lerkolabs/uptop
1
1
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat: migrate charmbracelet/wish v1 → v2 (CVE-2026-35385) #42

New Issue
Open
opened 2026-05-30 00:08:48 +00:00 by lerko · 0 comments
lerko commented 2026-05-30 00:08:48 +00:00
Owner
Copy Link
Copy Source

Problem

Docker Scout reports CVE-2026-35385 (CVSS 9.6 Critical) in charmbracelet/wish v1.4.7. v1.4.7 is the latest v1.x release — no patch available in v1.

Required Migration

wish v2 (charm.land/wish/v2) requires:

  • charm.land/bubbletea/v2 (currently on github.com/charmbracelet/bubbletea v1.3.10)
  • charm.land/lipgloss/v2 (currently on lipgloss v1)
  • New vanity import paths (charm.land/... instead of github.com/charmbracelet/...)

This is a full TUI migration — all bubbletea Model/Cmd/Msg patterns, lipgloss styles, and SSH middleware need updating.

Scope

  • cmd/uptop/main.go — SSH server setup (wish + bubbletea middleware)
  • internal/tui/ — all TUI models and views (bubbletea v1 → v2)
  • All charmbracelet imports across the codebase

API Compatibility Notes

wish v2 server API (NewServer, WithAddress, WithHostKeyPath, WithPublicKeyAuth, WithMiddleware) is unchanged. The breaking change is the bubbletea v2 dependency — bm.Middleware now expects bubbletea v2 types.

## Problem Docker Scout reports CVE-2026-35385 (CVSS 9.6 Critical) in `charmbracelet/wish` v1.4.7. v1.4.7 is the latest v1.x release — no patch available in v1. ## Required Migration wish v2 (`charm.land/wish/v2`) requires: - `charm.land/bubbletea/v2` (currently on `github.com/charmbracelet/bubbletea` v1.3.10) - `charm.land/lipgloss/v2` (currently on lipgloss v1) - New vanity import paths (`charm.land/...` instead of `github.com/charmbracelet/...`) This is a full TUI migration — all bubbletea Model/Cmd/Msg patterns, lipgloss styles, and SSH middleware need updating. ## Scope - `cmd/uptop/main.go` — SSH server setup (wish + bubbletea middleware) - `internal/tui/` — all TUI models and views (bubbletea v1 → v2) - All charmbracelet imports across the codebase ## API Compatibility Notes wish v2 server API (`NewServer`, `WithAddress`, `WithHostKeyPath`, `WithPublicKeyAuth`, `WithMiddleware`) is unchanged. The breaking change is the bubbletea v2 dependency — `bm.Middleware` now expects bubbletea v2 types.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
lerko (Tyler Koenig)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: lerkolabs/uptop#42
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?