You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
chore(deps): update module github.com/cyphar/filepath-securejoin to v0.4.0 (#6157)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/cyphar/filepath-securejoin](https://redirect.github.com/cyphar/filepath-securejoin)
| `v0.3.6` -> `v0.4.0` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
---
### Release Notes
<details>
<summary>cyphar/filepath-securejoin
(github.com/cyphar/filepath-securejoin)</summary>
###
[`v0.4.0`](https://redirect.github.com/cyphar/filepath-securejoin/releases/tag/v0.4.0)
[Compare
Source](https://redirect.github.com/cyphar/filepath-securejoin/compare/v0.3.6...v0.4.0)
This release primarily includes a few minor breaking changes to make the
MkdirAll and SecureJoin interfaces more robust against accidental
misuse.
- `SecureJoin(VFS)` will now return an error if the provided `root` is
not a
`filepath.Clean`'d path.
While it is ultimately the responsibility of the caller to ensure the
root is
a safe path to use, passing a path like `/symlink/..` as a root would
result
in the `SecureJoin`'d path being placed in `/` even though `/symlink/..`
might be a different directory, and so we should more strongly
discourage
such usage.
All major users of `securejoin.SecureJoin` already ensure that the paths
they
provide are safe (and this is ultimately a question of user error), but
removing this foot-gun is probably a good idea. Of course, this is
necessarily a breaking API change (though we expect no real users to be
affected by it).
Thanks to [Erik Sjölund](https://redirect.github.com/eriksjolund), who
initially
reported this issue as a possible security issue.
- `MkdirAll` and `MkdirHandle` now take an `os.FileMode`-style mode
argument
instead of a raw `unix.S_*`-style mode argument, which may cause
compile-time
type errors depending on how you use `filepath-securejoin`. For most
users,
there will be no change in behaviour aside from the type change (as the
bottom `0o777` bits are the same in both formats, and most users are
probably
only using those bits).
However, if you were using `unix.S_ISVTX` to set the sticky bit with
`MkdirAll(Handle)` you will need to switch to `os.ModeSticky` otherwise
you
will get a runtime error with this update. In addition, the error
message you
will get from passing `unix.S_ISUID` and `unix.S_ISGID` will be
different as
they are treated as invalid bits now (note that previously passing said
bits
was also an error).
Thanks to the following contributors for helping make this release
possible:
- Aleksa Sarai <[email protected]>
- Erik Sjölund <[email protected]>
Signed-off-by: Aleksa Sarai <[email protected]>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/open-telemetry/opentelemetry-go).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS45Mi4wIiwidXBkYXRlZEluVmVyIjoiMzkuOTIuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiU2tpcCBDaGFuZ2Vsb2ciLCJkZXBlbmRlbmNpZXMiXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
0 commit comments