Skip to content

Update module github.com/slack-go/slack to v0.23.1 [SECURITY]#306

Merged
christian-stephen merged 1 commit into
mainfrom
renovate/go-github.com-slack-go-slack-vulnerability
May 20, 2026
Merged

Update module github.com/slack-go/slack to v0.23.1 [SECURITY]#306
christian-stephen merged 1 commit into
mainfrom
renovate/go-github.com-slack-go-slack-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 18, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/slack-go/slack v0.22.0v0.23.1 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

slack-go SecretsVerifier accepts empty signing secret without precondition

GHSA-gxhx-2686-5h9g

More information

Details

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
}

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

slack-go SecretsVerifier accepts empty signing secret without precondition

GHSA-gxhx-2686-5h9g

More information

Details

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
}

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

slack-go/slack (github.com/slack-go/slack)

v0.23.1

Compare Source

[!IMPORTANT]
Even though this is a [security] patch release, if you were using an empty secret, this is a breaking change due to a change in behaviour. That's on purpose, to ensure you fix your approach so that there are no footguns.

Fixed
  • NewSecretsVerifier now rejects empty signing secrets to avoid accepting forged request
    signatures when applications are misconfigured.

Full Changelog: slack-go/slack@v0.23.0...v0.23.1

v0.23.0

Compare Source

Added

New Contributors

Full Changelog: slack-go/slack@v0.22.0...v0.23.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner May 18, 2026 15:08
@renovate renovate Bot force-pushed the renovate/go-github.com-slack-go-slack-vulnerability branch from 94a767c to 8f880c5 Compare May 19, 2026 20:13
@renovate renovate Bot force-pushed the renovate/go-github.com-slack-go-slack-vulnerability branch from 8f880c5 to 206619d Compare May 20, 2026 10:03
@christian-stephen christian-stephen merged commit 73619bf into main May 20, 2026
10 checks passed
@christian-stephen christian-stephen deleted the renovate/go-github.com-slack-go-slack-vulnerability branch May 20, 2026 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christian-stephen christian-stephen christian-stephen approved these changes

Assignees

No one assigned

Labels

CVE security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@christian-stephen