#5611 fix: Azure DevOps plan (issue 5507) Pull request opened by bub3n ## what Fix for #5507 ## why In the Atlantis GitHub issue #5507, there was a problem with downloading Git diff changes. The issue appeared after adding the top and skip arguments to the Git diff call. Previously, this endpoint did not return the changeCounts key when called with different arguments. You can also see this in test scenario in

azuredevops/git_test.go

(link) which does not reflect that. And if you compare it to the Azure Devops documentation it's missing

changeCounts

key. To fix this, I updated the

GitCommitDiffs

struct by changing the key to a string type, aligning it with other structs with

changeCounts

key for consistency. ## tests

make test-all

went thru without errors. And thanks to @leonardocaylent for testing the new build with the change in his environment. ## references runatlantis/atlantis

#5612 chore(deps): bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 Pull request opened by dependabot[bot] Bumps github.com/cloudflare/circl from 1.6.0 to 1.6.1. Release notes Sourced from github.com/cloudflare/circl's releases.

## CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.

• Hybrid KEM fails on low-order points.

### What's Changed

• kem/hybrid: ensure X25519 hybrids fails with low order points by `@​Lekensteyn` in cloudflare/circl#541

• .github: Use native ARM64 builders instead of QEMU by `@​Lekensteyn` in cloudflare/circl#542

• Fixes several errors on twisted Edwards curves. by `@​armfazh` in cloudflare/circl#545

• Release v1.6.1 by `@​armfazh` in cloudflare/circl#546

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

Commits • `c6d33e3` Release v1.6.1 • `0c3868e` curve4q: Shared must fail with low order points. • `9fd570d` curve4q: Test showing DH does not fails on identity point. • `c988ceb` fourq: Correctly unmarshalling point. • `ef2611d` fourq: Test showing point unmarshal fails. • `05eba44` fourq: Handle the case of Z=0 for IsOnCurve and IsEqual. • `eef0878` fourq: Test showing isEqual and IsOnCurve fail. • `2298474` goldilocks; Handling points with z=0. • `5a940a1` goldilocks: Test for IsEqual must fail with Z=0 • `48c3b6a` ed25519: Fix isEqual to handle points with Z=0. • Additional commits viewable in compare view [Dependabot compatibility score](https://camo.githubusercontent.com/9998cfc587775338654e4edbcc339872b1e9819720cb57716380c4dd2d16b9ba/68747470733a2f2f646570656e6461626f742d6261646765732e6769746875626170702e636f6d2f6261646765732f636f6d7061746962696c6974795f73636f72653f646570656e64656e63792d6e616d653d6769746875622e636f6d2f636c6f7564666c6172652f636972636c267061636b6167652d6d616e616765723d676f5f6d6f64756c65732670726576696f75732d76657273696f6e3d312e362e30266e65772d76657273696f6e3d312e362e31) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting

@dependabot rebase

. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: •

@dependabot rebase

will rebase this PR •

@dependabot recreate

will recreate this PR, overwriting any edits that have been made to it •

@dependabot merge

will merge this PR after your CI passes on it •

@dependabot squash and merge

will squash and merge this PR after your CI passes on it •

@dependabot cancel merge

will cancel a previously requested merge and block automerging •

@dependabot reopen

will reopen this PR if it is closed •

@dependabot close

will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually •

@dependabot show <dependency name> ignore conditions

will show all of the ignore conditions of the specified dependency •

@dependabot ignore this major version

will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this minor version

will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this dependency

will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis

@Amit has left the channel

#5613 chore(deps): update go to v1.24.4 in go.mod (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ----------------------------------------------------------------------- | ------ | ------ | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.24.2 -> 1.24.4 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/c969aea50aa6c73e27384d8508b5fc8f9d31bd400c588089a1c7a7cdbb51ec23/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f676f6c616e672f676f2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) | | golang | final | patch | 1.24.2 -> 1.24.4 | | | golang | stage | patch | 1.24.2-alpine -> 1.24.4 | | --- ### Release Notes golang/go (go) ### `v1.24.4` ### `v1.24.3` --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about these updates again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5241 fix: avoid performance degradation with Github and --hide-prev-plan-comments enabled Pull request opened by oleg-glushak ## what Switch from GitHub REST API to GitHub GraphQL for listing comments to expose the

isMinimized

attribute to avoid minimizing already minimized comments on each Atlantis command execution. ## why This helps to avoid performance degradation by minimizing only non-minimized Atlantis comments, as opposed to processing all comments sequentially on each Atlantis command execution. ## tests • I have tested my changes by running unit tests. • I have tested my changes by running this version of Atlantis and checking if the --hide-prev-plan-comments performance still works in general and the performance degradation disappears. ## references • Closes #5232 runatlantis/atlantis

#5617 fix: Allow main branch invocation with merge strategy Pull request opened by osherdp ## what This is basically a re-work of #4851. I cherry-picked the original commits by the author and added some testing for the functionality. • Updating mergeToBaseBranch logic to only checkout by pull/{pr.number}/head if there is indeed a pull request number specified as part of the plan/apply. • This change should mitigate this error:

failed to build command: running git fetch origin pull/0/head:: fatal: couldn't find remote ref pull/0/head

• Updating clone logic to skip using HEAD^2 when using the checkout merge strategy whilst no PR number is specified. If a plan is triggered remotely on main for instance, this leads to 128 errors from git:

will re-clone repo, could not determine if was at correct commit: git rev-parse HEAD^2: exit status 128: fatal: ambiguous argument 'HEAD^2': unknown revision or path not in the working tree.

• Updating logic to skip making a VCS call when there isn't a pull request. This mitigates this error:

updating project PR status%!(EXTRA *github.ErrorResponse=POST <https://api.github.com/repos/<your-org>/<your-terraform-repo>/statuses/master>: 422 Validation Failed [{Resource:Status Field:sha Code:custom Message:sha must be a 40 character SHA1}])...

## why This should fix the issue detailed in /api/plan throws 500 error when using GitHub App #4850 Per the docs, POSTs to /api/plan and /api/apply can optionally omit the PR parameter. Therefore, we should check to see if it's 0 before pivoting to a pull request based reference checkout. We shouldn't make calls to VCS if there is no pull request to update statuses on. This leads to 422 errors that can be avoided. ## tests Added a unit-test for the main fix of this work. I also manually tested the use of

ATLANTIS_CHECKOUT_STRATEGY=merge

in our internal systems. Our drift detection mechanism calls

<ATLANTIS_URL>/api/plan

and looks into the output of the plans to make sure no changes are required. ## references https://github.com/runatlantis/atlantis/blob/6fe0303279839faadb76e94de94d7c250876b336/runatlantis.io/docs/api-endpoints.md#post-apiplan Should close #4850 runatlantis/atlantis

#5504 chore(deps): update module golang.org/x/oauth2 to v0.27.0 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/oauth2 | v0.18.0 -> v0.27.0 | [[age](https://camo.githubusercontent.com/e0b0a462b253a22db1d1a328fee6b6f73e6129bc6e379d261ba0a7643cd12ce2/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/44b941a5c0ee9612caf637e54b7c0a7bba081db2453a885378a1aacebb71fee1/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/adc8c15ab83cdc744af954792e6b9c9ed6f2654f783808a42980cc13c23a2dfd/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e31382e302f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/012cd1e3486c030a9a0f7c68b75b63a00b342919530bc79693e94768ce89b5c0/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e31382e302f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | | golang.org/x/oauth2 | v0.6.0 -> v0.27.0 | [[age](https://camo.githubusercontent.com/e0b0a462b253a22db1d1a328fee6b6f73e6129bc6e379d261ba0a7643cd12ce2/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/44b941a5c0ee9612caf637e54b7c0a7bba081db2453a885378a1aacebb71fee1/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/b2084d0ea0353616d4841ffd3618f621ed19f3b16cc6708f7f4691e9b4d8c054/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e362e302f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/ca0d629b90db8d73dd1f1c64d4f2e90601a02ce5ef23676d0a9b09af998aadfb/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666f61757468322f76302e362e302f76302e32372e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### Unexpected memory consumption during token parsing in golang.org/x/oauth2 CVE-2025-22868 / GHSA-3wqc-mwfx-672p / GO-2025-3488 More information #### Details An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. #### Severity Unknown #### References • https://go.dev/cl/652155 • https://go.dev/issue/71490 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about these updates again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5618 fix: api 500er with policy, check getCommands index against commentCommand lenght Pull request opened by jochen ## what If the api is called for plan and policies are activated, the commentCommand is shorter than the count of cmds. This leads to a 500. The check prevents a crash here and a warning is issued. I could not find out why there is a discrepancy here. ## why First of all to prevent the crash and thus prevent the 500. The warning can then help to recognize the cases when both counts deviate from each other. ## tests Tests were carried out manually, after the change there were no more api/plan 500s with activated policies. ## references It may alsocloses a GitHub issue

#4318

, but you cannot see whether policies are active. runatlantis/atlantis

#5619 Install terragrunt Pull request opened by plenti-bill-ngo runatlantis/atlantis

#5621 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | patch | v1.6.0 -> v1.6.1 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e64afce031736414dbce459f99df0a6d81f00deb69ebecb215e8b27bd8f0fa9d/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f636c6f7564666c6172652f636972636c2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) | ### GitHub Vulnerability Alerts #### GHSA-2x5j-vhc8-9cwm ### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Release Notes cloudflare/circl (github.com/cloudflare/circl) ### `v1.6.1`: CIRCL v1.6.1 Compare Source #### CIRCL v1.6.1 • Fixes some point checks on the FourQ curve. • Hybrid KEM fails on low-order points. ##### What's Changed • kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in https://github.com/cloudflare/circl/pull/541 • .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in https://github.com/cloudflare/circl/pull/542 • Fixes several errors on twisted Edwards curves. by @​armfazh in https://github.com/cloudflare/circl/pull/545 • Release v1.6.1 by @​armfazh in https://github.com/cloudflare/circl/pull/546 Full Changelog: cloudflare/circl@v1.6.0...v1.6.1 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5622 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (release-0.32) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | minor | v1.3.9 -> v1.6.1 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e64afce031736414dbce459f99df0a6d81f00deb69ebecb215e8b27bd8f0fa9d/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f636c6f7564666c6172652f636972636c2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) | --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes cloudflare/circl (github.com/cloudflare/circl) ### `v1.6.1`: CIRCL v1.6.1 Compare Source #### CIRCL v1.6.1 • Fixes some point checks on the FourQ curve. • Hybrid KEM fails on low-order points. ##### What's Changed • kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in https://github.com/cloudflare/circl/pull/541 • .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in https://github.com/cloudflare/circl/pull/542 • Fixes several errors on twisted Edwards curves. by @​armfazh in https://github.com/cloudflare/circl/pull/545 • Release v1.6.1 by @​armfazh in https://github.com/cloudflare/circl/pull/546 Full Changelog: cloudflare/circl@v1.6.0...v1.6.1 ### `v1.6.0`: CIRCL v1.6.0 Compare Source #### CIRCL v1.6.0 ##### New! • Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf). • X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem) ##### What's Changed • Add OIDs to ML-DSA by @​bwesterb in https://github.com/cloudflare/circl/pull/519 • Adds Prio3 a set of verifiable distributed aggregation functions. by @​armfazh in https://github.com/cloudflare/circl/pull/522 • Run semgrep cronjob only in upstream repository. by @​armfazh in https://github.com/cloudflare/circl/pull/526 • X-Wing PQ/T hybrid by @​bwesterb in https://github.com/cloudflare/circl/pull/471 • ckem: move crypto/elliptic to crypto/ecdh by @​MingLLuo in https://github.com/cloudflare/circl/pull/529 • hpke: Update HPKE code to use ecdh stdlib package. by @​armfazh in https://github.com/cloudflare/circl/pull/530 • prio3: Adds polynomial multiplication using NTT by @​armfazh in https://github.com/cloudflare/circl/pull/532 • Add Prio3 in readme. by @​armfazh in https://github.com/cloudflare/circl/pull/527 ##### New Contributors • @​MingLLuo made their first contribution in https://github.com/cloudflare/circl/pull/529 Full Changelog: cloudflare/circl@v1.5.0...v1.6.0 ### <https://redirect.github.com/cloudflare/circl/releases/tag/v1.5.0|`v… runatlantis/atlantis

#5623 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | minor | v1.3.9 -> v1.6.1 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e64afce031736414dbce459f99df0a6d81f00deb69ebecb215e8b27bd8f0fa9d/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f636c6f7564666c6172652f636972636c2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) | --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes cloudflare/circl (github.com/cloudflare/circl) ### `v1.6.1`: CIRCL v1.6.1 Compare Source #### CIRCL v1.6.1 • Fixes some point checks on the FourQ curve. • Hybrid KEM fails on low-order points. ##### What's Changed • kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in https://github.com/cloudflare/circl/pull/541 • .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in https://github.com/cloudflare/circl/pull/542 • Fixes several errors on twisted Edwards curves. by @​armfazh in https://github.com/cloudflare/circl/pull/545 • Release v1.6.1 by @​armfazh in https://github.com/cloudflare/circl/pull/546 Full Changelog: cloudflare/circl@v1.6.0...v1.6.1 ### `v1.6.0`: CIRCL v1.6.0 Compare Source #### CIRCL v1.6.0 ##### New! • Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf). • X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem) ##### What's Changed • Add OIDs to ML-DSA by @​bwesterb in https://github.com/cloudflare/circl/pull/519 • Adds Prio3 a set of verifiable distributed aggregation functions. by @​armfazh in https://github.com/cloudflare/circl/pull/522 • Run semgrep cronjob only in upstream repository. by @​armfazh in https://github.com/cloudflare/circl/pull/526 • X-Wing PQ/T hybrid by @​bwesterb in https://github.com/cloudflare/circl/pull/471 • ckem: move crypto/elliptic to crypto/ecdh by @​MingLLuo in https://github.com/cloudflare/circl/pull/529 • hpke: Update HPKE code to use ecdh stdlib package. by @​armfazh in https://github.com/cloudflare/circl/pull/530 • prio3: Adds polynomial multiplication using NTT by @​armfazh in https://github.com/cloudflare/circl/pull/532 • Add Prio3 in readme. by @​armfazh in https://github.com/cloudflare/circl/pull/527 ##### New Contributors • @​MingLLuo made their first contribution in https://github.com/cloudflare/circl/pull/529 Full Changelog: cloudflare/circl@v1.5.0...v1.6.0 ### <https://redirect.github.com/cloudflare/circl/releases/tag/v1.5.0|`v… runatlantis/atlantis

#5624 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (release-0.34) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | minor | v1.3.9 -> v1.6.1 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e64afce031736414dbce459f99df0a6d81f00deb69ebecb215e8b27bd8f0fa9d/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f636c6f7564666c6172652f636972636c2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) | --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes cloudflare/circl (github.com/cloudflare/circl) ### `v1.6.1`: CIRCL v1.6.1 Compare Source #### CIRCL v1.6.1 • Fixes some point checks on the FourQ curve. • Hybrid KEM fails on low-order points. ##### What's Changed • kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in https://github.com/cloudflare/circl/pull/541 • .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in https://github.com/cloudflare/circl/pull/542 • Fixes several errors on twisted Edwards curves. by @​armfazh in https://github.com/cloudflare/circl/pull/545 • Release v1.6.1 by @​armfazh in https://github.com/cloudflare/circl/pull/546 Full Changelog: cloudflare/circl@v1.6.0...v1.6.1 ### `v1.6.0`: CIRCL v1.6.0 Compare Source #### CIRCL v1.6.0 ##### New! • Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf). • X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem) ##### What's Changed • Add OIDs to ML-DSA by @​bwesterb in https://github.com/cloudflare/circl/pull/519 • Adds Prio3 a set of verifiable distributed aggregation functions. by @​armfazh in https://github.com/cloudflare/circl/pull/522 • Run semgrep cronjob only in upstream repository. by @​armfazh in https://github.com/cloudflare/circl/pull/526 • X-Wing PQ/T hybrid by @​bwesterb in https://github.com/cloudflare/circl/pull/471 • ckem: move crypto/elliptic to crypto/ecdh by @​MingLLuo in https://github.com/cloudflare/circl/pull/529 • hpke: Update HPKE code to use ecdh stdlib package. by @​armfazh in https://github.com/cloudflare/circl/pull/530 • prio3: Adds polynomial multiplication using NTT by @​armfazh in https://github.com/cloudflare/circl/pull/532 • Add Prio3 in readme. by @​armfazh in https://github.com/cloudflare/circl/pull/527 ##### New Contributors • @​MingLLuo made their first contribution in https://github.com/cloudflare/circl/pull/529 Full Changelog: cloudflare/circl@v1.5.0...v1.6.0 ### <https://redirect.github.com/cloudflare/circl/releases/tag/v1.5.0|`v… runatlantis/atlantis

#5625 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (release-action) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | patch | v1.6.0 -> v1.6.1 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e64afce031736414dbce459f99df0a6d81f00deb69ebecb215e8b27bd8f0fa9d/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f636c6f7564666c6172652f636972636c2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) | --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes cloudflare/circl (github.com/cloudflare/circl) ### `v1.6.1`: CIRCL v1.6.1 Compare Source #### CIRCL v1.6.1 • Fixes some point checks on the FourQ curve. • Hybrid KEM fails on low-order points. ##### What's Changed • kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in https://github.com/cloudflare/circl/pull/541 • .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in https://github.com/cloudflare/circl/pull/542 • Fixes several errors on twisted Edwards curves. by @​armfazh in https://github.com/cloudflare/circl/pull/545 • Release v1.6.1 by @​armfazh in https://github.com/cloudflare/circl/pull/546 Full Changelog: cloudflare/circl@v1.6.0...v1.6.1 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5626 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (release-branches) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | patch | v1.6.0 -> v1.6.1 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e64afce031736414dbce459f99df0a6d81f00deb69ebecb215e8b27bd8f0fa9d/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f636c6f7564666c6172652f636972636c2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) | --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results GHSA-2x5j-vhc8-9cwm / GO-2025-3754 More information #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm • https://github.com/cloudflare/circl • https://github.com/cloudflare/circl/tree/v1.6.1 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes cloudflare/circl (github.com/cloudflare/circl) ### `v1.6.1`: CIRCL v1.6.1 Compare Source #### CIRCL v1.6.1 • Fixes some point checks on the FourQ curve. • Hybrid KEM fails on low-order points. ##### What's Changed • kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in https://github.com/cloudflare/circl/pull/541 • .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in https://github.com/cloudflare/circl/pull/542 • Fixes several errors on twisted Edwards curves. by @​armfazh in https://github.com/cloudflare/circl/pull/545 • Release v1.6.1 by @​armfazh in https://github.com/cloudflare/circl/pull/546 Full Changelog: cloudflare/circl@v1.6.0...v1.6.1 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5570 fix: preserve Atlantis apply lock after plan Pull request opened by yasinlachiny ## what Updated Atlantis behavior to retain the apply lock when re-running plan if there are no changes. Ensured the lock is only removed when actual changes are detected between re-runs ## why Addresses community-reported issue #5568 where users observed unintended lock removals during no-op plans. Fixes an issue where Atlantis incorrectly removes the apply lock when a plan is re-run, even if no changes are detected. Preserves expected workflow and safety in CI/CD pipelines by preventing premature unlocks ## tests ✅ Manually tested locally: Created an apply lock by running plan and apply. Re-ran plan without making any changes — lock was preserved as expected. Introduced a change and re-ran plan — lock was correctly removed. Verified this behavior in a multi-project repository setup. ## references Fixes: #5568 runatlantis/atlantis

#5628 feat: implement enhanced plan queue and locking system Pull request opened by jamengual ## Overview This PR implements a comprehensive enhanced plan queue and locking system that addresses long-standing issues with Atlantis locking and workspace management. The system provides better handling of concurrent operations, reduces user frustration, and improves overall system reliability. ## 🚀 Features ### 1. Plan Queue Functionality • Queues plan requests when locks are unavailable instead of immediately failing • Automatic lock transfer to the next person in queue when locks are released • User notifications about queue position and when it's their turn • Configurable via

--enable-plan-queue=true

### 2. Lock Retry Logic • Automatic retry of lock acquisition with configurable delays • Configurable attempts via

--lock-retry-max-attempts=3

• Configurable delays via

--lock-retry-delay=5

• Configurable via

--enable-lock-retry=true

### 3. Enhanced Project Locking • Memory-based locking to prevent race conditions • Working directory protection to prevent premature cleanup • Automatic cleanup of locks and protections • Better error handling and user feedback ### 4. Queue Management • Persistent queue state across server restarts • Queue position tracking and notifications • Automatic queue cleanup when PRs are closed • Configurable queue behavior ## 🔧 Configuration All new features are opt-in and can be enabled via command-line flags: # Enable plan queue functionality --enable-plan-queue=true # Enable lock retry logic --enable-lock-retry=true # Configure retry attempts (default: 3) --lock-retry-max-attempts=5 # Configure retry delay in seconds (default: 5) --lock-retry-delay=10 ## 📊 Performance Impact • Minimal overhead when features are disabled (default) • Efficient memory usage with configurable limits • Non-blocking operations for better responsiveness • Graceful degradation when features are unavailable ## 🧪 Testing • Comprehensive unit tests for all new functionality • Integration tests for queue and locking behavior • Race condition tests to ensure thread safety • Performance benchmarks for critical paths ## 📚 Documentation • Updated server configuration documentation • Usage examples and best practices • Troubleshooting guide for common issues • Migration guide for existing deployments ## 🔒 Security • No breaking changes to existing security model • Maintains existing authentication and authorization • Audit trail for all queue and lock operations • Configurable access controls for queue management ## 🚨 Breaking Changes None - All new features are opt-in and disabled by default. Existing deployments will continue to work without any configuration changes. ## 🔗 Related Issues This PR addresses several long-standing issues and builds upon previous work: • ADR #3345 - Project Locks - Architecture decision for project-level locking • PR #4997 - Lock Retry Logic - Previous implementation of lock retry functionality • Issue #1914 - Workspace lock creation - Original issue about workspace locking behavior • Issue #2200 - Lock creation for no apparent reason - Issue about unexpected lock creation • Issue #3336 - Race condition between hooks and cleanup - Race condition issues in locking system ## 🎯 Future Enhancements • Priority-based queuing for urgent changes • Queue analytics and metrics • Webhook integration for queue events • Advanced scheduling algorithms • Multi-region queue support ## 📝 Changelog ### Added • Plan queue functionality with automatic lock transfer • Lock retry logic with configurable attempts and delays • Enhanced project locking with memory-based protection • Working directory protection to prevent premature cleanup • Comprehensive queue management and notifications • New configuration flags for all features ### Changed • Improved error handling and user feedback • Better race condition prevention • Enhanced logging for debugging ### Fixed • Race conditions in lock acquisition • Premature working directory cleanup • Inconsistent lock behavior across concurrent operations ## 🤝 Contributing This feature was developed with input from the Atlantis community and addresses real-world usage patterns. We welcome feedback and contributions to further improve the system. runatlantis/atlantis

#5359 fix: UI Jobs streams are not cleaned up after PR is closed Pull request opened by joe1981al ## what • Update

func (p *PullClosedExecutor) CleanUpPull

to use the updated definition of `PullInfo ## why • see related issue • this commit updated the definition of

PullInfo

•

PullInfo

wasn't updated in function used to cleanup job info, so matches were not found in the mapping ## tests • tested in my local environment with PRs from Azure Devops ## references • see issue runatlantis/atlantis

#5631 docs: add version annotations to server configuration and repo-level atlantis.yaml Pull request opened by jamengual ## Summary This PR adds version annotations to the Atlantis documentation to help users understand when each feature was introduced. ## Changes ### Server Configuration Documentation • Added version badges to all 80+ server configuration flags • Each flag now shows when it was introduced (e.g.,

<Badge text="v0.17.0" type="info"/>

) • Covered flags from core features (v0.1.0+) to the latest features (v0.48.0+) ### Repo-Level atlantis.yaml Configuration • Added version annotations to all configuration keys in the example • Covered top-level keys, project-level keys, and specific features • Included version information for features like: •

automerge

(v0.15.0+) • `parallel_plan`/`parallel_apply` (v0.17.0+) •

autodiscover

(v0.18.0+) •

terraform_distribution

(v0.25.0+) • And many more ### Analysis Document • Created

atlantis-features-version-analysis.md

with comprehensive feature analysis • Documents all features and their introduction versions based on changelog analysis ## Benefits • Users can now see exactly when each feature was introduced • Migration planning becomes easier with clear version requirements • Feature compatibility is immediately visible • Documentation is more informative for users on different Atlantis versions ## Version Information Sources The version annotations are based on: 1. CHANGELOG.md analysis 2. GitHub releases research 3. Merged PRs investigation 4. Code analysis for feature introduction points This makes the documentation much more useful for users who need to understand feature availability across different Atlantis versions. runatlantis/atlantis

#5632 fix(docs): generate release notes Pull request opened by jamengual This pull request includes a minor update to the

.github/release.yml

file. The change removes the lock emoji from the "Security changes" section title for consistency with the other section titles. runatlantis/atlantis

#5501 fix(deps): update module github.com/redis/go-redis/v9 to v9.7.3 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------- | ------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/redis/go-redis/v9](https://redirect.github.com/redis/go-redis) | require | patch | v9.7.0 -> v9.7.3 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/81bc66dea520e227046bc99b3aa2ed6d1bf73e3705b6380978c0f61d0b80bf4c/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f72656469732f676f2d72656469732f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/redis/go-redis) | --- ### Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis CVE-2025-29923 / GHSA-92cp-5422-2mw7 / GO-2025-3540 More information #### Details Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis #### Severity Unknown #### References • https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7 • https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6 • https://github.com/redis/go-redis/pull/3295 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Release Notes redis/go-redis (github.com/redis/go-redis/v9) ### `v9.7.3` Compare Source #### What's Changed • fix: handle network error on SETINFO (#​3295) (CVE-2025-29923) • Deprecating misspelled

DisableIndentity

flag in the client options. • Introducing

DisableIdentity

flag in the client options. • Updating the documentation related to the new flag and the one that was deprecated. Full Changelog: redis/go-redis@v9.7.1...v9.7.3 ### `v9.7.2` Compare Source ### `v9.7.1` Compare Source ### Changes • Recognize byte slice for key argument in cluster client hash slot computation (#​3049) • fix(search&aggregate):fix error overwrite and typo #​3220 (#​3224) • fix: linter configuration (#​3279) • fix(search): if ft.aggregate use limit when limitoffset is zero (#​3275) • Reinstate read-only lock on hooks access in dialHook to fix data race (#​3225) • fix: flaky ClientKillByFilter test (#​3268) • chore: fix some comments (#​3226) • fix(aggregate, search): ft.aggregate bugfixes (#​3263) • fix: add unstableresp3 to cluster client (#​3266) • Fix race condition in clusterNodes.Addrs() (#​3219) • SortByWithCount FTSearchOptions fix (#​3201) • Eliminate redundant dial mutex causing unbounded connection queue contention (#​3088) • Add guidance on unstable RESP3 support for RediSearch commands to README (#​3177) #### 🚀 New Features • Add guidance on unstable RESP3 support for RediSearch commands to README (#​3177) #### 🐛 Bug Fixes • fix(search): if ft.aggregate use limit when limitoffset is zero (#​3275) • fix: add unstableresp3 to cluster client (#​3266) • fix(aggregate, search): ft.aggregate bugfixes (#​3263) • SortByWithCount FTSearchOptions fix (#​3201) • Recognize byte slice for key argument in cluster client hash slot computation (#​3049) #### Contributors We'd like to thank all the contributors who worked on this release! @​ofekshenawa, @​Cgol9, @​LINKIWI, @​shawnwgit, @​zhuhaicity, @​bitsark, @​vladvildanov, @​ndyakov Full Changelog: redis/go-redis@v9.7.0...v9.7.1 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5633 docs: add release cadence document Pull request opened by jamengual This PR adds a new RELEASE_CADENCE.md document that describes the monthly release cycle for Atlantis. ## Changes • Added comprehensive release cadence documentation • Describes monthly release schedule (first or last week of each month) • Includes versioning strategy, release criteria, and emergency procedures • Provides guidelines for contributors and maintainers ## Key Features • Monthly cadence: Once per month, either first week OR last week • Semantic versioning: Clear guidelines for major/minor/patch releases • Release criteria: Simple checklist for when a release is ready • Emergency procedures: Process for critical security issues • Communication guidelines: How releases are announced This document will help establish predictable release cycles and improve project management for Atlantis. runatlantis/atlantis

#5550 chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-0.32) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ---------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/net | v0.36.0 -> v0.38.0 | [[age](https://camo.githubusercontent.com/8085a98b86fb9e6465f09bee9106b8853aa9ee3bad200d0f2f8af44dea6308f9/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/c6f84ae4e14713523cb1898d3a4a4cd5693d08913d33970acad58d753ab1178e/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/46754d081520b7dddd67231f3ba0724238b2c5fa1ba39c9a732e0034739f8187/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/9810c1580c594ae2abbe137b563959d9c8fc66f05cbcce4a10c763d0d475c5e2/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### golang.org/x/net vulnerable to Cross-site Scripting CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity • CVSS Score: Unknown • Vector String:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-22872 • https://go.dev/cl/662715 • https://go.dev/issue/73070 • https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA • https://pkg.go.dev/vuln/GO-2025-3595 • https://security.netapp.com/advisory/ntap-20250516-0007 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity Unknown #### References • https://go.dev/cl/662715 • https://go.dev/issue/73070 • https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the <https://developer.mend.io/github/runatlantis/atlantis|repository j… runatlantis/atlantis

#5562 chore(deps): update dependency vite to v5.4.19 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------------------------------- | --------------- | ------ | ------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | patch | [5.4.12 -> 5.4.19](https://renovatebot.com/diffs/npm/vite/5.4.12/5.4.19) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/8215b15f6e981877f9a1a5c6aece43d08f62432a6f674508b5096c494379d30e/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f766974656a732f766974652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) | ### GitHub Vulnerability Alerts #### CVE-2025-46565 ### Summary The contents of files in the project `root` that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project `root` and are denied by a file matching pattern can be bypassed. • Examples of file matching patterns:

.env

,

.env.*

,

*.{crt,pem}

,

**/.env

• Examples of other patterns:

**/.git/**

,

.git/**

,

.git/**/*

### Details `server.fs.deny` can contain patterns matching against files (by default it includes

.env

,

.env.*

,

*.{crt,pem}

as such patterns). These patterns were able to bypass for files under

root

by using a combination of slash and dot (

/.

). ### PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. <http://localhost:5173>

[image](https://camo.githubusercontent.com/0681fe273f64c4f05b177de25c9e98c65f18d2bd7f16cc39e7b10cb1bbdd34b2/68747470733a2f2f72656469726563742e6769746875622e636f6d2f757365722d6174746163686d656e74732f6173736574732f38323266343431362d616134322d343631662d386339352d613838643135356536373462) [image](https://camo.githubusercontent.com/e3e7a92dd6c590d0a2134c215b21095193a83d5673cd6067a5e30460ec230651/68747470733a2f2f72656469726563742e6769746875622e636f6d2f757365722d6174746163686d656e74732f6173736574732f34323930323134342d383633612d346166622d616335622d666331366566666133376363) --- ### Vite bypasses server.fs.deny when using ?raw?? CVE-2025-30208 / GHSA-x574-m823-4x7w More information #### Details ##### Summary The contents of arbitrary files can be returned to the browser. ##### Impact Only apps explicitly exposing the Vite dev server to the network (using

--host

or `server.host` config option) are affected. ##### Details

@fs

denies access to files outside of Vite serving allow list. Adding

?raw??

or

?import&raw??

to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as

?

are removed in several places, but are not accounted for in query string regexes. ##### PoC $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt ##### expected behaviour $ curl "http://localhost:5173/@&amp;#8203;fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list. ##### security bypassed $ curl "http://localhost:5173/@&amp;#8203;fs/tmp/secret.txt?import&amp;raw??" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

#### References • https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w • https://nvd.nist.gov/vuln/detail/CVE-2025-30208 • https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4 • https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c • https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41 • https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca • https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1 • https://github.com/vitejs/vite This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Vite has a

server.fs.deny

bypassed for

inline

and

raw

with

?import

query CVE-2025-31125 / GHSA-4r4m-qw57-chr8 More information #### Details ##### Summary The contents of arbitrary files can be returned to the browser. ##### Impact Only apps explicitly exposing the Vite dev server to the network (using

--host

or `server.host` config option) are affected. ##### Details • base64 encoded content of non-allowed files is exposed using

?inline&import

(originally reported as

?import&?inline=1.wasm?init

) • content of non-allowed files is exposed using

?raw?import

/@​fs/

isn't needed to reproduce the issue for files inside the proj… runatlantis/atlantis

#5499 chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------- | -------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/golang-jwt/jwt/v4](https://redirect.github.com/golang-jwt/jwt) | indirect | patch | v4.5.1 -> v4.5.2 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/fb7c1a0af8ca751d2b970fdaf32cd55119933607bbb217758cfd6f44ed8d4fec/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f676f6c616e672d6a77742f6a77742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/golang-jwt/jwt) | --- ### Excessive memory allocation during header parsing in github.com/golang-jwt/jwt CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553 More information #### Details Excessive memory allocation during header parsing in github.com/golang-jwt/jwt #### Severity Unknown #### References • https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp • https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### jwt-go allows excessive memory allocation during header parsing CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553 More information #### Details ##### Summary Function `parse.ParseUnverified` currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of

Bearer

followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification) ##### Details See `parse.ParseUnverified` ##### Impact Excessive memory allocation #### Severity • CVSS Score: 7.5 / 10 (High) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

#### References • https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp • https://nvd.nist.gov/vuln/detail/CVE-2025-30204 • https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 • https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb • https://github.com/golang-jwt/jwt • https://security.netapp.com/advisory/ntap-20250404-0002 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes golang-jwt/jwt (github.com/golang-jwt/jwt/v4) ### `v4.5.2` Compare Source See GHSA-mh63-6h87-95cp Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5500 fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------- | ------- | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/golang-jwt/jwt/v5](https://redirect.github.com/golang-jwt/jwt) | require | patch | v5.2.1 -> v5.2.2 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/fb7c1a0af8ca751d2b970fdaf32cd55119933607bbb217758cfd6f44ed8d4fec/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f676f6c616e672d6a77742f6a77742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/golang-jwt/jwt) | --- ### Excessive memory allocation during header parsing in github.com/golang-jwt/jwt CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553 More information #### Details Excessive memory allocation during header parsing in github.com/golang-jwt/jwt #### Severity Unknown #### References • https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp • https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### jwt-go allows excessive memory allocation during header parsing CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553 More information #### Details ##### Summary Function `parse.ParseUnverified` currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of

Bearer

followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification) ##### Details See `parse.ParseUnverified` ##### Impact Excessive memory allocation #### Severity • CVSS Score: 7.5 / 10 (High) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

#### References • https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp • https://nvd.nist.gov/vuln/detail/CVE-2025-30204 • https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 • https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb • https://github.com/golang-jwt/jwt • https://security.netapp.com/advisory/ntap-20250404-0002 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Release Notes golang-jwt/jwt (github.com/golang-jwt/jwt/v5) ### `v5.2.2` Compare Source #### What's Changed • Fixed GHSA-mh63-6h87-95cp by @​mfridman • Fixed some typos by @​Ashikpaul in https://github.com/golang-jwt/jwt/pull/382 • build: add go1.22 to ci workflows by @​mfridman in https://github.com/golang-jwt/jwt/pull/383 • Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in https://github.com/golang-jwt/jwt/pull/387 • Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in https://github.com/golang-jwt/jwt/pull/389 • chore: bump ci tests to include go1.23 by @​mfridman in https://github.com/golang-jwt/jwt/pull/405 • Fix jwt -show by @​AlexanderYastrebov in https://github.com/golang-jwt/jwt/pull/406 • docs: typo by @​kvii in https://github.com/golang-jwt/jwt/pull/407 • Update SECURITY.md by @​oxisto in https://github.com/golang-jwt/jwt/pull/416 • Update

jwt.Parse

example to use

jwt.WithValidMethods

by @​mattt in https://github.com/golang-jwt/jwt/pull/425 #### New Contributors • @​Ashikpaul made their first contribution in https://github.com/golang-jwt/jwt/pull/382 • @​kvii made their first contribution in https://github.com/golang-jwt/jwt/pull/407 • @​mattt made their first contribution in https://github.com/golang-jwt/jwt/pull/425 Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ *Rebasin… runatlantis/atlantis

#5502 chore(deps): update module golang.org/x/crypto to v0.35.0 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.31.0 -> v0.35.0 | [[age](https://camo.githubusercontent.com/8f3496104d5999ade523bafb73aa0a6bd55f7178ec9765c66cad8595f2b1a07c/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/ba8a611fc8190b2dbc016eee76a4bf70e03e4ff75c25dd7f8693e1d232e856da/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/469ad5436771fbd857a1046092809405843ddb6d8b3f37f097ee1c496c56a3ab/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33312e302f76302e33352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/2dcc630ccd289629900ff404628deb58dc2aa39004f2a9d234ff73e37c12bfad/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33312e302f76302e33352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487 More information #### Details SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. #### Severity • CVSS Score: 7.5 / 10 (High) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-22869 • https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22 • https://github.com/golang/crypto • https://go-review.googlesource.com/c/crypto/+/652135 • https://go.dev/cl/652135 • https://go.dev/issue/71931 • https://pkg.go.dev/vuln/GO-2025-3487 • https://security.netapp.com/advisory/ntap-20250411-0010 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Potential denial of service in golang.org/x/crypto CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487 More information #### Details SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. #### Severity Unknown #### References • https://go.dev/cl/652135 • https://go.dev/issue/71931 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5503 chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ---------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/net | v0.33.0 -> v0.38.0 | [[age](https://camo.githubusercontent.com/8085a98b86fb9e6465f09bee9106b8853aa9ee3bad200d0f2f8af44dea6308f9/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/c6f84ae4e14713523cb1898d3a4a4cd5693d08913d33970acad58d753ab1178e/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/b83fce873e68fad1f9edc744088db2219e90f05823e6f392311d3464abbd2bce/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33332e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/ffc33f232f43b8d0d074d8b0a739fd5129e3b9216fb88b1a1be4a9de56891245/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33332e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503 More information #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity • CVSS Score: 4.4 / 10 (Medium) • Vector String:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-22870 • https://go-review.googlesource.com/q/project:net • https://go.dev/cl/654697 • https://go.dev/issue/71984 • https://pkg.go.dev/vuln/GO-2025-3503 • https://security.netapp.com/advisory/ntap-20250509-0007 • http://www.openwall.com/lists/oss-security/2025/03/07/2 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503 More information #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity Unknown #### References • https://go.dev/cl/654697 • https://go.dev/issue/71984 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### golang.org/x/net vulnerable to Cross-site Scripting CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity • CVSS Score: Unknown • Vector String: `CVSS4.0/AVN/ACL/ATN/PRN/UIP/VCN/VIN/VAN/SCL/… runatlantis/atlantis

#5579 chore(deps): Convert go yaml to goccy yaml Pull request opened by lukemassa ## what Convert from gopkg.in/yaml.v3 to github.com/goccy/go-yaml ## why https://github.com/go-yaml/yaml has been officially deprecated. ## tests Unit tests ## references runatlantis/atlantis

#5584 ci: release branches for security updates only Pull request opened by nitrocode ## what • ci: release branches for security updates only ## why • Fewer PRs that are duplicated across release branches ## tests ## references • https://docs.renovatebot.com/configuration-options/#matchbasebranches runatlantis/atlantis