fix: patch Snyk vulnerabilities and upgrade dependencies #96

Merged: josue merged 6 commits into main from chore/upgrade-deps-and-fix-snyk on Apr 14, 2026

Conversation

josue (Collaborator) commented Apr 13, 2026

Summary

  • Fix .snyk license ignore format: All four HashiCorp MPL-2.0 license ignores used slashes (github.com/hashicorp/...) in the Snyk ID but Snyk matches against colon-separated IDs (github.com:hashicorp:...), causing ignores to silently fail.
  • Fix .snyk OTel exporter IDs for CVE-2026-39882: Both entries had a typo (IOTEL instead of IOOTEL) and the trace entry had the wrong ID number (15954195 → 15954196), causing these High-severity ignores to silently fail.
  • Upgrade Go 1.26.1 → 1.26.2: Fixes SNYK-GOLANG-STDARCHIVETAR-15928858 — Allocation of Resources Without Limits (CVSS 6.9) in std/archive/tar.
  • Bump google.golang.org/genproto: Updates indirect dep to latest snapshot (20260401 → 20260413) in both modules.

Commits

Commit Description
01cb4df Fix .snyk license ignore IDs (slashes → colons)
fc06cf6 Upgrade Go 1.26.1 → 1.26.2 (fixes stdlib archive/tar vuln)
4baad82 Bump genproto indirect dependency
a70998a Fix OTel exporter Snyk IDs for CVE-2026-39882 (typo + wrong ID number)

Verification

  • snyk test --org=flume passes with 0 vulnerabilities for both go.mod and _examples/go.mod
  • go test ./ and cd _examples && go test ./. both pass

Notes

  • go mod tidy dropped go-jose/v4 and golang.org/x/crypto pins from root go.mod since they are not direct dependencies — existing .snyk safety-net ignores cover these.

🤖 Generated with Claude Code
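As an added check for the two failure modes in this summary (written for this page, not code from the PR or the project), the script below derives the package segment of a Snyk Go ID the way the description explains (uppercase, punctuation removed) and flags `.snyk` ignore IDs that can never match a scan result. The policy text and the otlptrace module path it assumes are constructed for the example.

```python
import re

# Constructed sample .snyk policy (not the project's real file): the first license
# ignore uses '/' in the package path, the vuln ignore is missing the second 'O' of IOOTEL.
SAMPLE_SNYK = """version: v1.0.0
ignore:
  'snyk:lic:golang:github.com/hashicorp/hcl/v2:MPL-2.0':
    - '*':
        reason: accepted MPL-2.0 transitive dependency
  'snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0':
    - '*':
        reason: accepted MPL-2.0 transitive dependency
  'SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPTRACE-15954195':
    - '*':
        reason: exporter code path not reachable in this service
"""


def snyk_package_segment(module_path: str) -> str:
    """Package segment of a Snyk Go vuln ID: uppercase, every non-alphanumeric
    dropped (go.opentelemetry.io/otel -> GOOPENTELEMETRYIOOTEL, i.e. IO + OTEL)."""
    return re.sub(r"[^A-Za-z0-9]", "", module_path).upper()


def ignore_ids(policy_text: str) -> list[str]:
    """Line-based extraction of the keys under 'ignore:' (two-space indent),
    so the check needs no YAML library."""
    ids, in_ignore = [], False
    for line in policy_text.splitlines():
        if not line.startswith(" "):  # top-level key: track whether we are under ignore:
            in_ignore = line.rstrip() == "ignore:"
            continue
        m = re.match(r"^  (\S.*?):\s*$", line)
        if in_ignore and m:
            ids.append(m.group(1).strip("'\""))
    return ids


def lint_ignores(policy_text: str, known_modules: list[str]) -> list[str]:
    """One finding per ignore ID that can never match. known_modules lists the
    Go module/package paths (assumed inputs) whose vuln IDs the policy may name."""
    expected = {snyk_package_segment(m) for m in known_modules}
    findings = []
    for ignore_id in ignore_ids(policy_text):
        if ignore_id.startswith("snyk:lic:") and "/" in ignore_id:
            findings.append(f"{ignore_id}: license ID uses '/' where Snyk expects ':'")
            continue
        m = re.match(r"^SNYK-GOLANG-([A-Z0-9]+)-\d+$", ignore_id)
        if m and m.group(1) not in expected:
            findings.append(f"{ignore_id}: segment {m.group(1)} matches no known module")
    return findings
```

The ID number itself (15954195 vs 15954196) cannot be validated offline; cross-check it against the `snyk test` output that reported the finding.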

josue and others added 3 commits April 13, 2026 18:46

The Snyk policy file used slashes in license vuln IDs (e.g.
github.com/hashicorp/hcl/v2) but Snyk matches against colon-separated
IDs (github.com:hashicorp:hcl:v2). This caused all four HashiCorp
MPL-2.0 license ignores to silently fail.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fixes SNYK-GOLANG-STDARCHIVETAR-15928858 (CVE Allocation of Resources
Without Limits, CWE-770, CVSS 6.9). The vulnerability in std/archive/tar
is resolved in Go 1.26.2.

go mod tidy dropped go-jose/v4 and golang.org/x/crypto pins as they are
not direct dependencies of the root module — existing .snyk safety-net
ignores cover these.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Updates genproto/googleapis/rpc from 20260401 to 20260413 snapshot
in both root and _examples modules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 13, 2026 23:09
@josue josue requested a review from caseyh as a code owner April 13, 2026 23:09
flume-bot commented Apr 13, 2026

⚠️ Snyk checks are incomplete.

Status Scan Engine Critical High Medium Low Total (0)
⚠️ Open Source Security 0 0 0 0 See details
⚠️ Licenses 0 0 0 0 See details


Copilot AI left a comment

Pull request overview

Updates security tooling and Go dependencies to address reported Snyk issues and keep the module graph current.

Changes:

  • Fix .snyk HashiCorp MPL-2.0 license ignore IDs to use colon-separated coordinates.
  • Upgrade the workspace/modules to Go 1.26.2.
  • Bump google.golang.org/genproto/googleapis/rpc snapshot (root + _examples) and refresh sums (including dropping unused indirect sums).

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.

File Description
go.work Bumps workspace Go version to 1.26.2.
go.mod Bumps Go version, updates indirect genproto snapshot, and removes no-longer-required indirect pins.
go.sum Reflects tidy/module graph changes (drops unused sums; updates genproto sums).
_examples/go.mod Bumps Go version and indirect genproto snapshot in example module.
_examples/go.sum Updates genproto sums for example module.
.snyk Fixes license ignore IDs for HashiCorp transitive dependencies.

josue and others added 2 commits April 13, 2026 19:14

The two CVE-2026-39882 ignore entries had typos that caused them to
silently fail:
- Missing 'O' in package path: IOTEL → IOOTEL (go.opentelemetry.io/otel
  produces IO + OTEL = IOOTEL)
- Wrong ID number on trace entry: 15954195 → 15954196

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The go.mod pins for go-jose/v4 and golang.org/x/crypto were dropped by
go mod tidy during the Go 1.26.2 upgrade. Update the ignore reason text
to accurately reflect these are transitive ghost deps not listed in
go.mod, rather than claiming they are "fixed via go.mod pin".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 13, 2026 23:17

Copilot AI left a comment

Pull request overview

This PR updates dependency/tooling metadata to address reported Snyk findings by correcting .snyk ignore identifiers and upgrading the Go toolchain/dependency set so that security and license ignores apply as intended.

Changes:

  • Bump Go version declarations from 1.26.1 to 1.26.2 across the workspace/modules.
  • Update indirect dependency google.golang.org/genproto/googleapis/rpc to a newer snapshot (and refresh go.sum files).
  • Fix .snyk ignore IDs (HashiCorp MPL-2.0 license IDs and OpenTelemetry exporter vulnerability IDs) so Snyk matching doesn’t silently fail.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated no comments.

File Description
go.work Updates workspace Go version to 1.26.2.
go.mod Updates Go version, removes now-unneeded indirect pins, bumps genproto snapshot.
go.sum Reflects go mod tidy results and the genproto snapshot bump.
_examples/go.mod Updates example module Go version and aligns genproto snapshot.
_examples/go.sum Updates sums for the genproto snapshot bump.
.snyk Corrects ignore identifiers for license/vulnerability entries so ignores match properly.


@josue josue merged commit b7bdeb5 into main Apr 14, 2026
6 of 8 checks passed
@josue josue deleted the chore/upgrade-deps-and-fix-snyk branch April 14, 2026 14:28