From e9eb9987cf4f1eb04ba3eeb2f2107751f8992f6f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Feb 2026 18:19:25 +0000
Subject: [PATCH 1/2] Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1

Bumps [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519) from 1.1.0 to 1.1.1.
- [Commits](https://github.com/FiloSottile/edwards25519/compare/v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: filippo.io/edwards25519
  dependency-version: 1.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 4382bf6..493639d 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 )
 
 require (
-	filippo.io/edwards25519 v1.1.0 // indirect
+	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
diff --git a/go.sum b/go.sum
index a5bc311..a0c4c46 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
+filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
From d1e359861c30d3e9333449fb3bbc87d30d504e7e Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Mon, 23 Feb 2026 13:21:13 +0100
Subject: [PATCH 2/2] Add `gosec` (`nosec`) exclusions

---
 token/parse.go    | 3 ++-
 ui/ui.go          | 5 +++--
 usage/renderer.go | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/token/parse.go b/token/parse.go
index ae4aabf..2dfd8e5 100644
--- a/token/parse.go
+++ b/token/parse.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"go.step.sm/crypto/jose"
 )
 
@@ -52,7 +53,7 @@ type Payload struct {
 	Version interface{} `json:"ver"`
 	XMSMirID string `json:"xms_mirid"`
 	K8sSANamespace string `json:"kubernetes.io/serviceaccount/namespace,omitempty"`
-	K8sSASecretName string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"`
+	K8sSASecretName string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"` // #nosec G117 -- property used for JSON (un)marshaling
 	K8sSAServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name,omitempty"`
 	K8sSAServiceAccountUID string `json:"kubernetes.io/serviceaccount/service-account.uid,omitempty"`
 	Google *GCPGooglePayload `json:"google"` // GCP token claims
diff --git a/ui/ui.go b/ui/ui.go
index 0480eb5..a3c5cd6 100644
--- a/ui/ui.go
+++ b/ui/ui.go
@@ -10,6 +10,7 @@ import (
 	"github.com/chzyer/readline"
 	"github.com/manifoldco/promptui"
 	"github.com/pkg/errors"
+	"go.step.sm/crypto/randutil"
 )
 
@@ -305,7 +306,7 @@ func preparePromptTerminal() (func(), error) {
 		tty.Close()
 	}
 
-	fd := int(tty.Fd())
+	fd := int(tty.Fd()) // #nosec G115 -- uintptr comes from file descriptor
 	state, err := readline.MakeRaw(fd)
 	if err != nil {
 		defer clean()
@@ -335,7 +336,7 @@ func prepareSelectTerminal() (func(), error) {
 		tty.Close()
 	}
 
-	fd := int(tty.Fd())
+	fd := int(tty.Fd()) // #nosec G115 -- uintptr comes from file descriptor
 	state, err := readline.MakeRaw(fd)
 	if err != nil {
 		defer clean()
diff --git a/usage/renderer.go b/usage/renderer.go
index f904d3a..f2b767f 100644
--- a/usage/renderer.go
+++ b/usage/renderer.go
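Review bot: The import `go.step.sm/crypto/jose` added in the token/parse.go import hunk is not referenced by any changed line in this patch, and the same holds for `go.step.sm/crypto/randutil` in the ui/ui.go import hunk; presumably both replace identifiers already used elsewhere in those files, outside the hunks, but the commit message mentions only the `nosec` exclusions. A sentence in the description saying why the import blocks change would let a reviewer confirm they are intentional rather than a stray goimports edit. Both import blocks start outside the hunks.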
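Review bot: The `#nosec G117` justification on `K8sSASecretName` says the field is used for JSON (un)marshaling but not why the finding is a false positive, which is what a later reader has to re-derive before trusting the suppression. The json tag `kubernetes.io/serviceaccount/secret.name` shows the field carries the name of the service-account secret as a token claim, not the secret material itself, so the comment could say that directly: `// #nosec G117 -- holds the secret's name from the token claim, not a credential`. The `Payload` struct starts and ends outside the hunk.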
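Review bot: The `#nosec G115` comment on `fd := int(tty.Fd())` in `preparePromptTerminal` says where the value comes from but not why the uintptr-to-int conversion cannot lose information, which is the property the suppression asserts; the identical line and comment appear again in `prepareSelectTerminal` in the following hunk. A descriptor is a small non-negative integer handed out by the kernel, so the comment could state the invariant it relies on: `// #nosec G115 -- Fd() is a small kernel descriptor; widening it to int cannot truncate`. Since the two functions repeat the same `fd`/`MakeRaw`/`clean()` sequence, a shared helper would also keep the suppression and its reasoning in one place. Both functions start and end outside the hunks.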
@@ -90,7 +90,7 @@ func (r *Renderer) write(b []byte) {
 }
 
 func (r *Renderer) printf(s string, a ...interface{}) {
-	fmt.Fprintf(r.out.w, s, a...)
+	fmt.Fprintf(r.out.w, s, a...) // #nosec G705 -- renders internal help content
 }
 
 func (r *Renderer) capture(mode RenderMode) {
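Review bot: The `#nosec G705` suppression on `fmt.Fprintf(r.out.w, s, a...)` is sound only as long as every caller of `printf` passes a format string that is not derived from user input, but `printf` takes `s` as an ordinary parameter and nothing on the method records that contract, so a future caller could silently invalidate the exclusion. A doc comment on the method would pin it down: `// printf writes a formatted string to the renderer's output.` `// s must be a fixed, non-user-controlled format string; the gosec exclusion below relies on this.` The rest of the `Renderer` type is outside the hunk.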