
fix(nexus): upgrade jsonparser to v1.1.2 to fix DoS vulnerability#3377

Merged

michaeljguarino merged 1 commit into master from agent/fix-jsonparser-cve-1711887691000 on Mar 31, 2026

Conversation

@plural-copilot (Contributor)

Summary

  • Upgrades github.com/buger/jsonparser from v1.1.1 to v1.1.2
  • Fixes a Denial of Service vulnerability where the Delete function fails to properly validate offsets when processing malformed JSON input, leading to a negative slice index and runtime panic
  • Affected docker image: ghcr.io/pluralsh/nexus:0.12.9

Changes

  • Updated go/nexus/go.mod to use jsonparser v1.1.2
  • Updated go/nexus/go.sum with new dependency checksums

Verification

  • ✅ Code compiles successfully
  • ✅ All tests pass (config, console, middleware, server)

Fixes a Denial of Service vulnerability (CVE) in jsonparser where the
Delete function fails to properly validate offsets when processing
malformed JSON input, which can lead to a negative slice index and a
runtime panic.

Affected image: ghcr.io/pluralsh/nexus:0.12.9
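The bug class described above (an unvalidated offset turning a malformed document into a negative slice index and a runtime panic) can be demonstrated without the library itself. The following is an added example, not code from this PR or from jsonparser: `uncheckedDelete` is a constructed stand-in for the unsafe pattern, `boundedSlice` shows the offset validation that prevents it, and `guardPanic` shows a call-boundary guard that turns a dependency panic into an error so one bad request cannot take the process down.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBadOffset is returned when a computed slice range does not fit the input.
var ErrBadOffset = errors.New("offset outside input bounds")

// boundedSlice returns data[start:end] only after validating the range.
// An unchecked negative or out-of-range offset is exactly the failure the
// PR description attributes to jsonparser's Delete before v1.1.2.
func boundedSlice(data []byte, start, end int) ([]byte, error) {
	if start < 0 || end < start || end > len(data) {
		return nil, ErrBadOffset
	}
	return data[start:end], nil
}

// guardPanic runs fn and converts a runtime panic (for example a negative
// slice index inside a third-party parser) into an ordinary error, so a
// malformed input surfaces as a rejected request instead of a crash.
func guardPanic(fn func() []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("parser panicked: %v", r)
		}
	}()
	return fn(), nil
}

// uncheckedDelete is a constructed stand-in (not jsonparser's real Delete):
// it trusts caller-supplied key offsets and slices without validating them,
// so a negative keyStart panics at runtime.
func uncheckedDelete(data []byte, keyStart, keyEnd int) []byte {
	return append(data[:keyStart], data[keyEnd:]...)
}

func main() {
	doc := []byte(`{"a":1,"b":2}`) // constructed sample input
	// Offsets a malformed document could produce: start before index 0.
	_, err := guardPanic(func() []byte { return uncheckedDelete(doc, -1, 3) })
	fmt.Println("guarded call:", err)
	_, err = boundedSlice(doc, -1, 3)
	fmt.Println("validated call:", err)
}
```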

@plural-copilot plural-copilot bot left a comment


This PR was generated by the claude (engine: claude) agent runtime. Here's some useful information you might want to know to evaluate
the AI's performance:

Name             Details
💬 Prompt        Security scanners have found the following vulnerability in our cluster:...
🔗 Run history   View run history

@greptile-apps (Contributor)

greptile-apps bot commented Mar 31, 2026

Greptile Summary

This PR upgrades the indirect dependency github.com/buger/jsonparser from v1.1.1 to v1.1.2 in the go/nexus module, patching the denial-of-service vulnerability tracked as CVE-2020-10675 / GO-2021-0057 (out-of-bounds panic / infinite loop when parsing malformed JSON input).

  • go/nexus/go.mod: version constraint updated from v1.1.1 → v1.1.2
  • go/nexus/go.sum: module digest updated to the v1.1.2 hash (h1:frqHqw7otoVbk5M8LlE/L7HTnIq2v9RX6EJ48i9AxJk=); the go.mod-only hash is unchanged between the two patch versions, which is expected when the upstream go.mod was not modified
  • v1.1.2 is the latest official release (March 19, 2026) and is already packaged by Debian, confirming its legitimacy
  • The change is minimal and scoped entirely to this one indirect dependency — no other packages are affected

Confidence Score: 5/5

This PR is safe to merge — it is a targeted, minimal security patch with no logic changes.

The change touches only two dependency-management files (go.mod and go.sum), upgrades a single indirect library by one patch version, and the new checksums match the official upstream release. No application logic is modified, and no other dependencies are affected.

No files require special attention.

Important Files Changed

Filename          Overview
go/nexus/go.mod   Bumps github.com/buger/jsonparser indirect dependency from v1.1.1 to v1.1.2 to address the DoS vulnerability (CVE-2020-10675 / GO-2021-0057)
go/nexus/go.sum   Updates the module hash for buger/jsonparser to the v1.1.2 digest; the go.mod-only hash is unchanged (expected for a patch release that doesn't alter go.mod)

Reviews (1): Last reviewed commit: "fix(nexus): upgrade github.com/buger/jso..."

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package                                   Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   github.com/go-chi/chi/v5@v5.2.4           70                      100             100       100           100
Added   github.com/maximhq/bifrost/core@v1.4.7    75                      100             100       100           100


@michaeljguarino michaeljguarino added the "enhancement" (New feature or request) label Mar 31, 2026
@michaeljguarino michaeljguarino merged commit 0b4d9f4 into master Mar 31, 2026
18 of 19 checks passed
@michaeljguarino michaeljguarino deleted the agent/fix-jsonparser-cve-1711887691000 branch March 31, 2026 15:35