Migrate charm stack to v2 (wish v2 fixes GHSA-xjvp-7243-rg9h SCP path traversal) #126

Open
opened 2026-06-12 20:57:03 +00:00 by lerko · 0 comments
Owner

grype flags github.com/charmbracelet/wish v1.4.7 with GHSA-xjvp-7243-rg9h (SCP middleware path traversal, CVSS 9.6 Critical). uptop does not use the SCP middleware — only wish core + bubbletea middleware — so the vulnerable path is unreachable (govulncheck agrees). Suppressed in .grype.yaml to unblock releases.

The real fix requires charm.land/wish/v2 (>= 2.0.1), which depends on charm.land/bubbletea/v2 — meaning the full TUI stack migrates together: bubbletea, bubbles, huh, lipgloss. Plan as its own arc post-v0.1.0:

  • charm.land/wish/v2 + charm.land/bubbletea/v2
  • bubbles/huh/lipgloss v2 counterparts
  • Remove the .grype.yaml ignore entry when done
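Scoping the suppression as narrowly as possible is the part worth getting right: an ignore rule that matches only the advisory ID would silently keep suppressing the finding after the stack migrates, while a rule pinned to the package and the exact version stops matching as soon as the module is bumped. The `.grype.yaml` below is an added example of that pattern and is not the project's own file; the package name, version and advisory ID are taken from the issue text, and the comment wording is an assumption about how the justification would be recorded.

```yaml
# .grype.yaml (example, not the project's own file)
ignore:
  # GHSA-xjvp-7243-rg9h: path traversal in wish's SCP middleware.
  # Suppressed because uptop wires only wish core + the bubbletea
  # middleware; the SCP middleware is never imported, so the vulnerable
  # code is unreachable (confirmed with govulncheck).
  # Pinned to the exact package and version on purpose: bumping wish
  # invalidates this rule, so the finding resurfaces if the v2 migration
  # (charm.land/wish/v2 >= 2.0.1) is not what actually lands.
  # Remove this entry once the TUI stack is on charm.land/wish/v2.
  - vulnerability: GHSA-xjvp-7243-rg9h
    package:
      name: github.com/charmbracelet/wish
      version: v1.4.7
```

With this in place, `grype --show-suppressed` keeps the ignored match visible in the report rather than hiding it, which is the check to run periodically so the suppression is not forgotten once the migration arc closes.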

Reference: lerkolabs/uptop#126