
Go Modules Vulnerability Disclosure

Moderate
rarkins published GHSA-v7x3-7hw7-pcjg Oct 18, 2019

Package

renovate (npm)

Affected versions

>= 13.87.0 <= 19.38.6

Patched versions

19.38.7

Description

Impact

Temporary repository tokens were leaked into Pull Request comments during certain Go Modules update failure scenarios.
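
The advisory does not detail how the token reached the comment. As an added example (not Renovate's code and not its patch), the sketch below shows one way to scrub secrets from failure text before it is posted to a Pull Request; it assumes the token appears verbatim, percent-encoded, or as URL userinfo in command error output, and the function names, sample error text and token are all constructed.

```javascript
// Added example: redact secrets from failure output before posting it anywhere public.
// sanitizeForComment, sampleToken and sampleStderr are hypothetical names and values.
const REDACTED = '**redacted**';

// Escape a string so it can be used literally inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Two passes: (1) every secret the caller knows about, (2) any "user:pass@"
// userinfo in a URL, so a secret nobody listed is still caught when it rides in a URL.
function sanitizeForComment(text, secrets = []) {
  let out = String(text);
  // Longest first, so a secret that contains another one is replaced whole.
  const known = [...new Set(secrets)]
    .filter((s) => typeof s === 'string' && s.length >= 4)
    .sort((a, b) => b.length - a.length);
  for (const secret of known) {
    out = out.replace(new RegExp(escapeRegExp(secret), 'g'), REDACTED);
    // Tools often print the percent-encoded form when the secret was part of a URL.
    const encoded = encodeURIComponent(secret);
    if (encoded !== secret) {
      out = out.replace(new RegExp(escapeRegExp(encoded), 'g'), REDACTED);
    }
  }
  // scheme://userinfo@host  ->  scheme://**redacted**@host
  // Userinfo cannot contain "/", so "@" in a path or query string is left alone.
  return out.replace(/\b([a-z][a-z0-9+.-]*:\/\/)[^\s\/@]+@/gi, `$1${REDACTED}@`);
}

// Constructed sample: error text from a failed fetch, with a fake token in the URL.
const sampleToken = 'EXAMPLE-TOKEN-0000';
const sampleStderr =
  `command failed: git fetch https://x-access-token:${sampleToken}@example.com/org/private.git\n` +
  `debug: auth header used ${sampleToken}`;

// Build the comment body only from sanitized text.
function buildFailureComment(stderr, secrets) {
  return 'Artifact update failed:\n\n' + sanitizeForComment(stderr, secrets);
}

console.log(buildFailureComment(sampleStderr, [sampleToken]));
```
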

Patches

The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later.

Workarounds

Disable Go Modules support.

References

Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs