GHSA-h829-5cg7-6hff: gitverify has improper tag signature verification

April 24, 2026

gitverify is still a prototype.

References

github.com/advisories/GHSA-h829-5cg7-6hff
github.com/supply-chain-tools/gitverify
github.com/supply-chain-tools/gitverify/commit/c2c60da05d5c73621d0ce7ea02770bacd79ec8b1
github.com/supply-chain-tools/gitverify/security/advisories/GHSA-h829-5cg7-6hff

Code Behaviors & Features

Detect and mitigate GHSA-h829-5cg7-6hff with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →