GMS-2019-51: Moderate severity vulnerability that affects renovate

October 21, 2019 (updated August 11, 2022)

Go Modules Vulnerability Disclosure

Impact

Temporary repository tokens were leaked into Pull Request comments during certain Go Modules update failure scenarios.

Patches

The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later.

Workarounds

Disable Go Modules support.

References

Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Renovate
  • Email us at support@renovatebot.com

References

  • github.com/advisories/GHSA-v7x3-7hw7-pcjg
  • github.com/renovatebot/renovate/security/advisories/GHSA-v7x3-7hw7-pcjg
  • snyk.io/vuln/SNYK-JS-RENOVATE-536203

Affected versions

All versions starting from 13.87.0 before 19.38.7

Fixed versions

  • 19.38.7

Solution

Upgrade to version 19.38.7 or above.

Source file

npm/renovate/GMS-2019-51.yml

Page generated Wed, 14 May 2025 12:15:27 +0000.