[GHSA-gxhx-2686-5h9g] Add upstream fix commit reference #7707
Pull request overview
Adds the upstream fix commit URL as an additional reference to advisory GHSA-gxhx-2686-5h9g.
Changes:
- Append a new WEB reference pointing to the upstream fix commit 34ad5c052e446f58505ae8d81a2a72821de107cc in the slack-go/slack repository.
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the
2cec0d5 into github:massif-01/advisory-improvement-7707
Hi @massif-01! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Summary
Adds the upstream fix commit reference for GHSA-gxhx-2686-5h9g.
Evidence
The advisory currently references the upstream security advisory, package repository, and v0.23.1 release. The v0.23.1 release notes state that NewSecretsVerifier now rejects empty signing secrets, and the tagged Go module metadata maps v0.23.1 to commit 34ad5c052e446f58505ae8d81a2a72821de107cc.
The added commit has message: security: reject empty signing secret for NewSecretsVerifier.
Validation
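Added example (not part of this pull request and not slack-go/slack code): a hypothetical Go verifier showing the kind of check the commit message above describes, rejecting an empty signing secret at construction time. The `verifier` type, `newVerifier`, `sign`, `verify`, the secret and the message are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// verifier is a hypothetical stand-in for a request-signature verifier;
// it is not the slack-go/slack implementation.
type verifier struct{ secret []byte }

// newVerifier refuses an empty secret. HMAC accepts a zero-length key, so
// without this guard an unset secret would mean signatures are checked
// against a key that is not secret at all.
func newVerifier(secret string) (*verifier, error) {
	if secret == "" {
		return nil, errors.New("signing secret must not be empty")
	}
	return &verifier{secret: []byte(secret)}, nil
}

// sign returns the hex HMAC-SHA256 of msg under key.
func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// verify compares the presented signature in constant time.
func (v *verifier) verify(msg, sigHex string) bool {
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	want, _ := hex.DecodeString(sign(v.secret, msg))
	return hmac.Equal(got, want)
}

func main() {
	const msg = "constructed request body" // constructed sample input
	_, err := newVerifier("")
	fmt.Println("empty secret:", err)
	v, _ := newVerifier("constructed-test-secret")
	fmt.Println("valid signature:", v.verify(msg, sign([]byte("constructed-test-secret"), msg)))
	fmt.Println("signature under empty key:", v.verify(msg, sign(nil, msg)))
}
```

The guard belongs in the constructor so that a missing configuration value fails at startup instead of silently weakening every later verification.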