# github-prs
  • g

    GitHub

    11/08/2025, 1:47 AM
    #5941 chore(deps): update redis:7.4-alpine docker digest to ee64a64 in docker-compose.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Update | Change |
    | --- | --- | --- |
    | redis | digest | 3b73847 -> ee64a64 |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/09/2025, 1:39 AM
    #5942 chore(deps): update step-security/harden-runner digest to 95d9a5d in .github/workflows/scorecard.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | digest | f4a75cf -> 95d9a5d | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/10/2025, 1:13 AM
    #5943 chore(deps): update go to v1.25.4 in go.mod (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.3 -> 1.25.4 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) |
    | golang | stage | patch | 1.25.3-alpine -> 1.25.4-alpine | |

    ---

    ### Release Notes

    golang/go (go)

    ### `v1.25.4`

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about these updates again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/10/2025, 8:05 PM
    #5921 fix: Separate user and email for bitbucket
    Pull request opened by lukemassa on 2025-10-31T03:09:37Z

    ## what
    Separates out `email` from `user` for bitbucket.

    ## why
    My understanding of #5696 is that there has to be a separate "username" from "email" address in the new bitbucket authentication scheme, so I added a flag to tease that out:
    atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi'                            
    Error: --bitbucket-email must be specified alongside --bitbucket-user
    exit status 1
    atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi' --bitbucket-email=foo@bar
    {"level":"info","ts":"2025-10-30T23:06:24.009-0400","caller":"server/server.go:345","msg":"Supported VCS Hosts: BitbucketCloud","json":{}}
    DISCLAIMER: I've never used bitbucket before, and am just going off the description of a problem in #5696 to try to help out.

    ## tests
    TODO: add tests
    Also need to update documentation

    ## references
    closes: #5696

    runatlantis/atlantis
  • g

    GitHub

    11/11/2025, 2:29 AM
    #5945 chore(deps): update dependency hashicorp/terraform to v1.13.5 in testdrive/utils.go (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Update | Change | OpenSSF |
    | --- | --- | --- | --- |
    | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | patch | 1.13.4 -> 1.13.5 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/hashicorp/terraform) |

    ---

    ### Release Notes

    hashicorp/terraform (hashicorp/terraform)

    ### `v1.13.5`

    Compare Source

    ##### 1.13.5 (November 5, 2025)

    BUG FIXES:
    • impure functions could cause templatefile to incorrectly fail consistency checks (#37807)
    • Allow filesystem functions to return inconsistent results when evaluated within provider configuration (#37854)

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/11/2025, 3:44 AM
    #5946 docs: Consolidate release documentation
    Pull request opened by lukemassa

    ## what
    Move release documentation out of CONTRIBUTING.md and RELEASE_CADENCE.md into a single RELEASE.md file.

    ## why
    Release information isn't relevant to contributing, and was cluttering up that document. Instead of creating another file, I thought it made sense to reuse RELEASE_CADENCE.md (which is a bit specific for a top-level file) to create RELEASE.md.

    ## tests
    N/A

    ## references
    Came up during discussion in #5890

    runatlantis/atlantis
  • g

    GitHub

    11/13/2025, 12:49 AM
    #5951 chore(deps): update ghcr.io/runatlantis/atlantis:latest docker digest to 26043ad in dockerfile.dev (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change |
    | --- | --- | --- | --- |
    | ghcr.io/runatlantis/atlantis | final | digest | c1e648a -> 26043ad |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 12:17 AM
    #5953 chore(deps): update github/codeql-action digest to f94c9be in .github/workflows/codeql.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | 5d5cd55 -> f94c9be | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 1:12 AM
    #5954 feat: implement --ignore-vcs-status-names for GitLab
    Pull request opened by jklong

    ## what
    Implement the `--ignore-vcs-status-names` flag for the GitLab provider. Similar to #4978, this consults an ignore list for commit status names when determining mergeability. If a commit status name can be parsed as `{vcsstatusname}/...` and that parsed `vcsstatusname` is present in the configured ignore list then it is skipped.

    ## why
    Similar reasoning as expressed in #2848 for the existing GitHub-only feature - when multiple atlantis servers with different `vcs-status-names` operate on a single repo with a `mergeable` requirement they see pending pipeline statuses set by the other atlantis instances and report that the MR is not mergeable.

    ## tests
    • I have tested my changes by adding unit test coverage. `go test ./server/events/vcs` passes, however an existing, unrelated, test failure at main/HEAD causes `make test` to fail.

    ## references
    #2848 #4978

    runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 4:38 AM
    #5955 fix: Assume divergence until established otherwise
    Pull request opened by aggrand

    ## what
    This modifies the divergence checking behavior to assume divergence unless proven otherwise. On any errors it will say that there is a divergence.

    ## why
    The documentation on the merge checkout strategy describes the issue where a failure to use the updated main branch can delete resources that are configured on the main branch. Depending on the resource in question, this could be an unforeseeable change that could have disastrous consequences.

    The existing behavior seemed to assume safety unless proven unsafe. It would be incredibly bad for a series of poorly-timed transient network failures on fetches to result in an apply that destroys resources. Our usage prioritizes safety and we would prefer that the plan/apply bail if it cannot establish safety.

    I realize that this is an opinionated change, but I suspect that most people who go out of their way to enable the merge strategy and undiverged requirement are expecting to make their processes as safe as possible. I was surprised by the behavior. If preferred, I could also lock this behavior behind an option. I'm not sure to what extent this would be a breaking change.

    ## tests

    ## references

    runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 5:50 AM
    #5956 chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Change | Age | Confidence |
    | --- | --- | --- | --- |
    | golang.org/x/crypto | v0.41.0 -> v0.43.0 | [age](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |

    ---

    ### Potential denial of service in golang.org/x/crypto/ssh/agent

    CVE-2025-47913 / GO-2025-4116

    More information

    #### Details
    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

    #### Severity
    Unknown

    #### References
    • https://go.dev/cl/700295
    • https://go.dev/issue/75178
    • https://github.com/advisories/GHSA-hcg3-q754-cr77

    This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

    ---

    ### Configuration

    📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/15/2025, 1:16 AM
    #5958 chore(deps): update ngrok/ngrok:latest docker digest to 168300d in docker-compose.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Update | Change |
    | --- | --- | --- |
    | ngrok/ngrok | digest | 50234a7 -> 168300d |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/15/2025, 10:41 AM
    #5959 build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1
    Pull request opened by dependabot[bot]

    Bumps js-yaml from 4.1.0 to 4.1.1.

    Changelog

    Sourced from js-yaml's changelog.

    ## [4.1.1] - 2025-11-12
    ### Security
    • Fix prototype pollution issue in yaml merge (<<) operator.

    Commits
    • `cc482e7` 4.1.1 released
    • `50968b8` dist rebuild
    • `d092d86` lint fix
    • `383665f` fix prototype pollution in merge (<<)
    • `0d3ca7a` README.md: HTTP => HTTPS (#678)
    • `49baadd` doc: 'empty' style option for !!null
    • `ba3460e` Fix demo link (#618)
    • See full diff in compare view

    [Dependabot compatibility score]

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

    ---

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:
    • `@dependabot rebase` will rebase this PR
    • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
    • `@dependabot merge` will merge this PR after your CI passes on it
    • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
    • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
    • `@dependabot reopen` will reopen this PR if it is closed
    • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
    • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    runatlantis/atlantis
  • g

    GitHub

    11/15/2025, 6:12 PM
    #5960 chore: Improve working dir lock error output
    Pull request opened by lukemassa

    ## what
    Improve the output when hitting a working dir lock.

    ## why
    I changed the output command #5935, and messed up the punctuation so there was no space between `"` and the next word. Additionally the wording was a bit confusing and long, this cleans it up a bit.

    ## tests
    Before: [Screenshot 2025-11-15 at 1 07 45 PM]
    After: [Screenshot 2025-11-15 at 1 05 56 PM]

    ## references
    Follow up to #5935

    runatlantis/atlantis
  • g

    GitHub

    11/16/2025, 12:38 AM
    #5961 chore(deps): update actions/dependency-review-action action to v4.8.2 in .github/workflows/dependency-review.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | patch | v4.8.1 -> v4.8.2 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/actions/dependency-review-action) |

    ---

    ### Release Notes

    actions/dependency-review-action (actions/dependency-review-action)

    ### `v4.8.2`

    Compare Source

    Minor fixes:
    • Fix PURL parsing for scoped packages (#1008 from @danielhardej)
    • Fix for large summaries (#1007 from @gitulisca)
    • README includes a working example for allow-dependencies-licenses (#1009 from @danielhardej)

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/16/2025, 6:25 AM
    #5963 chore: Remove invalid policy owner tests from command_runner_test
    Pull request opened by lukemassa

    ## what
    Remove two tests from command_runner_test that check to make sure policy approver is the policy set owner.

    ## why
    This logic (and associated tests) was moved to the project command runner: #3086, command_runner no longer has a notion of owner of a policy config.

    The reason these tests have continued to pass is somewhat subtle. For `TestApprovedPoliciesUpdateFailedPolicyStatus`, the issue was that it was checking to make sure the policy passed, which, after the logic was moved, it always would, regardless of what user was specified.
    atlantis % git diff                                                                 
    diff --git a/server/events/command_runner_test.go b/server/events/command_runner_test.go
    index 84da1ffc..fabfe84d 100644
    --- a/server/events/command_runner_test.go
    +++ b/server/events/command_runner_test.go
    @@ -1148,7 +1148,7 @@ func TestApprovedPoliciesUpdateFailedPolicyStatus(t *testing.T) {
                            CommandName: command.ApprovePolicies,
                            PolicySets: valid.PolicySets{
                                    Owners: valid.PolicyOwners{
    -                                       Users: []string{testdata.User.Username},
    +                                       Users: []string{"some different name that shouldn't work"},
                                    },
                            },
                    },
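    Review bot: In the `Owners` block, the changed `Users` entry is the only input tied to policy ownership, and the `go test` run that follows still reports `ok`, so no assertion in `TestApprovedPoliciesUpdateFailedPolicyStatus` depends on who the owner is. Since approving policies is an authorization decision, confirm before deleting this test that the project command runner tests referenced via #3086 assert that a non-owner is rejected.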
    atlantis % go test ./server/events -run TestApprovedPoliciesUpdateFailedPolicyStatus
    ok  	github.com/runatlantis/atlantis/server/events	0.412s
    So the question is, why was `TestFailedApprovalCreatesFailedStatusUpdate`
    passing? It was checking to make sure that the command failed, so it should have failed immediately once the policy check was removed. The issue is that this test had a bug: it never specified a return value for ApprovePolicies, so got the "default" value of a ProjectResult. Part of the determination of whether pullStatus is "success" is the command name, and since ProjectResult contains command name, it got the "default" command name, which is Apply. This is why I noticed it, because I am trying to remove command name from ProjectResult to prevent exactly this kind of bug (#5962). ``` atlantis % git diff diff --git a/server/events/command_runner_test.go b/server/events/command_runner_test.go index 84da1ffc..f7dc2c74 100644 --- a/server/events/command_runner_test.go +++ b/server/events/command_runner_test.go 
@@ -1104,6 +1104,14 @@ func TestFailedApprovalCreatesFailedStatusUpdate(t *testing.T) { }, nil) When(workingDir.GetPullDir(testdata.GithubRepo, testdata.Pull)).ThenReturn(tmp, nil) + When(projectCommandRunner.ApprovePolicies(Any[command.ProjectContext]())).Then(func(_ []Param) ReturnValues { + return ReturnValues{ + command.ProjectResult{ + Command: command.PolicyCheck, + PolicyCheckResults: &models.PolicyCheckResults{}, + }, + } + }) ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, &testdata.Pull, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.ApprovePolicies}) commitUpdater.VerifyWasCalledOnce().UpdateCombinedCount( atlantis % go test ./server/events -run TestFailedApprovalCreatesFailedStatusUpdate --- FAIL: TestFailedApprovalCreatesFailedStatusUpdate (0.04s) command_runner_test.go1072 if "atlantis approve_policies" is run by non policy owner policy check status fails. logger.go146 2025-11-16T005645.134-0500 DEBUG updating DB with pull results {"repo": "runatlantis/atlantis", "pull": "1"} logger.go146 2025-11-16T005645.142-0500 DEBUG timer {"name": "atlantis_comment_approve_policies_execution_time", "value": "8.708583ms", "tags": {}, "type": "timer"} testing_t_support.go41 /Users/lmassa/go/pkg/mod/github.com/petergtz/pegomock/v4@v4.2.0/testing_t_support.go:40 +0x48 github.com/petergtz/pegomock/v4.(*GenericMock).Verify(0x1400007e198, 0x0, {0x101d6d7e0, 0x1400001ebd0}, {0x101858735, 0x13}, {0x14000294cb0, 0x7, 0x7}, {0x140005c3048?, ...}) /Users/lmassa/go/pkg/mod/github.com/petergtz/pegomock/v4@v4.2.0/dsl.go:153 +0x520 github.com/runatlantis/atlantis/server/events/mocks.(*VerifierMockCommitStatusUpdater).UpdateCombinedCount(0x140005c3880, {_, }, {{, }, {, }, {, }, {, ...}, ...}, ...) 
/Users/lmassa/atlantis/server/events/mocks/mock_commit_status_updater.go:182 +0x23c github.com/runatlantis/atlantis/server/events_test.TestFailedApprovalCreatesFailedStatusUpdate(0x14000092e00) /Users/lmassa/atlantis/server/events/command_runner_test.go:1117 +0x12e8 testing.tRunner(0x14000092e00, 0x101d5c220) /Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.darwin-arm64/src/testing/testing.go:1934 +0xc8 created by testing.(*T).Run in goroutine 1 /Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.darwin-arm64/src/testing/testing.go:1997 +0x364 Mock invocation count for UpdateCombinedCount(Any(logging.SimpleLogging), Any(models.Repo), Any(models.PullRequest), Eq(1), Eq(3), Eq(0), Eq(2)) does not match expectation. Expected: 1; but got: 0 Actual interactions with this mock were: UpdateCombined(&logging.StructuredLogger{z:(*zap.SugaredLogger)(0x14000014078), levelzap.AtomicLevel{l(*atomic.Int32)(0x140000ab040)}, keepHistory:true, historybytes.Buffer{buf[]uint8{0x5b, 0x44, 0x42, 0x55, 0x47, 0x5d, 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x44, 0x42, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x70, 0x75, 0x6c, 0x6c, 0x20, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0xa}, off:0, lastRead:0}}, models.Repo{FullName:"runatlantis/atlantis", Owner:"runatlantis", Name:"atlantis", CloneURL:"https://user:password@github.com/runatlantis/atlantis.git", SanitizedCloneURL:"https://github.com/runatlantis/atlantis.git", VCSHostmodels.VCSHost{Hostname"github.com", Type:0}}, models.PullRequest{Num:1, HeadCommit:"", URL:"", HeadBranch:"", BaseBranch:"", Author:"", State:0, BaseRepomodels.Repo{FullName"runatlantis/atlantis", Owner:"runatlantis", Name:"atlantis", CloneURL:"https://user:password@github.com/runatlantis/atlantis.git", SanitizedCloneURL:"https://github.com/runatlantis/atlantis.git", VCSHostmodels.VCSHost{Hostname"github.com", Type:0}}}, 0, 3) UpdateCombinedCount(&logging.StructuredLogger{z:(*zap.SugaredLogger)(0x14000014078), 
levelzap.AtomicLevel{l(*atomic.Int32)(0x140000ab040)}, keepHistory:true, historybytes.Buffer{buf[]uint8{0x5b, 0x44, 0x42, 0x55, 0x47, 0x5d, 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x44, 0x42, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x70, 0x75, 0x6c, 0x6c, 0x20, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0xa}, off:0, lastRead:0}}, models.Repo{FullName:"runatlantis/atlantis", Owner:"runatlantis", Name:"atlantis", CloneURL:"https://user:password@github.com/runatlantis/atlantis.git", SanitizedCloneURL:"https://github.com/runatlantis/atlantis.git", VCSHostmodels.VCSHost{Hostname"github.com", Type:0}}, models.PullRequest{Num:1, HeadCommit:"", URL:"", HeadBranch:"", BaseBranch:"", Author:"", State:0, BaseRepomodels.Repo{FullName"runatlantis/atlantis", Owner:"runatlan… runatlantis/atlantis
  • g

    GitHub

    11/17/2025, 1:16 AM
    #5965 chore(deps): update dependency opentofu/opentofu to v1.10.7 in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ------------------------------------------------------------------ | ------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [opentofu/opentofu](https://redirect.github.com/opentofu/opentofu) | patch | 1.10.6 -> 1.10.7 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/ce717ba2c81ac0c4d405947613d026de7d49e9f59f60457ed964da33f31eb3b4/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e746f66752f6f70656e746f66752f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/opentofu/opentofu) | --- ### Release Notes opentofu/opentofu (opentofu/opentofu) ### `v1.10.7` Compare Source SECURITY ADVISORIES: This release contains fixes for some security advisories related to previous releases in this series. •
    `tofu init` in OpenTofu v1.10.6 and earlier could potentially use unbounded memory if there is a direct or indirect dependency on a maliciously-crafted module package distributed as a "tar" archive. This would require the attacker to coerce a root module author to depend (directly or indirectly) on a module package they control, using the HTTP, Amazon S3, or Google Cloud Storage source types to refer to a tar archive. This release incorporates the upstream fixes for CVE-2025-58183. • When making requests to HTTPS servers, OpenTofu v1.10.6 and earlier could potentially use unbounded memory or crash with a "panic" error if TLS verification involves an excessively-long certificate chain or a chain including DSA public keys. This affected all outgoing HTTPS requests made by OpenTofu itself, including requests to HTTPS-based state storage backends, module registries, and provider registries. For example, an attacker could coerce a root module author to depend (directly or indirectly) on a module they control which then refers to a module or provider from an attacker-controlled registry. That mode of attack would cause failures in `tofu init`, at module or provider installation time. Provider plugins contain their own HTTPS client code, which may have similar problems. OpenTofu v1.10.7 cannot address similar problems within provider plugins, and so we recommend checking for similar advisories and fixes in the provider plugins you use. This release incorporates upstream fixes for CVE-2025-58185, CVE-2025-58187, and CVE-2025-58188. BUG FIXES: • Fix crash in tofu test when using deprecated outputs (#3249) • Fix missing provider functions when parentheses are used (#3402) • `for_each` inside `dynamic` blocks can now call provider-defined functions. (#3429) Full Changelog: opentofu/opentofu@v1.10.6...v1.10.7 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 3:07 AM
    #5966 chore(deps): update dependency vue to v3.5.24 in package.json (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------------------------------------------------ | --------------- | ------ | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [vue](https://redirect.github.com/vuejs/core/tree/main/packages/vue#readme) ([source](https://redirect.github.com/vuejs/core)) | devDependencies | patch | [3.5.22 -> 3.5.24](https://renovatebot.com/diffs/npm/vue/3.5.22/3.5.24) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e1691da63d6ce4d0e287d7d5cd665594be0b5c9101500763a51a848101abc0ce/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f7675656a732f636f72652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/vuejs/core) | --- ### Release Notes vuejs/core (vue) ### `v3.5.24` Compare Source ##### Reverts • Revert "fix(compiler-core): correctly handle ts type assertions in expression…" (#​14062) (11ec51a), closes #​14062 #​14060 ### `v3.5.23` Compare Source ##### Bug Fixes • compiler-core: correctly handle ts type assertions in expressions (#​13397) (e6544ac), closes #​13395 • compiler-core: fix v-bind shorthand handling for in-DOM templates (#​13933) (b3cca26), closes #​13930 • compiler-sfc: resolve numeric literals and template literals without expressions as static property key (#​13998) (75d44c7) • compiler-ssr: textarea with v-text directive SSR (#​13975) (006a0c1) • 
compiler: using guard instead of non-nullish assertion (#​13982) (dcc6f36) • custom-element: batch custom element prop patching (#​13478) (c13e674), closes #​12619 • custom-element: optimize slot retrieval to avoid duplicates (#​13961) (84ca349), closes #​13955 • hydration: avoid mismatch during hydrate text with newlines in interpolation (#​9232) (6cbdf78), closes #​9229 • runtime-core: pass props and children to loadingComponent (#​13997) (40c4b2a) • runtime-dom: ensure iframe sandbox is handled as an attribute to prevent unintended behavior (#​13950) (5689884), closes #​13946 • suspense: clear placeholder and fallback el after resolve to enable GC (#​13928) (f411c66) • transition-group: use offsetLeft and offsetTop instead of getBoundingClientRect to avoid transform scale affect animation (#​6108) (dc4dd59), closes #​6105 • v-model: handle number modifier on change (#​13959) (8fbe48f), closes #​13958 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 11:52 AM
    #5968 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-0.34) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.36.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/ebbdc16b77b9072e24fd8225ecca4fac53f29a5b23414cf79dda51a18d48e854/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33362e302f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. 
#### CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). 
--- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • <https://nvd.nist.gov/vuln/detail/CVE-2025-58181|htt… runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 11:53 AM
    #5969 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-0.35) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.36.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/ebbdc16b77b9072e24fd8225ecca4fac53f29a5b23414cf79dda51a18d48e854/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33362e302f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. 
#### CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). 
--- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • <https://nvd.nist.gov/vuln/detail/CVE-2025-58181|htt… runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 11:53 AM
    #5970 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-0.36) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.41.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/d5e9e2d48ab3a8303e003e3644d6a42caa0bb32e1683dbd0b00e7f84d9d40988/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34312e302f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. 
#### CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). 
--- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • <https://nvd.nist.gov/vuln/detail/CVE-2025-58181|htt… runatlantis/atlantis
  • g

    GitHub

    11/20/2025, 1:12 AM
    #5971 fix: Nil pointer dereference in atlantis version command Pull request opened by Adamovix ## what Fixes #5972 Initialize DefaultTFDistribution field in VersionStepRunner to match pattern used by InitStepRunner, ApplyStepRunner, and ImportStepRunner. ## why Without this field, `atlantis version` command causes two bugs: Bug 1: Nil pointer panic • When terraform binary cache is empty (after Atlantis restart, upgrade, or cache clear) • Panic at terraform_client.go:509 when calling `dist.BinName()` on nil distribution Bug 2: Command failure on fresh instances • On fresh Atlantis instances with existing PRs • Fails with "no such file or directory" / "no projects to run version in" ## tests Reproduction: 1. Clear cached binaries: `rm -rf ~/.atlantis/bin/*` 2. Run `atlantis version` Result: • Before fix: Panic with nil pointer dereference • After fix: Downloads required terraform version and executes successfully Tested on locally built Docker image with fix applied. ## references runatlantis/atlantis
  • g

    GitHub

    11/20/2025, 2:10 AM
    #5241 fix: avoid performance degradation with Github and --hide-prev-plan-comments enabled Pull request opened by oleg-glushak ## what Switch from GitHub REST API to GitHub GraphQL for listing comments to expose the `isMinimized` attribute to avoid minimizing already minimized comments on each Atlantis command execution. ## why This helps to avoid performance degradation by minimizing only non-minimized Atlantis comments, as opposed to processing all comments sequentially on each Atlantis command execution. ## tests • I have tested my changes by running unit tests. • I have tested my changes by running this version of Atlantis and checking if the --hide-prev-plan-comments performance still works in general and the performance degradation disappears. ## references • Closes #5232 runatlantis/atlantis
  • g

    GitHub

    11/20/2025, 2:56 AM
    #5973 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 Pull request opened by dependabot[bot] Bumps golang.org/x/crypto from 0.43.0 to 0.45.0. Commits • `4e0068c` go.mod: update golang.org/x dependencies • `e79546e` ssh: curb GSSAPI DoS risk by limiting number of specified OIDs • `f91f7a7` ssh/agent: prevent panic on malformed constraint • `2df4153` acme/autocert: let automatic renewal work with short lifetime certs • `bcf6a84` acme: pass context to request • `b4f2b62` ssh: fix error message on unsupported cipher • `79ec3a5` ssh: allow to bind to a hostname in remote forwarding • `122a78f` go.mod: update golang.org/x dependencies • `c0531f9` all: eliminate vet diagnostics • `0997000` all: fix some comments • Additional commits viewable in compare view [Dependabot compatibility score](https://camo.githubusercontent.com/9fd3112d3f307ff51db8f1c9fdf7513b8da6f7d9d0763fe7dd0c7beb93f359cc/68747470733a2f2f646570656e6461626f742d6261646765732e6769746875626170702e636f6d2f6261646765732f636f6d7061746962696c6974795f73636f72653f646570656e64656e63792d6e616d653d676f6c616e672e6f72672f782f63727970746f267061636b6167652d6d616e616765723d676f5f6d6f64756c65732670726576696f75732d76657273696f6e3d302e34332e30266e65772d76657273696f6e3d302e34352e30) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: • `@dependabot rebase` will rebase this PR • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it • `@dependabot merge` will merge this PR after your CI passes on it • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it • `@dependabot cancel merge` will cancel a previously requested merge and block automerging • `@dependabot reopen` will reopen this PR if it is closed • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually • `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis
  • g

    GitHub

    11/20/2025, 5:35 PM
    #5974 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.43.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/665124b95a061a163e83c3ca34b90cb032298248d26988ab937da66ace696b1d/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34332e302f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. 
#### CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
    #### References • https://nvd.nist.gov/vuln/detail/CVE-2025-58181 • https://go.dev/cl/721961 • https://go.dev/issue/76363 • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4134 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. :no… runatlantis/atlantis
  • g

    GitHub

    11/21/2025, 6:59 PM
    #5975 fix(gitea): add src as context for gitea status updates Pull request opened by maddawik ## what Updates the `GiteaClient.UpdateStatus` method so that `src` (which should be `atlantis/plan` or `atlantis/apply` afaict) is passed as the `Context` for the `gitea.CreateStatusOption` struct. This should give status checks names which can be seen in the UI and pattern matched against. This seems like how the other clients are passing the status name along as well. ## why This should make it possible for status checks to be pattern matched in branch protection rules. i.e. `atlantis/plan` and `atlantis/apply` could be explicitly required before merge. ## tests I don't see any related tests for the client though this is my first PR, so if I'm missing something I'm happy to address it. Edit: I tested this locally ### Before patch Status updates have no name, a branch protection rule that has `atlantis/*` means nothing in this context (see screenshot) [Screenshot 2025-11-23 at 1 03 16 AM] ### After patch I built the patched version locally and re-ran a test, seeing context appear and able to assert branch protection rules. I think this was as simple as it seemed! [Screenshot 2025-11-23 at 12 53 07 AM] [Screenshot 2025-11-23 at 12 57 09 AM] ## references Closes #5802 runatlantis/atlantis
  • g

    GitHub

    11/22/2025, 9:39 AM
    #5978 feat: Add plan webhook support Pull request opened by hjk1996 ## what • Added event-aware webhook wiring to support both plan and apply (typed Event + ConfiguredSender, event set on payload, filtered dispatch). • Updated project runner to send plan/apply webhooks with the correct event and adjusted Slack attachment text to use the event name. • Extended webhook tests to cover plan configs and event filtering. ## why To deliver plan results through the webhook pipeline, and to make webhook payloads/messages clearly identify which event triggered them. ## tests • Added webhook tests for plan config and event filtering • Ran locally: `go test ./server/events/webhooks` (passes) ## references • #5707 runatlantis/atlantis
  • g

    GitHub

    11/23/2025, 2:33 AM
    #5979 feat: support destroy_execution_order_group Pull request opened by romuloslv ## what This pull request enables `destroy_execution_order_group` ## why To support reverse execution order during destroy operations `atlantis plan/apply -- -destroy`. Currently, Atlantis supports `execution_order_group` for both resource creation and destruction. However, when hierarchical dependencies exist, resource destruction must occur in reverse order (children before parents). The implementation adds automatic detection of the `-destroy` flag, calculates effective execution groups based on operation type, and maintains backward compatibility with existing configurations. Both destructive and non-destructive global plan/apply operations work correctly in the same PR - regular operations use `execution_order_group` while destroy operations use `destroy_execution_order_group`, allowing users to safely test both creation and destruction workflows before merging. ## tests Tests added in • server/core/config/raw/project_test.go • server/events/apply_command_runner_test.go • server/events/plan_command_runner_test.go • server/events/project_command_pool_executor_test.go ## references • #2243 runatlantis/atlantis
  • g

    GitHub

    11/24/2025, 8:54 PM
    #5977 chore: Add license references to files that don't have them Pull request opened by lukemassa ## what Add license references to files that don't have them ## why I noticed a number of files have the old `Copyright 2017 HootSuite Media Inc.` from before the project was made open source. We don't want to remove that per the license, but for new files we should be tracking the copyright status. I used the https://github.com/google/addlicense tool to make sure all newer go files have a license using the condensed SPDX format, and labeling the copyright owners as The Atlantis Authors. I also added a check to CI so we wouldn't forget to add them to new files. Longer term we can add to files other than go, I just wanted to start us off somewhere. ## tests I ran the script a few times ## references N/A runatlantis/atlantis
  • g

    GitHub

    11/25/2025, 10:19 AM
    #5980 fix: Fail policy checks when Rego syntax errors occur Pull request opened by edbighead ## what This change ensures that any conftest execution error (including parse errors) correctly marks the policy as failed, preventing plans from bypassing policy enforcement due to syntax issues. ## why Previously, when conftest encountered Rego parse errors, the policy check would incorrectly pass because the code only checked for test failures in the output, not command execution errors. This created a security vulnerability where broken policies would allow all plans to proceed. ## tests • I have tested my changes with unit tests ## references After updating `atlantis` which uses `conftest 0.63.0`, policies were passing even though rego syntax was wrong.
    {"level":"error","ts":"2025-11-25T09:00:44.892Z","caller":"events/project_command_runner.go:559","msg":"[{\"PolicySetName\":\"common-policies\",\"PolicyOutput\":\"Error: running test: load: loading policies: load: 2 errors occurred during loading:\\n/opt/atlantis/policies/plan_rds_test.rego:41: rego_parse_error: `if` keyword is required before rule body\\n/opt/atlantis/policies/plan_rds_test.rego:45: rego_parse_error: `if` keyword is required before rule body\\n\",\"Passed\":true,\"ReqApprovals\":1,\"CurApprovals\":0}]","json":{"repo":"myorg/myrepo","pull":"72176"},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:559\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).PolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:265\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).PolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:42\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*PolicyCheckCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/policy_check_command_runner.go:65\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).runAutoplan\n\tgithub.com/runatlantis/atlantis/server/events/plan_command_runner.go:177\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/plan_command_runner.go:319\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunAutoplanCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:251"}
    {"level":"info","ts":"2025-11-25T09:00:44.892Z","caller":"events/instrumented_project_command_runner.go:88","msg":"policy_check success. output available at: https://github.com/myorg/myrepo/pull/72176","json":{"repo":"myorg/myrepo","pull":"72176"}}
    • https://support.hashicorp.com/hc/en-us/articles/43942069326483-OPA-Policy-Evaluations-Fail-With-Errors-if-keyword-is-required-before-rule-body-and-contains-keyword-is-required-for-partial-set-rules runatlantis/atlantis