
fix(deps): update module github.com/in-toto/in-toto-golang to v0.11.0 [security] (alauda-v2.5.3)#41

Open
alaudaa-renovate[bot] wants to merge 1 commit into alauda-v2.5.3 from renovate/alauda-v2.5.3-go-github.com-in-toto-in-toto-golang-vulnerability

Conversation

@alaudaa-renovate


This PR contains the following updates:

Package                             Change              Age   Confidence
github.com/in-toto/in-toto-golang   v0.9.0 -> v0.11.0   age   confidence

in-toto-golang and in-toto-python have inconsistent negation behavior

GHSA-pmwq-pjrm-6p5r

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Severity

  • CVSS Score: 4.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

in-toto/in-toto-golang (github.com/in-toto/in-toto-golang)

v0.11.0

Compare Source

What's Changed

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

v0.10.0

Compare Source

What's Changed

New Contributors

Full Changelog: in-toto/in-toto-golang@v0.9.0...v0.10.0


Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
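The advisory quoted in the PR description above turns on one detail of glob syntax: Go's path.Match negates a character class with a leading `^` and treats `!` inside a class as an ordinary character, while Python's fnmatch module (the convention the advisory attributes to in-toto-python) negates with `!` and treats a leading `^` as a literal. The program below is an editor's example added to this page, not code from in-toto-golang, in-toto-python or the fix in in-toto-golang PR #462. It runs the same constructed artifact-rule globs (`config/[!.]*` and `config/[^.]*`, meant to cover every file under config/ except dotfiles) through both conventions and shows that each rule flips meaning between them. The `translateFnmatch` shim, the `negationStyle` lint helper and the sample artifact names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// goStyleMatch applies Go's native glob semantics, i.e. what a matcher built
// directly on path.Match sees: '^' negates a character class and '!' inside
// a class is an ordinary character.
func goStyleMatch(pattern, name string) (bool, error) {
	return path.Match(pattern, name)
}

// translateFnmatch rewrites the character-class negation of a pattern from
// the convention of Python's fnmatch module into Go's path.Match convention:
// "[!...]" becomes "[^...]", and a class whose first member is '^' or '['
// gets that character escaped so it is matched literally, which is what
// fnmatch.translate does. This is an illustrative shim written for this
// example (an assumption, not the change made in in-toto-golang PR #462), and
// it does not cover other fnmatch differences such as backslash handling,
// ']' as the first member of a class, or '*' matching across '/'.
func translateFnmatch(pattern string) string {
	var b strings.Builder
	i := 0
	for i < len(pattern) {
		c := pattern[i]
		if c != '[' {
			b.WriteByte(c)
			i++
			continue
		}
		// Locate the closing ']' the way fnmatch.translate does: a '!'
		// directly after '[' and a ']' directly after that belong to the class.
		j := i + 1
		if j < len(pattern) && pattern[j] == '!' {
			j++
		}
		if j < len(pattern) && pattern[j] == ']' {
			j++
		}
		for j < len(pattern) && pattern[j] != ']' {
			j++
		}
		if j >= len(pattern) {
			// Unterminated class: fnmatch treats the '[' as a literal.
			b.WriteString(`\[`)
			i++
			continue
		}
		stuff := pattern[i+1 : j]
		switch stuff[0] {
		case '!':
			stuff = "^" + stuff[1:]
		case '^', '[':
			stuff = `\` + stuff
		}
		b.WriteString("[" + stuff + "]")
		i = j + 1
	}
	return b.String()
}

// fnmatchStyleMatch matches name against pattern under fnmatch's negation
// convention, the one the advisory says in-toto-python expects.
func fnmatchStyleMatch(pattern, name string) (bool, error) {
	return path.Match(translateFnmatch(pattern), name)
}

// negationStyle reports which negation convention a pattern relies on, so the
// artifact rules of a layout can be scanned for globs whose meaning depends on
// the implementation that verifies them. Returns "none", "python", "go" or "mixed".
func negationStyle(pattern string) string {
	py := strings.Contains(pattern, "[!")
	gostyle := strings.Contains(pattern, "[^")
	switch {
	case py && gostyle:
		return "mixed"
	case py:
		return "python"
	case gostyle:
		return "go"
	}
	return "none"
}

func main() {
	// Constructed sample: one artifact rule written once per convention, and
	// two constructed artifact names, one of them a dotfile.
	patterns := []string{"config/[!.]*", "config/[^.]*"}
	artifacts := []string{"config/app.yaml", "config/.env"}
	for _, p := range patterns {
		fmt.Printf("pattern %-16s style=%s\n", p, negationStyle(p))
		for _, a := range artifacts {
			g, _ := goStyleMatch(p, a)
			f, _ := fnmatchStyleMatch(p, a)
			fmt.Printf("  %-18s go=%-5v fnmatch=%-5v\n", a, g, f)
		}
	}
}
```

Run as written, the table shows `config/[!.]*` matching only `config/.env` under Go semantics and only `config/app.yaml` under fnmatch semantics, with `config/[^.]*` giving the mirror image. A DISALLOW rule that one implementation applies to dotfiles is therefore silently a no-op in the other, which is why the advisory recommends one implementation end to end; scanning a layout's rules with something like `negationStyle` before a cross-implementation handoff surfaces the patterns that need a second look.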

@alaudabot alaudabot left a comment



Review Summary

This PR updates the github.com/in-toto/in-toto-golang dependency from v0.9.0 to v0.11.0 to address security vulnerability GHSA-pmwq-pjrm-6p5r (inconsistent negation behavior in character classes).

Verdict: ✅ Approved

  • No critical issues found
  • This is a straightforward dependency security update
  • Changes are limited to go.mod and go.sum (3 lines added, 3 lines deleted)
  • No breaking changes identified in the upstream changelog

The PR is ready to merge.

@alaudabot


🤖 AI Code Review

Model: opencode/minimax-m2.5-free
Style: strict
Issues Found: 0
Config Source: centralized
Profile: ❌ Not Found
Personalized Prompt: ❌ No
Prompt Path: .github/review/profiles/alaudadevops/cosign/pr-review.md
Alauda Skills: ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-claudetask-submit, builders-component-knowledge, builders-confluence, builders-dev-mesh-qa, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-refresh-results-tag, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at: 2026-05-13 02:45:55 UTC

Summary

This PR updates the github.com/in-toto/in-toto-golang dependency from v0.9.0 to v0.11.0 to address a security vulnerability (GHSA-pmwq-pjrm-6p5r). The vulnerability involves inconsistent negation behavior in character classes between in-toto-golang and in-toto-python. This is a straightforward dependency version bump with no code changes in the repository.

Review Statistics

Critical Issues: 0
Warnings: 0
Suggestions: 0
Files Reviewed: 2

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None - this is a dependency security update with no code changes in this repository.

Warnings

Issues that SHOULD be addressed but are not blocking

None.

Suggestions

Recommendations for improvement (nice to have)

None - this is a dependency-only change (go.mod/go.sum updates) with no application code to review.

Positive Feedback

  • Good security practice: Addressing known vulnerability GHSA-pmwq-pjrm-6p5r promptly
  • Clean, minimal change: Only 3 lines added and 3 lines deleted across 2 files
  • Proper dependency management: Using go modules with versioned dependencies


ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: a5ba7c9bfeb72d3920971664d476ed377fcc5b94
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-claudetask-submit, builders-component-knowledge, builders-confluence, builders-dev-mesh-qa, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-refresh-results-tag, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade

@alaudabot


🚨 Stale Pull Request Warning

This pull request has been inactive for 33 days.

Automated Actions Schedule:

  • ⚠️ Warning: After 30 days (now)
  • 🔒 Auto-close: After 60 days
  • 🗑️ Branch deletion: After 90 days (if not protected)

To keep this PR active:

  • Add new commits
  • Reply to this comment
  • Request reviews

Protected branches (won't be deleted): main,release-*,alauda-*

This is an automated message. Reply to this comment to reset the inactivity timer.


2 participants