
fix(deps): update github.com/semaphoreui/semaphore digest to 7163825 #3721

Closed
renovate[bot] wants to merge 1 commit into develop from renovate/github.com-semaphoreui-semaphore-digest

Conversation


@renovate renovate Bot commented Mar 24, 2026

This PR contains the following updates:

Package                            Type      Update    Change
github.com/semaphoreui/semaphore   require   digest    7283631 → 7163825

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from be9d197 to aeb5692 (March 25, 2026 01:53)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to ccb5e8e" to "fix(deps): update github.com/semaphoreui/semaphore digest to ffccc91" (Mar 25, 2026)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to ffccc91" to "fix(deps): update github.com/semaphoreui/semaphore digest to aad959c" (Mar 25, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch 2 times, most recently from 189d228 to 1b93522 (March 28, 2026 22:28)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to aad959c" to "fix(deps): update github.com/semaphoreui/semaphore digest to 12fe721" (Mar 28, 2026)

@cursor cursor Bot left a comment


Security Review: No findings

This PR updates the github.com/semaphoreui/semaphore pseudo-version digest in pro/go.mod. The change is strictly a version string bump (72836311c5b9 → 12fe7217d269) with no new dependencies introduced or removed.

Notably, pro/go.mod contains a replace directive (replace github.com/semaphoreui/semaphore => ../) that overrides this version at build time, so the pseudo-version string is effectively cosmetic and does not change which code is resolved.

No security issues identified.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 1b93522 to ed661fa (March 29, 2026 13:16)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 12fe721" to "fix(deps): update github.com/semaphoreui/semaphore digest to 70d9cb6" (Mar 29, 2026)

@cursor cursor Bot left a comment


Security Review: No findings

This PR updates the github.com/semaphoreui/semaphore pseudo-version digest in pro/go.mod from 72836311c5b9 to 70d9cb6a441a. No new dependencies are introduced or removed.

The replace directive (replace github.com/semaphoreui/semaphore => ../) overrides this version at build time, so the pseudo-version string does not change which code is actually resolved.

No security issues identified.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 70d9cb6" to "fix(deps): update github.com/semaphoreui/semaphore digest to 74fdbe9" (Mar 29, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from ed661fa to 5dc00e6 (March 29, 2026 17:41)

@cursor cursor Bot left a comment


Security Review: No findings

This PR updates the github.com/semaphoreui/semaphore pseudo-version digest in pro/go.mod from 72836311c5b9 to 74fdbe9a2f14. No new dependencies are introduced or removed.

The replace directive (replace github.com/semaphoreui/semaphore => ../) overrides this version at build time, so the pseudo-version string does not change which code is actually resolved.

No security issues identified.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 74fdbe9" to "fix(deps): update github.com/semaphoreui/semaphore digest to 73aa058" (Mar 29, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 5dc00e6 to 4276845 (March 29, 2026 21:40)

@cursor cursor Bot left a comment


Security Review: No findings

This PR updates the github.com/semaphoreui/semaphore dependency digest in pro/go.mod from 72836311c5b9 to 73aa05802d31. This is a first-party (same-repo) dependency pin bump generated by Renovate.

Key observations:

  • The change touches only the pseudo-version string in pro/go.mod (one line).
  • A replace directive on line 56 (replace github.com/semaphoreui/semaphore => ../) means the declared version is overridden by the local source tree at build time, so this pin change has no effect on compiled artifacts.
  • No new third-party dependencies are introduced.
  • No code, configuration, or secret changes are present.

No injection, auth/authz, SSRF, XSS, supply-chain, or other security risks identified.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 73aa058" to "fix(deps): update github.com/semaphoreui/semaphore digest to 2fc12d2" (Mar 30, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 4276845 to b8cfb35 (March 30, 2026 21:08)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 2fc12d2" to "fix(deps): update github.com/semaphoreui/semaphore digest to 9132123" (Mar 31, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from b8cfb35 to 1a939ce (March 31, 2026 18:23)
codacy-production Bot commented Mar 31, 2026

Up to standards ✅

🟢 Issues: 0 new issues


🟢 Metrics: duplication 0


renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 9132123" to "fix(deps): update github.com/semaphoreui/semaphore digest to 0252b9c" (Mar 31, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 1a939ce to bb6aa5a (March 31, 2026 21:23)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 0252b9c" to "fix(deps): update github.com/semaphoreui/semaphore digest to 84c9b8a" (Apr 2, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from bb6aa5a to fcb05c8 (April 2, 2026 21:55)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 84c9b8a" to "fix(deps): update github.com/semaphoreui/semaphore digest to 63131db" (Apr 7, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from fcb05c8 to 27c8208 (April 7, 2026 10:19)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 63131db" to "fix(deps): update github.com/semaphoreui/semaphore digest to 0b7b506" (Apr 7, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 27c8208 to 776d1bc (April 7, 2026 14:18)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 0b7b506" to "fix(deps): update github.com/semaphoreui/semaphore digest to 89cc0cc" (Apr 7, 2026)

@cursor cursor Bot left a comment


Security Review — Dependency Update

This PR updates three dependencies in pro/go.mod:

Dependency                          Old            New            Assessment
github.com/semaphoreui/semaphore    72836311c5b9   376e2eab5b0c   OK — internal digest bump
github.com/go-git/go-git/v5         v5.17.1        v5.17.2        OK — fixes a v5.17.1 regression that blocked the CVE-2026-33762 security patch
golang.org/x/net                    v0.49.0        v0.50.0        Vulnerable — see finding below

Finding: golang.org/x/net v0.50.0 introduces CVE-2026-27141

Severity: Medium (CVSS 5.3–6.9)

golang.org/x/net v0.50.0 contains CVE-2026-27141 / GO-2026-4559, a Denial-of-Service vulnerability in the http2 package. A missing nil check allows an attacker to crash a server by sending specially crafted HTTP/2 frames (types 0x0a–0x0f).

  • The previous version (v0.49.0) is not affected — this CVE was introduced in v0.50.0.
  • The fix is available in v0.51.0+.
  • The latest available version is v0.53.0.

Recommendation: bump golang.org/x/net to at least v0.51.0 to avoid introducing this known vulnerability.


Sent by Cursor Automation: Find vulnerabilities

Comment thread pro/go.mod
github.com/skeema/knownhosts v1.3.1 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
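Review bot: the finding posted on this thread concerns golang.org/x/net v0.50.0, but the four quoted lines are skeema/knownhosts, xanzy/ssh-agent, x/crypto and x/exp, none of which the comment discusses; anchoring the comment on the golang.org/x/net require line, as the later threads on this file do, keeps the flagged version visible next to the finding.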

Severity: Medium | CVE-2026-27141 (GO-2026-4559) — Known DoS vulnerability introduced

golang.org/x/net v0.50.0 contains a medium-severity Denial-of-Service vulnerability in http2. A missing nil check allows an attacker to crash an HTTP/2 server by sending frames with type values 0x0a–0x0f.

The previous version (v0.49.0) is not affected — this vulnerability was introduced in exactly the version this PR targets. The fix is in v0.51.0+.

Recommendation: Update to golang.org/x/net v0.51.0 or later (current latest: v0.53.0) to avoid regressing the security posture.

Ref: https://pkg.go.dev/vuln/GO-2026-4559

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 376e2ea" to "fix(deps): update github.com/semaphoreui/semaphore digest to 4de3049" (Apr 16, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from bc69736 to 280d00f (April 16, 2026 10:38)

@cursor cursor Bot left a comment


Security Review Summary

1 medium-severity finding identified.

Overview

This PR updates the pro module's pinned github.com/semaphoreui/semaphore digest, which transitively bumps two dependencies:

  • go-git/go-git v5.17.1 → v5.17.2 — This is a positive security change. v5.17.2 retains the patches for CVE-2026-33762 (index panic, Low) and CVE-2026-34165 (.idx DoS, Medium) while fixing a regression in v5.17.1 that blocked adoption.

  • golang.org/x/net v0.49.0 → v0.50.0 — This introduces a known vulnerability (see inline comment).

Findings

#   Severity   Finding                                                                                                                                                                          File
1   Medium     CVE-2026-27141 — Updating to golang.org/x/net v0.50.0 introduces an HTTP/2 server panic vulnerability (DoS). v0.49.0 was not affected; the bug was introduced in v0.50.0 and patched in v0.51.0.   pro/go.mod

Sent by Cursor Automation: Find vulnerabilities

Comment thread pro/go.mod Outdated
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/net v0.49.0 // indirect
golang.org/x/net v0.50.0 // indirect
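Review bot: the changed line is an `// indirect` requirement, so v0.50.0 here mirrors what the upstream module's go.mod requires rather than a choice made in pro/go.mod; because minimum version selection takes the highest version required anywhere in the module graph, an explicit `golang.org/x/net v0.51.0` require in this file would be honoured and would lift the selected version without waiting for upstream, which is the local fix a later inline comment on this PR suggests.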

Severity: Medium — CVE-2026-27141 (CVSS 5.3–6.9)

golang.org/x/net v0.50.0 is the only version affected by GO-2026-4559 / CVE-2026-27141. A missing nil check in the HTTP/2 frame handler allows an unauthenticated remote attacker to send crafted frames (type 0x0a–0x0f) that panic the server, causing denial of service.

Impact: Semaphore's HTTP server uses Go's net/http, which enables HTTP/2 by default over TLS via golang.org/x/net/http2. Any internet-facing Semaphore instance running with TLS is exploitable.

Key detail: The previous version (v0.49.0) was not affected — this vulnerability was introduced in v0.50.0 and fixed in v0.51.0. This PR therefore moves from a safe version to a vulnerable one.

Recommendation: Bump golang.org/x/net to at least v0.51.0 (current latest is v0.53.0).

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 4de3049" to "fix(deps): update github.com/semaphoreui/semaphore digest to 05f8ba7" (Apr 16, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 280d00f to 869f15b (April 16, 2026 11:16)

@cursor cursor Bot left a comment


Security Review Summary

1 finding: Medium severity vulnerability introduced

This dependency digest update pulls in golang.org/x/net v0.50.0 as a transitive dependency, which is affected by CVE-2026-27141 (GO-2026-4559). The previous version (v0.49.0) was not affected.

Finding                                    Severity                 CVE              Status
HTTP/2 server panic via crafted frames     Medium (CVSS 5.3–6.9)    CVE-2026-27141   Introduced by this PR

The vulnerability is fixed in golang.org/x/net v0.51.0+. The upstream semaphoreui/semaphore module should bump its golang.org/x/net dependency to >= v0.51.0 so that consumers like this pro module pick up the fix transitively.


Sent by Cursor Automation: Find vulnerabilities

Comment thread pro/go.mod Outdated
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/net v0.49.0 // indirect
golang.org/x/net v0.50.0 // indirect

[Medium] Known vulnerability introduced: CVE-2026-27141 (GO-2026-4559)

This PR updates golang.org/x/net from v0.49.0 (not vulnerable) to v0.50.0, which is affected by CVE-2026-27141.

Issue: Due to a missing nil check, sending HTTP/2 frames with type values 0x0a–0x0f will cause any server using golang.org/x/net/http2 to panic, resulting in a denial-of-service.

Affected range: golang.org/x/net >= v0.50.0, < v0.51.0
Fix available: v0.51.0+

Attack path: An unauthenticated remote attacker sends specially crafted HTTP/2 frames to any endpoint served by the Go HTTP/2 stack, causing the server process to crash.

Recommendation: The upstream github.com/semaphoreui/semaphore module should bump its golang.org/x/net dependency to >= v0.51.0 so this transitive dependency resolves to a patched version.

Comment thread pro/go.sum Outdated
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
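Review bot: the visible context keeps both go.sum entries for v0.49.0 (the `h1:` line and the `/go.mod h1:` line) while only the `h1:` line for v0.50.0 is shown; confirm that `go mod tidy` was run so the `golang.org/x/net v0.50.0/go.mod h1:` entry is present and the v0.49.0 lines, no longer required after the go.mod bump, are dropped rather than left behind.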

[Info] This checksum pins golang.org/x/net v0.50.0, which is the exact version range affected by CVE-2026-27141. Once the upstream module updates to v0.51.0+, this entry should be replaced.

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 05f8ba7" to "fix(deps): update github.com/semaphoreui/semaphore digest to 15a17eb" (Apr 16, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 869f15b to 51c5e9f (April 16, 2026 12:13)

@cursor cursor Bot left a comment


Security Review: No findings

This PR updates dependency digests in pro/go.mod and pro/go.sum:

  • github.com/semaphoreui/semaphore → newer commit digest
  • github.com/go-git/go-git/v5 v5.17.1 → v5.17.2 (patch)
  • golang.org/x/net v0.49.0 → v0.50.0 (minor)

No new dependencies are introduced, no application code is changed, and all updates are minor/patch bumps. This is a low-risk, security-positive change that picks up the latest upstream patches.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 15a17eb" to "fix(deps): update github.com/semaphoreui/semaphore digest to 519d761" (Apr 16, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 51c5e9f to 635b158 (April 16, 2026 13:41)

@cursor cursor Bot left a comment


Security Review — Dependency Update

1 finding (Medium severity)

This PR updates the github.com/semaphoreui/semaphore dependency digest, which transitively bumps two indirect dependencies:

  • go-git/go-git/v5: v5.17.1 → v5.17.2 — Positive change. Includes security fixes for CVE-2026-33762 and CVE-2026-34165, plus a regression fix that was blocking upgrades.
  • golang.org/x/net: v0.49.0 → v0.50.0 — Introduces CVE-2026-27141 (see inline comment).

Summary

Finding                                                               Severity   CVE
golang.org/x/net v0.50.0 is vulnerable to HTTP/2 server panic (DoS)   Medium     CVE-2026-27141 / GO-2026-4559

The golang.org/x/net version should be bumped further to v0.51.0 to avoid shipping with a known vulnerability.


Sent by Cursor Automation: Find vulnerabilities

Comment thread pro/go.mod Outdated
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/net v0.49.0 // indirect
golang.org/x/net v0.50.0 // indirect

Severity: Medium — CVE-2026-27141 (GO-2026-4559)

This update moves golang.org/x/net from v0.49.0 (not affected) into the vulnerable range v0.50.0 (affected by CVE-2026-27141, fixed in v0.51.0).

Vulnerability: A missing nil check in golang.org/x/net/http2 allows a remote attacker to crash any HTTP/2 server by sending malformed frames with type values 0x0a–0x0f. This is a remotely exploitable denial-of-service (DoS) with no authentication required.

Impact: If Semaphore (or any component using this dependency) serves HTTP/2 traffic, an unauthenticated attacker can induce a server panic and crash the process.

Recommendation: Bump golang.org/x/net to v0.51.0 or later, which contains the fix. This would require updating the upstream github.com/semaphoreui/semaphore module to also use golang.org/x/net >= v0.51.0.

References:

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 519d761" to "fix(deps): update github.com/semaphoreui/semaphore digest to c39388c" (Apr 16, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 635b158 to 1229d33 (April 16, 2026 15:25)

@cursor cursor Bot left a comment


Security Review: No Vulnerabilities Introduced

This PR is a Renovate bot digest update for pro/go.mod and pro/go.sum, updating:

  • github.com/semaphoreui/semaphore to the latest commit digest
  • github.com/go-git/go-git/v5 from v5.17.1 to v5.17.2 — positive change: v5.17.2 fixes a regression in v5.17.1 that blocked users from applying patches for CVE-2026-33762 and CVE-2026-34165
  • golang.org/x/net from v0.49.0 to v0.50.0

No high-confidence vulnerabilities are introduced by this PR.

Advisory note

golang.org/x/net v0.50.0 is affected by CVE-2026-27141 (medium severity — HTTP/2 server panic via specially crafted frames, fixed in v0.51.0). However, this is a pre-existing condition: the root go.mod already pins golang.org/x/net at v0.50.0, so Go's Minimum Version Selection already resolved to v0.50.0 in the effective build before this PR. The pro/go.mod change merely aligns the declared indirect dependency with the already-resolved version. A follow-up bump to v0.51.0+ across the entire project would address CVE-2026-27141.


Sent by Cursor Automation: Find vulnerabilities
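The two checks the reviews on this PR keep coming back to, as an added example that is not part of this PR or of the Semaphore project: a small Go program that parses a constructed go.mod fragment, marks a require whose module is redirected by a `replace` directive as cosmetic (the declared pseudo-version does not pick the code that is built), and flags a version inside the half-open affected range the advisory gives for golang.org/x/net (>= v0.50.0, < v0.51.0). The sample go.mod, its pseudo-version and the function names are constructed for this example; the parser is a minimal hand-written one, not golang.org/x/mod/modfile.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, not the project's real pro/go.mod: a pin overridden by a replace, plus the x/net bump.
const sampleGoMod = `require (
	github.com/semaphoreui/semaphore v0.0.0-20260424000000-716382500000
	github.com/go-git/go-git/v5 v5.17.2 // indirect
	golang.org/x/net v0.50.0 // indirect
)
replace github.com/semaphoreui/semaphore => ../
`

type Requirement struct{ Path, Version, ReplacedBy string } // one require line; ReplacedBy is "" when no replace applies

// ParseGoMod reads require/replace directives in block or single-line form (hand-written, not x/mod/modfile).
func ParseGoMod(src string) []Requirement {
	reqs, replaces, block := []Requirement(nil), map[string]string{}, "" // block: inside "require (" or "replace ("
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop comments such as "// indirect"
			line = line[:i]
		}
		f, kind := strings.Fields(line), block
		switch {
		case len(f) == 0: // blank line
		case f[0] == ")":
			block = ""
		case f[0] == "require" || f[0] == "replace":
			kind, f = f[0], f[1:]
			if len(f) == 1 && f[0] == "(" {
				block = kind
				continue
			}
		}
		if kind == "require" && len(f) == 2 {
			reqs = append(reqs, Requirement{Path: f[0], Version: f[1]})
		} else if old, target, ok := strings.Cut(strings.Join(f, " "), " => "); kind == "replace" && ok {
			replaces[strings.Fields(old)[0]] = target // "old [v1] => new [v2]": the target follows "=>"
		}
	}
	for i := range reqs {
		reqs[i].ReplacedBy = replaces[reqs[i].Path]
	}
	return reqs
}

// versionKey maps vMAJOR.MINOR.PATCH to one comparable integer; a pre-release or
// pseudo-version suffix is ignored, which is enough for the tagged x/net releases here.
func versionKey(v string) int {
	var mj, mn, pt int
	fmt.Sscanf(v, "v%d.%d.%d", &mj, &mn, &pt)
	return mj*1_000_000 + mn*1_000 + pt
}

// InAffectedRange reports whether v lies in [lo, hi), the half-open form an advisory
// uses ("introduced in v0.50.0, fixed in v0.51.0").
func InAffectedRange(v, lo, hi string) bool {
	return versionKey(v) >= versionKey(lo) && versionKey(v) < versionKey(hi)
}

// Assess gives the reviewer verdict per requirement: cosmetic when a replace redirects the
// module (the declared version does not pick the code), AFFECTED when vulnModule is in [lo, hi).
func Assess(reqs []Requirement, vulnModule, lo, hi string) map[string]string {
	out := map[string]string{}
	for _, r := range reqs {
		switch {
		case r.ReplacedBy != "":
			out[r.Path] = "cosmetic: " + r.Version + " replaced by " + r.ReplacedBy
		case r.Path == vulnModule && InAffectedRange(r.Version, lo, hi):
			out[r.Path] = "AFFECTED: " + r.Version + " in [" + lo + ", " + hi + ")"
		default:
			out[r.Path] = "ok: " + r.Version
		}
	}
	return out
}

func main() {
	fmt.Println(Assess(ParseGoMod(sampleGoMod), "golang.org/x/net", "v0.50.0", "v0.51.0"))
}
```

The check looks at one go.mod in isolation; the version that actually ships also depends on every other module's requirements under minimum version selection, which is why the root go.mod mentioned in the advisory note above matters.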

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to c39388c" to "fix(deps): update github.com/semaphoreui/semaphore digest to aae6aee" (Apr 16, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 1229d33 to 84b5b09 (April 16, 2026 19:46)

@cursor cursor Bot left a comment


Security Review

1 finding (Medium severity)

This dependency digest update introduces a known vulnerability via golang.org/x/net. The go-git bump is a positive security change.

Dependency          Old       New       Assessment
go-git/go-git/v5    v5.17.1   v5.17.2   Good - fixes regression blocking CVE-2026-33762/CVE-2026-34165 remediation
golang.org/x/net    v0.49.0   v0.50.0   Vulnerable - v0.50.0 is affected by CVE-2026-27141 (fixed in v0.51.0)

See inline comment for details.


Sent by Cursor Automation: Find vulnerabilities

Comment thread pro/go.mod
github.com/skeema/knownhosts v1.3.1 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect

Severity: Medium | CVE-2026-27141 (GO-2026-4559) | HTTP/2 Server Panic

golang.org/x/net v0.50.0 is the only minor version affected by CVE-2026-27141: a missing nil check allows an attacker to crash any HTTP/2 server by sending frames with type values 0x0a–0x0f. The previous v0.49.0 was not affected.

The fix is in v0.51.0. This transitive dependency is pulled in by go-git/go-git/v5 v5.17.2 — the upstream go-git project already merged the bump to v0.51.0 in go-git/go-git#1928, but that fix landed after the v5.17.2 tag.

Impact: Any component in semaphore/pro that serves HTTP/2 traffic (directly or via a reverse proxy) becomes vulnerable to a remote, unauthenticated denial-of-service.

Recommendation: Override the transitive dependency to golang.org/x/net v0.51.0 (or newer) in pro/go.mod by adding an explicit require or replace directive, or wait for a go-git release that already includes the bump.

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to aae6aee" to "fix(deps): update github.com/semaphoreui/semaphore digest to 7f892d7" (Apr 18, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 84b5b09 to 85f6753 (April 18, 2026 14:17)

@cursor cursor Bot left a comment


Security Review: No findings

This PR updates the github.com/semaphoreui/semaphore pseudo-version digest in pro/go.mod (one line change: 72836311c5b9 → 7f892d73f9e1). Key observations:

  • The replace github.com/semaphoreui/semaphore => ../ directive (line 56) overrides this version at build time, so the pseudo-version string is cosmetic and does not change which code is resolved.
  • No transitive dependency versions are changed in this diff — go.sum is not modified.
  • No new dependencies are introduced or removed.
  • No application code, configuration, or secret changes are present.

No injection, auth/authz, SSRF, XSS, supply-chain, or other security risks identified.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to 7f892d7" to "fix(deps): update github.com/semaphoreui/semaphore digest to adbc8c9" (Apr 21, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 85f6753 to 9da7867 (April 21, 2026 23:04)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to adbc8c9" to "fix(deps): update github.com/semaphoreui/semaphore digest to d2bb84b" (Apr 23, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 9da7867 to 38e52a4 (April 23, 2026 18:59)
renovate[bot] changed the title from "fix(deps): update github.com/semaphoreui/semaphore digest to d2bb84b" to "fix(deps): update github.com/semaphoreui/semaphore digest to 7163825" (Apr 24, 2026)
renovate[bot] force-pushed the renovate/github.com-semaphoreui-semaphore-digest branch from 38e52a4 to aa6f4d8 (April 24, 2026 17:29)
fiftin closed this (Apr 24, 2026)