
Upgrade mapstructure to fix information disclosure vulnerability #140

Merged
clcollins merged 2 commits into main from fix/mapstructure-vulnerability
Apr 4, 2026

Conversation

@clcollins
Owner

@clcollins clcollins commented Apr 4, 2026

Summary

  • Upgrade github.com/go-viper/mapstructure/v2 from v2.2.1 to v2.5.0
  • Resolves Dependabot alerts for GHSA-fv92-fjc5-jj9h (medium severity)
  • Sensitive data could leak into error log messages when processing malformed input
  • This is an indirect dependency pulled in by spf13/viper

Test plan

  • golangci-lint run passes (0 issues)
  • go test ./... passes (all packages)
  • Dependabot alerts auto-close after merge

🤖 Generated with Claude Code

Upgrade github.com/go-viper/mapstructure/v2 from v2.2.1 to v2.5.0 to
resolve Dependabot alerts #5 and #6 (medium severity). Sensitive data
could leak into error log messages when processing malformed input.

Created with assistance from Claude 🤖 <claude@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christopher Collins <collins.christopher@gmail.com>
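The PR description above is a version bump on an indirect dependency, so the check a reviewer wants is whether go.mod now pins github.com/go-viper/mapstructure/v2 at or above v2.5.0. The Go program below is an added example, not code from this PR or its repository: it parses a constructed go.mod (the viper version, module path example.com/app and all function names are assumptions) and reports whether the module is still below the fixed version, handling both block and single-line require forms and pre-release suffixes.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the project's real go.mod): the pre-upgrade state the PR starts from.
const SampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/spf13/viper v1.19.0\n\tgithub.com/go-viper/mapstructure/v2 v2.2.1 // indirect\n)\n"

// Module path and first fixed version, both as given in the PR description.
const VulnModule, FixedIn = "github.com/go-viper/mapstructure/v2", "v2.5.0"

// RequiredVersion returns the version go.mod pins for module (direct or indirect, block or single-line form), or "" if absent.
func RequiredVersion(goMod, module string) string {
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		// A require entry is exactly "<path> v<semver>"; module, go, replace
		// and exclude directives never take that shape, so they are skipped.
		if len(f) == 2 && f[0] == module && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// semverKey maps a canonical vMAJOR.MINOR.PATCH[-pre] (each component < 10000)
// to one comparable integer; a pre-release such as v2.5.0-rc1 sorts below v2.5.0.
func semverKey(v string) int {
	base, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	key := 0
	for _, p := range strings.SplitN(base, ".", 3) {
		n, _ := strconv.Atoi(p)
		key = key*10000 + n
	}
	key *= 2
	if !pre {
		key++ // a release outranks any pre-release of the same number
	}
	return key
}

// Vulnerable reports whether goMod still pins VulnModule below FixedIn; an absent module is not flagged.
func Vulnerable(goMod string) bool {
	v := RequiredVersion(goMod, VulnModule)
	return v != "" && semverKey(v) < semverKey(FixedIn)
}
```

Run the same check against go.mod after the bump and it should report false; it does not validate go.sum, which is a separate integrity check.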

Copilot AI left a comment


Pull request overview

Upgrades the indirect Go dependency github.com/go-viper/mapstructure/v2 to a patched release to address an information-disclosure vulnerability flagged by Dependabot.

Changes:

  • Bump github.com/go-viper/mapstructure/v2 from v2.2.1 to v2.5.0 (indirect).
  • Update go.sum checksums accordingly.
  • Add a plan document describing the vulnerability and upgrade steps.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File                                          Description
go.mod                                        Updates the indirect mapstructure/v2 requirement to v2.5.0.
go.sum                                        Refreshes module checksums for the updated dependency version.
docs/plans/fix-mapstructure-vulnerability.md  Documents context, affected versions, and verification steps for the upgrade.


Replace ambiguous Dependabot alert #N references with GHSA identifiers
to avoid rendering as issue/PR links.

Created with assistance from Claude 🤖 <claude@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christopher Collins <collins.christopher@gmail.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.


@clcollins
Owner Author

@clcollins PR #140 has been fully qualified.

Qualification Summary:

  • Loops: 2 iteration(s) of Phases 1–4
  • New commits: 1 commit added during qualification
  • Merge: No conflicts
  • CI: All 2 checks passing (Lint Code, Run Unit Tests)
  • Copilot: 2 comments addressed in 1 round (GHSA notation fix), clean on re-review
  • CodeRabbit: N/A (not enabled)
  • Codecov: N/A (not enabled)

Intent validation: The PR still fulfills its original intent — upgrading github.com/go-viper/mapstructure/v2 from v2.2.1 to v2.5.0 to resolve the medium-severity information disclosure vulnerability. The only change during qualification was a documentation wording fix. No behavioral changes.

This PR is ready to merge.

Qualified by Claude on behalf of @clcollins

@clcollins clcollins merged commit 51881bb into main Apr 4, 2026
6 checks passed