
pkg/cli: querySecurityAdvisories HTTP call missing context.Context parameter #30508

@github-actions

Description


Problem

querySecurityAdvisories in pkg/cli/deps_security.go makes an outbound HTTP request to the GitHub Security Advisory API but has no context.Context parameter, meaning it cannot be cancelled, timed out by the caller, or participate in context propagation chains.

Evidence

// pkg/cli/deps_security.go:133-148
func querySecurityAdvisories(depVersions map[string]string, verbose bool) ([]SecurityAdvisory, error) {
    url := "https://api.github.com/advisories?ecosystem=go&per_page=100"
    client := &http.Client{Timeout: 30 * time.Second}
    req, err := http.NewRequest(http.MethodGet, url, nil)  // ← no context
    // ...
    resp, err := client.Do(req)

The function uses http.NewRequest instead of http.NewRequestWithContext, so the 30s client-level timeout is the only cancellation mechanism. If the caller receives a context cancellation (e.g., user presses Ctrl+C), this request cannot be interrupted.

Impact

  • Severity: Medium
  • Affected files: pkg/cli/deps_security.go
  • Risk: Security advisory checks cannot be cancelled mid-flight. In interactive CLI sessions, Ctrl+C will not abort an in-flight API request, degrading UX and potentially causing hangs on slow/unreliable networks.

Recommendation

// Before
func querySecurityAdvisories(depVersions map[string]string, verbose bool) ([]SecurityAdvisory, error) {
    req, err := http.NewRequest(http.MethodGet, url, nil)
    ...
}

// After
func querySecurityAdvisories(ctx context.Context, depVersions map[string]string, verbose bool) ([]SecurityAdvisory, error) {
    req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
    ...
}

Propagate the context from the calling function and update callers accordingly.
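As an added illustration (not the project's code), this is the recommended shape end to end: the request carries the caller's context, and the Ctrl+C case from the Impact section is covered by deriving that context from signal.NotifyContext. The names fetchAdvisories and advisoriesURL are hypothetical; the URL and 30s client timeout are the ones quoted in the issue.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"os"
	"os/signal"
	"time"
)

// advisoriesURL is the endpoint quoted in the issue.
const advisoriesURL = "https://api.github.com/advisories?ecosystem=go&per_page=100"

// fetchAdvisories performs the GET with the caller's context attached, so the
// request is aborted as soon as ctx is cancelled or its deadline passes.
// The client-level Timeout stays as a backstop for callers that pass
// context.Background(). (Hypothetical helper, not the project's own code.)
func fetchAdvisories(ctx context.Context, client *http.Client, url string) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, fmt.Errorf("build advisory request: %w", err)
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req) // returns promptly, wrapping ctx.Err(), once ctx is done
	if err != nil {
		return nil, fmt.Errorf("query advisories: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("advisory API returned %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

func main() {
	// Ctrl+C cancels ctx, which in turn aborts the in-flight request.
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
	defer stop()
	client := &http.Client{Timeout: 30 * time.Second}
	body, err := fetchAdvisories(ctx, client, advisoriesURL)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("received %d bytes of advisory data\n", len(body))
}
```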

Validation

  • Add context.Context as first parameter to querySecurityAdvisories
  • Replace http.NewRequest with http.NewRequestWithContext
  • Update all callers to pass appropriate context
  • Run existing tests to verify no regressions

Estimated Effort: Small


Generated by Sergo — The Serena Go Expert | Run §25417004230
