Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 #4793
dependabot[bot] wants to merge 5 commits into main from
Conversation
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## main #4793 +/- ##
==========================================
- Coverage 69.01% 68.97% -0.04%
==========================================
Files 517 518 +1
Lines 54829 54980 +151
==========================================
+ Hits 37838 37921 +83
- Misses 14074 14130 +56
- Partials 2917 2929 +12

View full report in Codecov by Sentry.
LGTM — standard Dependabot security bump touching only go.mod/go.sum.
Extended reasoning...
Overview
This PR bumps github.com/sigstore/timestamp-authority/v2 from v2.0.3 to v2.0.6 in go.mod and go.sum. The only files changed are the dependency manifest and lockfile. Several transitive dependencies (go-openapi, sigstore libraries, tink-crypto, etc.) also received minor version bumps as part of the dependency graph update.
Security risks
The upgrade itself is a security improvement: v2.0.6 fixes GHSA-xm5m-wgh2-rrg3 (incorrect certificate used for TSA auth checks). No new attack surface is introduced. The one bug flagged by the automated scanner is a stale govulncheck suppression comment in .github/workflows/security-scan.yml — a file not modified by this PR — which is a documentation nit with no functional impact on the dependency update itself.
Level of scrutiny
Low. This is a mechanical Dependabot patch that only touches go.mod and go.sum, follows the project's established dependency management pattern, and carries a high Dependabot compatibility score. No application logic is altered.
Other factors
The stale suppression comment (GO-2025-4192) is already captured as an inline nit and can be addressed in a follow-up; it does not affect the correctness of this bump. No outstanding reviewer comments exist on this PR.
| github.com/sigstore/sigstore v1.10.5 // indirect | ||
| github.com/sigstore/sigstore-go v1.1.4 // indirect | ||
| github.com/sigstore/timestamp-authority/v2 v2.0.3 // indirect | ||
| github.com/sigstore/timestamp-authority/v2 v2.0.6 // indirect | ||
| github.com/sirupsen/logrus v1.9.4 // indirect | ||
| github.com/skeema/knownhosts v1.3.1 // indirect |
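Review bot: the bumped requirement is marked `// indirect`, so this repository does not import github.com/sigstore/timestamp-authority/v2 itself; it arrives transitively (sigstore-go v1.1.4 is two lines up in the same hunk), and the go.mod line only records the version minimal version selection settled on. Before merging, confirm that v2.0.6 is what the build actually selects (`go list -m github.com/sigstore/timestamp-authority/v2`) and which direct dependency pulls it in (`go mod why -m github.com/sigstore/timestamp-authority/v2`). If sigstore-go v1.1.4 itself still requires an older v2 version, the fix for GHSA-xm5m-wgh2-rrg3 rests entirely on this explicit requirement staying in go.mod, which `go mod tidy` keeps but a manual go.mod cleanup could drop.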
🟡 The govulncheck suppression for GO-2025-4192 in .github/workflows/security-scan.yml has a stale justification comment claiming 'Fix requires sigstore-go to upgrade to timestamp-authority/v2 which hasn't been released yet,' but this PR upgrades timestamp-authority/v2 to v2.0.6, making the comment factually incorrect. The suppression entry (and ideally the comment) should be removed or updated to reflect the current state, and govulncheck should be run to verify whether the vulnerability is still triggered post-upgrade.
Extended reasoning...
What the bug is: The file .github/workflows/security-scan.yml line 81 contains IGNORED_VULNS="GO-2025-4192 GO-2026-4514 GO-2026-4883 GO-2026-4887", suppressing the govulncheck report for GO-2025-4192 (CVE-2025-66564: excessive memory allocation in sigstore/timestamp-authority). Lines 60-65 of the same file contain a justification comment explaining the suppression: 'Fix requires sigstore-go to upgrade to timestamp-authority/v2 which hasn't been released yet.' This comment is now demonstrably stale.
The specific code path: This PR bumps github.com/sigstore/timestamp-authority/v2 from v2.0.3 to v2.0.6 in go.mod (line 247). The go.mod and go.sum diffs confirm that the old v1 module dependency has been fully removed (e.g., github.com/oklog/ulid v1.3.1 and go.mongodb.org/mongo-driver v1.17.6 are gone, replaced by github.com/oklog/ulid/v2 v2.1.1), and go.sum now only contains github.com/sigstore/timestamp-authority/v2 v2.0.6. The transition to v2 that the suppression comment was waiting for has clearly already happened.
Why existing code doesn't prevent it: The IGNORED_VULNS list in security-scan.yml is a manual allowlist. There is no automated mechanism to detect when a suppression becomes stale—developers must track these manually. Dependabot-generated PRs like this one do not touch the security-scan.yml workflow, so the stale suppression was naturally left behind.
Concrete proof: (1) The suppression comment says 'hasn't been released yet,' but the project was already on timestamp-authority/v2 v2.0.3 before this PR. (2) This PR upgrades it further to v2.0.6. (3) The vulnerability GO-2025-4192 is in timestamp-authority v1 (excessive memory allocation in server-side request parsing). Since the project is now fully on v2, the original rationale is resolved. (4) The 'hasn't been released yet' claim was already inaccurate at commit a388093 when the suppression was added, and is even more clearly wrong after this PR.
Impact: The stale comment ('which hasn't been released yet') actively misleads developers into believing the upstream fix is still pending. Additionally, if GO-2025-4192 is truly fixed by the v2 upgrade, keeping the suppression means govulncheck will not alert if this vulnerability is somehow re-introduced. The practical security risk is mitigated by the fact that ToolHive only uses timestamp-authority as a client (via sigstore-go) and does not expose the vulnerable server endpoints—so the suppression may still be technically valid even if the comment is wrong.
How to fix: Remove GO-2025-4192 from the IGNORED_VULNS list in .github/workflows/security-scan.yml line 81, and delete the associated justification comment at lines 60-65. Run govulncheck locally after the upgrade to confirm whether GO-2025-4192 is still triggered. If it is still flagged (due to a reachable code path), add a fresh, accurate comment explaining the current rationale for the suppression.
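One way to mechanize the check this comment asks for, as an added example that is not ToolHive's code and not part of this PR: it pulls IGNORED_VULNS out of the workflow text, reads a `govulncheck -json` stream, and classifies each suppressed id as stale (no longer reported), module-level only, or still reachable at symbol level, while also listing findings the allowlist does not cover. The workflow fragment and the scan output below are constructed inputs; the allowlist mirrors the line quoted in the review, but the findings are invented, the module paths are hypothetical, and GO-0000-0000 is a placeholder id.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"sort"
	"strings"
)

// govulncheck -json emits a sequence of JSON objects; only those carrying a
// "finding" matter here. A finding whose first trace frame names a Function
// was reached at symbol level; one whose frames carry only module data is a
// module-level hit. Unknown fields are ignored by encoding/json.
type message struct {
	Finding *finding `json:"finding"`
}

type finding struct {
	OSV   string  `json:"osv"`
	Trace []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Function string `json:"function"`
}

// Report classifies every id in the allowlist and lists uncovered findings.
type Report struct {
	Stale        []string // suppressed but no longer reported at all
	Reachable    []string // suppressed and still reported at symbol level
	ModuleOnly   []string // suppressed and reported only at module level
	Unsuppressed []string // reported but absent from the allowlist
}

var ignoredRe = regexp.MustCompile(`IGNORED_VULNS="([^"]*)"`)

// ParseIgnored pulls the space-separated allowlist out of the workflow text.
func ParseIgnored(workflow string) []string {
	m := ignoredRe.FindStringSubmatch(workflow)
	if m == nil {
		return nil
	}
	return strings.Fields(m[1])
}

// ParseFindings returns, per OSV id, whether any finding reached a symbol.
func ParseFindings(r io.Reader) (map[string]bool, error) {
	dec := json.NewDecoder(r)
	reach := map[string]bool{}
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			return reach, nil
		}
		if err != nil {
			return nil, err
		}
		if f := m.Finding; f != nil {
			symbol := len(f.Trace) > 0 && f.Trace[0].Function != ""
			reach[f.OSV] = reach[f.OSV] || symbol
		}
	}
}

// Audit compares the allowlist against the scan results.
func Audit(ignored []string, reach map[string]bool) Report {
	var rep Report
	allowed := map[string]bool{}
	for _, id := range ignored {
		allowed[id] = true
		symbol, found := reach[id]
		switch {
		case !found:
			rep.Stale = append(rep.Stale, id)
		case symbol:
			rep.Reachable = append(rep.Reachable, id)
		default:
			rep.ModuleOnly = append(rep.ModuleOnly, id)
		}
	}
	for id := range reach {
		if !allowed[id] {
			rep.Unsuppressed = append(rep.Unsuppressed, id)
		}
	}
	for _, s := range [][]string{rep.Stale, rep.Reachable, rep.ModuleOnly, rep.Unsuppressed} {
		sort.Strings(s) // sorts the shared backing array in place
	}
	return rep
}

// Constructed inputs, not real scanner output. GO-0000-0000 is a placeholder
// id and the example.com modules are hypothetical.
const sampleWorkflow = `
        run: |
          IGNORED_VULNS="GO-2025-4192 GO-2026-4514 GO-2026-4883 GO-2026-4887"
          govulncheck -json ./... > scan.json
`

const sampleScan = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2026-4514","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-2026-4883","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0"}]}}
{"finding":{"osv":"GO-0000-0000","fixed_version":"v2.0.0","trace":[{"module":"example.com/third","version":"v1.0.0","package":"example.com/third","function":"Do"}]}}
`

// RunSample audits the constructed inputs; swap strings.NewReader(sampleScan)
// for os.Stdin to audit a real `govulncheck -json ./...` stream.
func RunSample() (Report, error) {
	reach, err := ParseFindings(strings.NewReader(sampleScan))
	if err != nil {
		return Report{}, err
	}
	return Audit(ParseIgnored(sampleWorkflow), reach), nil
}

func main() {
	rep, err := RunSample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("stale suppressions (remove): %v\n", rep.Stale)
	fmt.Printf("still reachable (keep, re-justify): %v\n", rep.Reachable)
	fmt.Printf("module-level only (keep or tighten): %v\n", rep.ModuleOnly)
	fmt.Printf("unsuppressed findings: %v\n", rep.Unsuppressed)
}
```

Wired into CI after the scan step, a non-empty Stale list is the signal to drop the entry and its justification comment, and a non-empty Unsuppressed list is the failure the allowlist exists to gate; ids that land in Reachable are the ones whose comment must still explain why the code path is acceptable.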
Bumps [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) from 2.0.3 to 2.0.6. - [Release notes](https://github.com/sigstore/timestamp-authority/releases) - [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md) - [Commits](sigstore/timestamp-authority@v2.0.3...v2.0.6) --- updated-dependencies: - dependency-name: github.com/sigstore/timestamp-authority/v2 dependency-version: 2.0.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
The timestamp-authority/v2 bump to v2.0.6 resolves CVE-2025-66564 (excessive memory allocation). Verified locally with govulncheck that the vulnerability is no longer flagged. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1b6c6ea to 46395e9
@ChrisJBurns @rdimitrov I had to resolve a conflict, could I get another tick please?

@jhrozek There's another one 😢

@claude Fix the merge conflicts in this PR
Claude finished @ChrisJBurns's task in 8m 31s. Merge conflicts resolved
Root cause: After this PR was branched, main gained
Resolution (commit
Main gained go.starlark.net as a direct dependency after this PR was branched. Include it alongside the oklog/ulid/v2 require block added by the dependabot timestamp-authority bump. Co-authored-by: Chris Burns <ChrisJBurns@users.noreply.github.com>
@copilot resolve the merge conflicts in this pull request |
…/github.com/sigstore/timestamp-authority/v2-2.0.6
# Conflicts:
#	go.mod
#	go.sum
Co-authored-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
Merged the latest
…mestamp-authority/v2-2.0.6
Bumps github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6.
Release notes
Sourced from github.com/sigstore/timestamp-authority/v2's releases.
Changelog
Sourced from github.com/sigstore/timestamp-authority/v2's changelog.
Commits
9583b61 Ensure correct certificate is used for TSA auth checks (GHSA-xm5m-wgh2-rrg3) ...
7aab8b4 chore(deps): bump golang.org/x/net from 0.51.0 to 0.52.0 (#1322)
48c7b2c chore(deps): bump codecov/codecov-action from 5.5.3 to 6.0.0 (#1327)
49ca4e4 chore(deps): bump the gomod group with 2 updates (#1326)
5812ba0 chore(deps): bump go.step.sm/crypto from 0.76.2 to 0.77.2 (#1328)
6a334a8 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#1329)
d799204 chore(deps): bump actions/upload-artifact in the actions group (#1332)
b9ce102 chore(deps): bump golang from 1.26.0 to 1.26.2 in the docker group (#1331)
54bc0c1 chore(deps): bump the gomod group across 1 directory with 6 updates (#1324)
ffb897a chore(deps): bump the actions group across 1 directory with 4 updates (#1325)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.