Skip to content

fix(ci): unblock PR queue — suppress gosu CVE-2026-27145 + pydantic-settings 2.14.2#249

Merged
gerfru merged 2 commits into
mainfrom
fix/trivy-gosu-cve-2026-27145
Jul 9, 2026
Merged

fix(ci): unblock PR queue — suppress gosu CVE-2026-27145 + pydantic-settings 2.14.2#249
gerfru merged 2 commits into
mainfrom
fix/trivy-gosu-cve-2026-27145

Conversation

@gerfru

@gerfru gerfru commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Problem

The required CI OK (All Green Gate) is red on the whole open dependency-PR queue, and — because branch protection is strict (require up-to-date) with admin enforcement — no single existing PR can pass the gate alone, since main currently fails two independent checks:

  1. Trivy (backup image): usr/local/bin/gosuCVE-2026-27145 (HIGH, Go stdlib crypto/x509 DoS). Same accepted-risk class as the 15 gosu CVEs already in backup/.trivyignore — unused binary from upstream postgres:16-alpine, fix needs a newer Go toolchain only upstream controls.
  2. Security (pip-audit): pydantic-settings 2.14.1GHSA-4xgf-cpjx-pc3j, fixed in 2.14.2.

Change

This PR fixes both so the gate can go green and the queue unblocks:

Supersedes

Effect

Once merged, main passes both checks; the remaining Renovate/Dependabot PRs (#237, #239, #240, #241, #242, #246, #247, #248) rebase to green.

🤖 Generated with Claude Code

gerfru and others added 2 commits July 9, 2026 10:21
New Go stdlib CVE (crypto/x509 DoS, HIGH) in the pre-compiled gosu binary
shipped by upstream postgres:16-alpine — same accepted-risk class as the
15 CVEs already listed. gosu is unused (backup runs as postgres user),
and the fix requires a newer Go toolchain only the upstream maintainers
control. This unblocks the "CI OK" gate across the open dependency PRs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gerfru gerfru changed the title fix(ci): suppress gosu CVE-2026-27145 in backup Trivy scan fix(ci): unblock PR queue — suppress gosu CVE-2026-27145 + pydantic-settings 2.14.2 Jul 9, 2026
@gerfru gerfru merged commit dea2a1b into main Jul 9, 2026
13 checks passed
@gerfru gerfru deleted the fix/trivy-gosu-cve-2026-27145 branch July 9, 2026 08:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant