fix(deps): exclude goldmark v1.4.13 to clear CVE-2026-5160#94
Merged
Conversation
The direct requirement was already at v1.8.2, but SonarQube's SCA kept flagging v1.4.13 because that version remained in the module graph as a transitive edge via golang.org/x/tools (which the build does not need). Go's MVS never selected v1.4.13 and go.sum carried only its /go.mod hash, so it was never compiled — but the graph edge was enough to fail the quality gate. Add an exclude directive for the vulnerable version and run `go mod tidy`. Since no package imports goldmark, tidy prunes it entirely from go.mod and go.sum, so the CVE can no longer be reported. No code imports goldmark, so there is no breaking change; go build, go vet, and go mod verify all pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Code Review ✅ ApprovedExcludes the vulnerable goldmark v1.4.13 version via a go.mod directive, resulting in its complete removal from the dependency graph. No issues found. OptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change the behavior for this request:
Was this helpful? React with 👍 / 👎 | Gitar |
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
Clears the SonarQube quality-gate failure for CVE-2026-5160 (XSS / CWE-79, CVSS 5.1) in
github.com/yuin/goldmark.The direct requirement was already upgraded to
v1.8.2, and Go's minimal version selection (MVS) was already buildingv1.8.2— never the vulnerablev1.4.13. But SonarQube's SCA scans the full module graph, wherev1.4.13still appeared as a transitive edge viagolang.org/x/tools(a module the build doesn't actually need). That graph edge alone kept the finding open.Fix
exclude github.com/yuin/goldmark v1.4.13directive (matching the project's existingreplace-directive convention) and rango mod tidy.go mod tidypruned it entirely fromgo.modandgo.sum. The package is no longer a dependency, so the CVE can no longer be reported.Breaking-change assessment: none
No project code imports goldmark — verified via
grepandgo mod why. There is no API surface to break.Verification
go build ./...→ OKgo vet ./...→ cleango mod verify→ all modules verifiedgo.sumno longer contains any goldmark entries🤖 Generated with Claude Code