mirror of
https://github.com/truecharts/charts.git
synced 2026-07-15 18:51:23 -03:00
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [filippo.io/age](https://redirect.github.com/FiloSottile/age) | require | patch | `v1.2.0` -> `v1.2.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [GHSA-32gq-x56h-299c](https://redirect.github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c) A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the [`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity), [`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData), or [`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient) APIs. On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*` needs to exist for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol. An equivalent issue was fixed by the [rage](https://redirect.github.com/str4d/rage) project, see advisory [GHSA-4fg7-vxc8-qx5w](https://redirect.github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w). Thanks to ⬡-49016 for reporting this. --- ### Release Notes <details> <summary>FiloSottile/age (filippo.io/age)</summary> ### [`v1.2.1`](https://redirect.github.com/FiloSottile/age/releases/tag/v1.2.1): age v1.2.1: security fix [Compare Source](https://redirect.github.com/FiloSottile/age/compare/v1.2.0...v1.2.1) This release fixes a security vulnerability that could allow an attacker to execute an arbitrary binary under certain conditions. See GHSA-32gq-x56h-299c. Plugin names may now only contain alphanumeric characters or the four special characters `+-._`. Thanks to ⬡-49016 for reporting this issue. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44Mi45IiwidXBkYXRlZEluVmVyIjoiMzkuODIuOSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->
About The Project
CLA: Before contributing
Our CLA applies to this repository as well.
Please ensure it's signed before submitting a PR: https://cla-assistant.io/truecharts/charts
We use the truecharts/charts link, as CLA assistant does not allow for creating a custom link to a private repository. However, they all sign the same CLA that applies project-wide
License
This tool is released as "All Rights reserved" and hence it's code should NOT be shared. This includes binaries that are modified to remove TrueCharts specific code, unless approved by Kjeld Schouten "The Owner". Those that are invited to have access to repository, are free to edit and use this code for testing purposes, as long as its sourcecode is not shared or saved in-the-cloud.