Update Go and npm dependencies to remediate security vulnerabilities#1033
Merged
Conversation
Add //nolint:gosec comments for three intentional G118 patterns flagged by golangci-lint v2.11.4:
- cmd_hooks.go: cancelFn stored in tasksCancelFn for deferred cleanup
- api.go: context.Background() intentional on shutdown path after ctx is Done
- db_client_execute.go: extend existing govet nolint to also cover gosec

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Exclude G118 globally in .golangci.yml rather than using per-line nolint comments, which triggered nolintlint unused-directive errors on older golangci-lint versions (v2.10.x vs v2.11.4 in CI).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Three G118 issues were triggered by golangci-lint v2.11.4 (via version: latest in CI):

1. api.go: Replace context.Background() with context.WithoutCancel(ctx) on the shutdown path. After <-ctx.Done() the parent ctx is cancelled, so we need a fresh context for the srv.Shutdown timeout. context.WithoutCancel inherits context values without the cancellation — the semantically correct fix.
2. cmd_hooks.go: Add //nolint:gosec — cancelFn IS stored in the package-level tasksCancelFn and called when tasks complete. G118 is a false positive here.
3. db_client_execute.go: Extend existing //nolint:govet to also cover gosec — same intentional pattern, already documented: pgx prematurely cancels the PG connection if the cancel fn is called in defer.

Additionally:
- Pin golangci-lint CI version to v2.11.4 (was: latest) to prevent future unexpected failures from new linter rules on every CI run.
- Add nolintlint exclusion rules in .golangci.yml for the two per-line gosec nolints so they don't appear as unused directives on older local versions that pre-date G118.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
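The shutdown-path change in the commit messages above (deriving the srv.Shutdown timeout from context.WithoutCancel(ctx) instead of from the already-cancelled ctx or a bare context.Background()), as an added example that is not the project's own code. Everything here is constructed for illustration: the requestIDKey value key stands in for whatever the real server carries on its context, and simulateShutdownPath is a hypothetical stand-in for the api.go flow, not a function from the repository. It contrasts the two derivations so the difference is observable: a timeout derived from the cancelled parent is Done before the drain starts, while the WithoutCancel-derived one is live and still sees the parent's values.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// ctxKey is a hypothetical value key standing in for whatever the server
// carries on its context (logger, request ID, ...). Not from the project.
type ctxKey string

const requestIDKey ctxKey = "request-id"

// deriveFunc is the shape of both strategies compared below.
type deriveFunc func(parent context.Context, timeout time.Duration) (context.Context, context.CancelFunc)

// shutdownContext is the pattern from the fix: derive the bounded context for
// srv.Shutdown from a parent that has already been cancelled. WithoutCancel
// keeps the parent's values but severs its cancellation, so the timeout is what
// actually governs how long in-flight requests may drain.
func shutdownContext(parent context.Context, timeout time.Duration) (context.Context, context.CancelFunc) {
	return context.WithTimeout(context.WithoutCancel(parent), timeout)
}

// naiveShutdownContext is the bug the fix avoids: deriving the timeout directly
// from the cancelled parent. The child is Done the moment it is created, so a
// Shutdown call would give up immediately instead of draining.
func naiveShutdownContext(parent context.Context, timeout time.Duration) (context.Context, context.CancelFunc) {
	return context.WithTimeout(parent, timeout)
}

// isAlreadyDone reports whether ctx is cancelled, without blocking.
func isAlreadyDone(ctx context.Context) bool {
	select {
	case <-ctx.Done():
		return true
	default:
		return false
	}
}

// simulateShutdownPath mimics the api.go flow: the server's context is
// cancelled by its caller, the loop observes <-ctx.Done(), and the shutdown
// context is then built with the given strategy. It returns whether the
// request ID survived the derivation and the derived context's Err()
// (nil means the drain may proceed).
func simulateShutdownPath(derive deriveFunc) (valuesKept bool, err error) {
	// Constructed parent: carries a value and is cancelled before shutdown.
	parent, cancel := context.WithCancel(context.WithValue(context.Background(), requestIDKey, "req-42"))
	cancel() // e.g. signal handler fired
	<-parent.Done()

	shCtx, release := derive(parent, 5*time.Second)
	defer release()

	id, _ := shCtx.Value(requestIDKey).(string)
	return id == "req-42", shCtx.Err()
}

func main() {
	strategies := []struct {
		name   string
		derive deriveFunc
	}{
		{"WithTimeout(ctx, ...)", naiveShutdownContext},
		{"WithTimeout(WithoutCancel(ctx), ...)", shutdownContext},
	}
	for _, s := range strategies {
		kept, err := simulateShutdownPath(s.derive)
		fmt.Printf("%-40s err=%v values-kept=%v\n", s.name, err, kept)
	}
}
```

Both derivations keep the parent's values; only the cancellation differs. That is why WithoutCancel is preferable to context.Background() on this path as well: request-scoped values such as a logger still reach the shutdown code without inheriting the cancellation that would cut the drain short.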
pskrbasu approved these changes on Mar 31, 2026
Summary
Update Go and npm dependencies to fix multiple Dependabot security alerts (closes #1032).
Go — Remediated
- 1.26.0 → 1.26.1 — Security vulnerability in Go 1.26.0
- v1.75.0 → v1.79.3 — Authorization bypass via missing leading slash in :path (Support new pipes token location #184)
- v1.37.0 → v1.40.0 — Arbitrary code execution via PATH hijacking (support PIPES_INSTALL_DIR #175)
- pipe-fittings to v2.9.0, which uses pgx v5 (Avoid NRE during init if target is nil #183, Clean up ./powerpipe/config/workspaces.ppc.sample to remove Steampipe references #185)

npm (ui/dashboard) — Remediated
- 7.5.8 → 7.5.10 — Hardlink path traversal (Fix logging to remove steampipe refs #182)
- 6.0.2 → 7.0.3 — RCE via RegExp.flags / Date.toISOString (should powerpipe benchmark run all work? #176)
- 1.2.1 → 1.3.0 — Arbitrary code injection via unsafe eval (Fix issue where powerpipe dashboard <dashboardresource> show fails with invalid resource type. Closes #157 #158)

Outstanding — No Fix Available
- 6.6.1) — Risky crypto implementation (Finalise default powerpipe workspace sample content (workspaces.ppc.sample) #140). No patched version exists yet; resolution pinned at current version.