrow in scope, which will require some manual adjustment of your own code. We've decided that these are small enough and uncommon enough not to require opt-in, which causes internal complexity. It's always a judgment call with these. If we got it wrong, we're happy to revisit it in a maintenance release.

Strict-server external response refs require strict-server generation in both packages (#2357)

If your strict-server spec uses an external $ref to a components/responses/... defined in another spec, that other spec must also be generated with strict-server: true. Add it to the source spec's config and regenerate:

# config for the spec being $ref'd
generate:
  models: true
  strict-server: true   # now required when imported by a strict-server spec

This restores the v2.0.0 behavior that lets you cast response models across package boundaries — the standard pattern for sharing error models (e.g. a common 400) across services. PR #1387 had silently changed the embedded type from N400JSONResponse to the bare externalRef0.N400, so the local and external response structs no longer had matching types and casts stopped compiling.

Many more anonymous inner schemas are now hoisted into top level schemas

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/oapi-codegen/oapi-codegen/v2](https://github.com/oapi-codegen/oapi-codegen) from 2.5.0 to 2.7.1.
- [Release notes](https://github.com/oapi-codegen/oapi-codegen/releases)
- [Commits](oapi-codegen/oapi-codegen@v2.5.0...v2.7.1)

---
updated-dependencies:
- dependency-name: github.com/oapi-codegen/oapi-codegen/v2
  dependency-version: 2.7.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 17, 2026
@github-actions

Copy link
Copy Markdown

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 4 0 0 0.09s
✅ API spectral 2 0 0 3.27s
✅ COPYPASTE jscpd yes no no 2.09s
✅ DOCKERFILE hadolint 1 0 0 0.16s
✅ GO golangci-lint yes yes no no 58.46s
✅ GO revive yes no no 1.57s
✅ MARKDOWN markdownlint 2 0 0 0 0.66s
✅ MARKDOWN markdown-table-formatter 2 0 0 0 0.28s
✅ REPOSITORY checkov yes no no 42.16s
✅ REPOSITORY gitleaks yes no no 0.41s
✅ REPOSITORY git_diff yes no no 0.01s
⚠️ REPOSITORY grype yes 26 no 84.68s
✅ REPOSITORY secretlint yes no no 0.74s
✅ REPOSITORY syft yes no no 3.74s
❌ REPOSITORY trivy yes 1 no 25.45s
✅ REPOSITORY trivy-sbom yes no no 3.13s
✅ REPOSITORY trufflehog yes no no 5.0s
✅ SPELL lychee 14 0 0 0.1s
✅ YAML prettier 12 0 0 0 0.83s
✅ YAML v8r 12 0 0 14.02s
✅ YAML yamllint 12 0 0 0.74s

Detailed Issues

❌ REPOSITORY / trivy - 1 error
-------------------------->________________] 65.40% 57.57 MiB p/s ETA 0s91.02 MiB / 100.47 MiB [------------------------------------------>____] 90.59% 57.57 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 60.32 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 60.32 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 60.32 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 56.42 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 56.42 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 56.42 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 52.78 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 52.78 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 52.78 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 49.38 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 49.38 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 49.38 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 46.19 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 46.19 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 46.19 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 43.21 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 43.21 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 43.21 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 40.43 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 40.43 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 40.43 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 37.82 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 37.82 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 37.82 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 35.38 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 35.38 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 35.38 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 33.09 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 33.09 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 33.09 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 30.96 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 30.96 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 30.96 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 28.96 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 28.96 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 28.96 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 27.09 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 27.09 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 27.09 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 25.35 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 25.35 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 25.35 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 23.71 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 23.71 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 23.71 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 22.18 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 22.18 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 22.18 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 20.75 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 20.75 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 20.75 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 19.41 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 19.41 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 19.41 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 18.16 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 18.16 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 18.16 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------->] 100.00% 16.99 MiB p/s ETA 0s100.47 MiB / 100.47 MiB [-------------------------------------------------] 100.00% 7.92 MiB p/s 13s2026-07-17T18:54:52Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-07-17T18:54:52Z	INFO	[vuln] Vulnerability scanning is enabled
2026-07-17T18:54:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-07-17T18:54:52Z	INFO	[checks-client] Need to update the checks bundle
2026-07-17T18:54:52Z	INFO	[checks-client] Downloading the checks bundle...
234.65 KiB / 234.65 KiB [--------------------------------------------------------->] 100.00% ? p/s ?234.65 KiB / 234.65 KiB [-----------------------------------------------] 100.00% 3.21 MiB p/s 300ms2026-07-17T18:55:02Z	INFO	Number of language-specific files	num=1
2026-07-17T18:55:02Z	INFO	[gomod] Detecting vulnerabilities...
2026-07-17T18:55:02Z	INFO	Detected config files	num=2
2026-07-17T18:55:02Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.

Report Summary

┌──────────────────┬────────────┬─────────────────┬───────────────────┐
│      Target      │    Type    │ Vulnerabilities │ Misconfigurations │
├──────────────────┼────────────┼─────────────────┼───────────────────┤
│ go.mod           │   gomod    │       16        │         -         │
├──────────────────┼────────────┼─────────────────┼───────────────────┤
│ Dockerfile       │ dockerfile │        -        │         0         │
├──────────────────┼────────────┼─────────────────┼───────────────────┤
│ Dockerfile.local │ dockerfile │        -        │         0         │
└──────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


go.mod (gomod)
==============
Total: 16 (UNKNOWN: 3, LOW: 0, MEDIUM: 4, HIGH: 9, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2026-39828 │ HIGH     │ fixed    │ v0.51.0           │ 0.52.0        │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh:            │
│                     │                │          │          │                   │               │ Unauthorized command execution via discarded SSH permissions │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39828                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39829 │          │          │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │          │                   │               │ Service via crafted public key with excessive parameters...  │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39829                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39830 │          │          │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │          │                   │               │ Service via resource leak from unsolicited SSH responses...  │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39830                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39831 │          │          │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security   │
│                     │                │          │          │                   │               │ key bypass due to missing user presence check                │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39831                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39832 │          │          │                   │               │ golang.org/x/crypto/ssh/agent:                               │
│                     │                │          │          │                   │               │ golang.org/x/crypto/ssh/agent: Security bypass due to        │
│                     │                │          │          │                   │               │ improper handling of key restrictions                        │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39832                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39835 │          │          │                   │               │ golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh:    │
│                     │                │          │          │                   │               │ Denial of Service via crafted SSH certificate                │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39835                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-42508 │          │          │                   │               │ golang.org/x/crypto/ssh/knownhosts: golang:                  │
│                     │                │          │          │                   │               │ golang.org/x/crypto/ssh/knownhosts: Revocation bypass via    │
│                     │                │          │          │                   │               │ unchecked SignatureKey                                       │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42508                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46595 │          │          │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh:            │
│                     │                │          │          │                   │               │ Authorization bypass due to skipped source-address           │
│                     │                │          │          │                   │               │ validation                                                   │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46595                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46597 │          │          │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │          │                   │               │ Service via crafted AES-GCM packet decoder inputs            │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46597                   │
│                     ├────────────────┼──────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39827 │ MEDIUM   │          │                   │               │ golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh:    │
│                     │                │          │          │                   │               │ Denial of Service via repeated rejected channel openings     │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39827                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39833 │          │          │                   │               │ golang.org/x/crypto/ssh/agent:                               │
│                     │                │          │          │                   │               │ golang.org/x/crypto/ssh/agent: Security bypass due to        │
│                     │                │          │          │                   │               │ unenforced key confirmation                                  │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39833                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39834 │          │          │                   │               │ golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh:    │
│                     │                │          │          │                   │               │ Denial of Service due to integer overflow in SSH...          │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39834                   │
│                     ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46598 │          │          │                   │               │ golang.org/x/crypto/ssh/agent: golang:                       │
│                     │                │          │          │                   │               │ golang.org/x/crypto/ssh/agent: Denial of Service via         │
│                     │                │          │          │                   │               │ malformed input                                              │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46598                   │
│                     ├────────────────┼──────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                     │ GO-2026-5932   │ UNKNOWN  │ affected │                   │               │ The golang.org/x/crypto/openpgp package is unmaintained,     │
│                     │                │          │          │                   │               │ unsafe by design, and has known security...                  │
├─────────────────────┼────────────────┤          ├──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2026-46600 │          │ fixed    │ v0.55.0           │ 0.56.0        │ Parsing an invalid SVCB or HTTPS RR can panic in             │
│                     │                │          │          │                   │               │ golang.org/x/net/dns/dnsmessage                              │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46600                   │
├─────────────────────┼────────────────┤          │          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text   │ CVE-2026-56852 │          │          │ v0.37.0           │ 0.39.0        │ Infinite loop on invalid input in golang.org/x/text          │
│                     │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-56852                   │
└─────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.72.0 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

(Truncated to last 20000 characters out of 20647)
⚠️ REPOSITORY / grype - 26 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME                 INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS         RISK  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-vgwf-h737-ff37  Critical  0.5% (41st)  0.5   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-f5wc-c3c7-36mc  Critical  0.5% (40th)  0.5   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-5cgq-3rg8-m6cv  Critical  0.5% (38th)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5006         High      0.5% (40th)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-rm3j-f69w-wqmq  Critical  0.5% (37th)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5020         Critical  0.5% (37th)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-x527-x647-q7gg  Critical  0.4% (35th)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5017         High      0.5% (41st)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5021         High      0.5% (38th)  0.4   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-89gr-r52h-f8rx  Critical  0.4% (29th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5019         Critical  0.4% (29th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-jppx-rxg9-jmrx  Critical  0.4% (28th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5005         Critical  0.4% (28th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5023         High      0.4% (35th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-w879-237q-wc7r  High      0.4% (33rd)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5018         High      0.4% (33rd)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5015         High      0.4% (31st)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-q4h4-gmj2-qvw2  High      0.4% (28th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5013         High      0.4% (28th)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5014         High      0.3% (23rd)  0.3   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-78mq-xcr3-xm33  Medium    0.4% (31st)  0.2   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-45gg-vh54-h5m9  Medium    0.3% (23rd)  0.2   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-9m57-25v3-79x9  Medium    0.3% (23rd)  0.2   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5033         Medium    0.3% (23rd)  0.2   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GHSA-qpw4-5x99-6vjp  Medium    0.2% (9th)   0.1   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5016         Medium    0.2% (9th)   0.1   
golang.org/x/crypto  v0.51.0              go-module  GO-2026-5932         Unknown   N/A          N/A
[0084] ERROR discovered vulnerabilities at or above the severity threshold

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,API_SPECTRAL,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant