fix(release): grype GHSA alias suppression + full launch notes #127

Merged
lerko merged 1 commits from fix/grype-gate-and-launch-notes into main 2026-06-12 21:08:50 +00:00
Two items from the rc.2 rehearsal (binaries run was fully green — notes, prerelease flag, GitHub mirror all correct):

  1. Docker scan gate tripped on an already-triaged finding. The pre-existing .grype.yaml suppressed the wish SCP path traversal by CVE id (CVE-2026-41589); grype's db now surfaces the same flaw as GHSA-xjvp-7243-rg9h, and ignore matching is exact-id. Both ids now listed. The SCP middleware is never compiled into uptop (govulncheck reachability agrees); the real fix — charm.land/wish/v2 — requires the whole bubbletea-v2 stack migration, tracked in #126.
  2. Launch notes: git-cliff --current renders since-last-tag, so v0.1.0 would get only commits-since-rc.2. ignore_tags = "v.*-rc.*" folds rc rehearsal tags into the next real release — verified locally: rc tags render the full pending section, v0.1.0 will cover complete history.

After merge: v0.1.0-rc.3 — Docker Hub push remains the only unexercised pipeline path.
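As an added example (not code from the uptop repo or this PR), a small check that runs over a grype JSON report and the parsed `.grype.yaml` and reports exactly the gap described in item 1: a finding triaged under one id but now reported under an alias that an exact-id ignore rule does not cover. It assumes grype's JSON layout (`matches[].vulnerability.id`, `matches[].relatedVulnerabilities[].id`) and the `ignore[].vulnerability` / `reason` keys of `.grype.yaml`; the report and config below are constructed.

```python
import json
# What yaml.safe_load(".grype.yaml") gives for the pre-fix, CVE-only rule (constructed).
GRYPE_CONFIG = {"ignore": [
    {"vulnerability": "CVE-2026-41589",
     "reason": "wish SCP middleware is never compiled into uptop; v2 migration tracked in #126"},
]}

# Constructed grype JSON report: the db now reports the flaw under its GHSA id and
# lists the CVE only as an alias; the second match is a placeholder, untriaged finding.
GRYPE_REPORT = json.loads("""{"matches": [
  {"vulnerability": {"id": "GHSA-xjvp-7243-rg9h"}, "artifact": {"name": "wish"},
   "relatedVulnerabilities": [{"id": "CVE-2026-41589"}]},
  {"vulnerability": {"id": "GHSA-placeholder-untriaged"}, "artifact": {"name": "example-dep"},
   "relatedVulnerabilities": []}
]}""")

def ignore_rules(config):
    """Ignore rules keyed by id; grype compares these ids exactly, with no alias expansion."""
    return {r["vulnerability"]: r for r in config.get("ignore", []) if "vulnerability" in r}

def finding_ids(match):
    """The reported id plus every alias grype lists for the same flaw."""
    return {match["vulnerability"]["id"]} | {rv["id"] for rv in match.get("relatedVulnerabilities", [])}

def alias_gaps(report, config):
    """Reported id -> alias ids absent from the ignore list, for findings triaged under one
    alias but now reported under another (exactly what tripped the rc.2 scan gate)."""
    ignored = set(ignore_rules(config))
    gaps = {}
    for m in report.get("matches", []):
        ids, reported = finding_ids(m), m["vulnerability"]["id"]
        if ids & ignored and reported not in ignored:
            gaps[reported] = sorted(ids - ignored)
    return gaps

def untriaged(report, config):
    """Reported ids with no ignore rule under any alias: genuinely new findings."""
    ignored = set(ignore_rules(config))
    return sorted(m["vulnerability"]["id"] for m in report.get("matches", []) if not finding_ids(m) & ignored)

def suggested_rules(report, config):
    """Entries to append so a triaged flaw stays suppressed under every alias, reusing
    the reason from the rule that already covers one of its ids."""
    rules, out = ignore_rules(config), []
    for m in report.get("matches", []):
        ids = finding_ids(m)
        existing = next((rules[i] for i in sorted(ids) if i in rules), None)
        if existing is not None:
            out += [{"vulnerability": i, "reason": existing.get("reason", "")} for i in sorted(ids - set(rules))]
    return out
```

Appending `suggested_rules(...)` to the ignore list leaves `alias_gaps(...)` empty, while the placeholder finding still shows up in `untriaged(...)` and needs a human decision rather than a rule.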

lerko added 1 commit 2026-06-12 21:02:56 +00:00
fix(release): suppress wish GHSA alias in grype, fold rc tags into launch notes
CI / test (pull_request) Successful in 1m44s
CI / lint (pull_request) Successful in 1m11s
CI / vulncheck (pull_request) Successful in 51s
Release Binaries / release (push) Successful in 2m9s
Release Docker / docker (push) Successful in 10m18s
37bf443e29
The existing .grype.yaml ignore listed the wish SCP traversal only by CVE
id; grype's db now matches it as GHSA-xjvp-7243-rg9h and ignores are
exact-id, so the rc.2 scan gate tripped on an already-triaged finding.
List both ids. Vulnerable SCP middleware is never compiled in; real fix
is the charm v2 stack migration (#126).

cliff.toml ignore_tags folds rc tags into the next real release so
v0.1.0's notes cover full history instead of commits-since-rc.2.
lerko merged commit 37bf443e29 into main 2026-06-12 21:08:50 +00:00
lerko deleted branch fix/grype-gate-and-launch-notes 2026-06-12 21:08:50 +00:00
Reference: lerkolabs/uptop#127