lerkolabs/uptop
1
1
Fork 0
Code Issues 17 Pull Requests Actions Packages Projects 2 Releases 4 Wiki Activity

fix(release): grype GHSA alias suppression + full launch notes #127

Merged
lerko merged 1 commits from fix/grype-gate-and-launch-notes into main 2026-06-12 21:08:50 +00:00
Conversation 0 Commits 1 Files Changed 2
+12 -3
2 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.grype.yaml
+8 -3
View File
@@ -1,6 +1,11 @@
ignore: ignore:
# CVE-2026-41589: SCP path traversal in charmbracelet/wish. # SCP path traversal in charmbracelet/wish — same flaw, two ids: grype has
# matched it as CVE-2026-41589 and as GHSA-xjvp-7243-rg9h depending on db
# version, and ignore matching is exact-id, so both stay listed.
# We only import wish/bubbletea for the SSH TUI server — the vulnerable # We only import wish/bubbletea for the SSH TUI server — the vulnerable
# scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in. # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in
# No fix available for wish v1; v2 (charm.land/wish/v2) patched in 2.0.1. # (govulncheck reachability agrees). No fix for wish v1; v2
# (charm.land/wish/v2 >= 2.0.1) requires the bubbletea-v2 stack migration,
# tracked in issue #126. Remove both entries when that lands.
- vulnerability: CVE-2026-41589 - vulnerability: CVE-2026-41589
- vulnerability: GHSA-xjvp-7243-rg9h
cliff.toml
+4
View File
@@ -24,6 +24,10 @@ split_commits = false
protect_breaking_commits = false protect_breaking_commits = false
filter_commits = false filter_commits = false
tag_pattern = "v[0-9].*" tag_pattern = "v[0-9].*"
# rc tags are pipeline rehearsals, not releases — without this, the final
# tag's notes would only cover commits since the last rc (near-empty for
# v0.1.0). Ignored tags fold their commits into the next real release.
ignore_tags = "v.*-rc.*"
topo_order = false topo_order = false
sort_commits = "oldest" sort_commits = "oldest"