🤖 Generated by the Daily AI Assistant
Problem
Dependabot flags 2 open HIGH alerts (#163 root go.mod, #164 desktop/go.mod) for GHSA-fxhp-mv3v-67qp (CVSS 7.1, published 2026-07-01): oras.land/oras-go/v2 <= 2.6.1 tar extraction. A hardlink entry with a relative Linkname can escape the extraction dir: content/file/utils.go ensureLinkPath checks that the linkname joined onto the extraction dir stays inside it, but returns the unresolved linkname, so when that relative path is handed to the OS it is resolved against the process CWD rather than the extraction dir.
No patched release exists yet (first_patched_version: null), so Dependabot cannot open a bump PR.
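To make the mechanism in the alert concrete, here is an added example (not oras-go's code, and not part of this issue as filed): a hypothetical linkTargetBuggy that validates the joined path but returns the raw linkname, beside a linkTargetFixed that returns the validated path, both run over a constructed tar containing one hardlink entry. The function names, the extraction root /tmp/extract and the working directory / are assumptions; effectiveTarget models how os.Link would treat a relative target instead of actually creating links.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a link target would land outside the extraction root.
var ErrEscape = errors.New("link target escapes extraction root")

// insideRoot reports whether the cleaned path p lies inside root (or is root itself).
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// linkTargetBuggy reproduces the pattern the advisory describes (hypothetical
// reconstruction, not oras-go's code): it validates root+linkname but returns
// the raw linkname. If the caller hands that to os.Link, a relative linkname is
// resolved against the process CWD, not against root.
func linkTargetBuggy(root, linkname string) (string, error) {
	joined := filepath.Join(root, linkname)
	if !insideRoot(root, joined) {
		return "", ErrEscape
	}
	return linkname, nil // BUG: validated the joined path, returned the unresolved one
}

// linkTargetFixed validates and returns the same root-anchored path.
func linkTargetFixed(root, linkname string) (string, error) {
	joined := filepath.Join(root, linkname)
	if !insideRoot(root, joined) {
		return "", ErrEscape
	}
	return joined, nil
}

// effectiveTarget is where os.Link would actually look for target: absolute
// paths are used as-is, relative ones are resolved against cwd.
func effectiveTarget(cwd, target string) string {
	if filepath.IsAbs(target) {
		return filepath.Clean(target)
	}
	return filepath.Join(cwd, target)
}

// craftedArchive builds a constructed sample tar with a single hardlink entry
// whose relative Linkname looks harmless once joined onto the extraction root.
func craftedArchive() ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "link.txt", Typeflag: tar.TypeLink, Linkname: "etc/passwd", Mode: 0o644}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// resolveWith runs one resolver and returns the effective on-disk target, or
// "rejected" when the resolver refuses the entry.
func resolveWith(fn func(string, string) (string, error), root, cwd, linkname string) string {
	target, err := fn(root, linkname)
	if err != nil {
		return "rejected"
	}
	return effectiveTarget(cwd, target)
}

// hardlinkTargets walks the archive and, for every hardlink entry, reports the
// effective target under the buggy and the fixed resolver.
func hardlinkTargets(root, cwd string, archive []byte) ([]string, []string, error) {
	var buggy, fixed []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return buggy, fixed, nil
		}
		if err != nil {
			return nil, nil, err
		}
		if hdr.Typeflag != tar.TypeLink {
			continue
		}
		buggy = append(buggy, resolveWith(linkTargetBuggy, root, cwd, hdr.Linkname))
		fixed = append(fixed, resolveWith(linkTargetFixed, root, cwd, hdr.Linkname))
	}
}

func main() {
	archive, err := craftedArchive()
	if err != nil {
		panic(err)
	}
	root, cwd := "/tmp/extract", "/"
	buggy, fixed, err := hardlinkTargets(root, cwd, archive)
	if err != nil {
		panic(err)
	}
	for i := range buggy {
		fmt.Printf("buggy: %s (inside root: %v)\n", buggy[i], insideRoot(root, buggy[i]))
		fmt.Printf("fixed: %s (inside root: %v)\n", fixed[i], insideRoot(root, fixed[i]))
	}
}
```

With the process CWD at /, the buggy resolver accepts Linkname etc/passwd (because /tmp/extract/etc/passwd is inside the root) but hands back the bare etc/passwd, which os.Link would resolve to /etc/passwd; the fixed resolver hands back /tmp/extract/etc/passwd. A blatant ../../etc/passwd is rejected by both, which is why this bug survives a naive traversal test.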
Exposure
oras-go/v2 v2.6.1 is indirect, pulled by several direct deps: helm.sh/helm/v3@3.20.2, helm.sh/helm/v4@4.2.2, kubescape/v3@3.0.48, loft-sh/vcluster@0.34.5, open-policy-agent/opa@1.14.1, derailed/k9s@0.51.0, rancher/k3k@1.1.0. Likely reachable surface: OCI chart/artifact pulls that extract tars via oras's content/file store (helm OCI, kubescape artifact downloads). govulncheck only reports findings for advisories already in the Go vulnerability database, so this needs a reachability pass once the OSV entry lands to confirm whether ksail's call graph actually reaches ensureLinkPath; until then, go mod why -m oras.land/oras-go/v2 in each module at least shows which parent is pulling it in.
Proposed direction
- Watch for the patched oras-go/v2 release; when it ships, bump the transitive pin in root + desktop go.mod (go get oras.land/oras-go/v2@<fixed> + go mod tidy in both modules) without waiting for the parents to re-pin, then build and test, since the parents will be compiled against a newer oras-go than they were released with.
- Meanwhile run govulncheck ./... reachability in both modules; if unreachable, note it here and deprioritise; if reachable, consider whether any ksail path extracts untrusted OCI artifacts (mitigation: none obvious short of carrying the fix ourselves via a go.mod replace directive to a patched fork).
- Close when both Dependabot alerts auto-resolve after the bump.
Rough size
Small (a pinned bump + tidy in two modules) once the patch exists; the reachability pass is ~an hour.