[GHSA-gxhx-2686-5h9g] Add upstream fix commit reference

[massif-01]

Summary

Adds the upstream fix commit reference for GHSA-gxhx-2686-5h9g.

Evidence

The advisory currently references the upstream security advisory, package repository, and v0.23.1 release. The v0.23.1 release notes state that NewSecretsVerifier now rejects empty signing secrets, and the tagged Go module metadata maps v0.23.1 to commit 34ad5c052e446f58505ae8d81a2a72821de107cc.

The added commit has message: security: reject empty signing secret for NewSecretsVerifier.

Validation

• jq empty advisories/github-reviewed/2026/05/GHSA-gxhx-2686-5h9g/GHSA-gxhx-2686-5h9g.json
• git diff --check

[Copilot]

Pull request overview

Adds the upstream fix commit URL as an additional reference to advisory GHSA-gxhx-2686-5h9g.

Changes:

• Append a new WEB reference pointing to the upstream fix commit 34ad5c052e446f58505ae8d81a2a72821de107cc in the slack-go/slack repository.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[advisory-database]

Hi @massif-01! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!