Skip to content

Fix CI lint failures (gosec G710) and bump dependencies#258

Merged
patrickdappollonio merged 1 commit into
masterfrom
bump-dependencies-fix-ci
Jul 15, 2026
Merged

Fix CI lint failures (gosec G710) and bump dependencies#258
patrickdappollonio merged 1 commit into
masterfrom
bump-dependencies-fix-ci

Conversation

@patrickdappollonio

@patrickdappollonio patrickdappollonio commented Jul 15, 2026

Copy link
Copy Markdown
Owner

Why

The Testing push workflow uses golangci-lint@latest, and a recent golangci-lint release (2.12.x) added gosec rule G710: open redirect via taint analysis. This broke CI on master (since #249) and on every dependabot branch, which is why all the dependency PRs are blocked.

What

Lint/security fixes — G710 flagged three http.Redirect calls; two were legitimately exploitable (a request path starting with // yields a scheme-relative Location header, e.g. GET //evil.com/index.html → redirect to //evil.com/):

  • internal/middlewares/redir_indexes.go and internal/server/handlers.go: collapse duplicate leading slashes before redirecting so the target is always same-origin, then suppress the now-false-positive with justification.
  • internal/redirects/redirect.go: placeholder expansion (e.g. :splat) could also turn a local rule destination into //host; same leading-slash collapse applied. The redirect call itself is suppressed with justification since operator-configured rules may intentionally target external URLs.
  • Migrated gomodguardgomodguard_v2 (deprecation warning).

Dependency bumps — supersedes the blocked dependabot PRs #251, #252, #254, #255, #256, #257:

  • github.com/yuin/goldmark 1.8.2 → 1.8.4
  • golang.org/x/crypto 0.49.0 → 0.52.0 (+ x/sys, x/text via tidy)
  • github.com/go-chi/chi/v5 5.2.5 → 5.3.1
  • github.com/klauspost/compress 1.18.6 → 1.19.0
  • github.com/go-playground/validator/v10 10.30.2 → 10.30.3
  • actions/checkout v6 → v7 in all workflows

Verification

  • golangci-lint run (2.12.2, same as CI): 0 issues
  • go test ./...: all packages pass

🤖 Generated with Claude Code

golangci-lint's latest release added gosec rule G710 (open redirect via
taint analysis), which broke the "Testing push" workflow on master and
on every dependabot branch. Two of the three findings were legitimate:
a request path starting with "//" would produce a scheme-relative
Location header, redirecting to another host. Fix by collapsing
duplicate leading slashes before redirecting, and suppress the
remaining intentional case (operator-configured redirect rules may
target external URLs by design).

Also:
- Bump github.com/yuin/goldmark 1.8.2 -> 1.8.4
- Bump golang.org/x/crypto 0.49.0 -> 0.52.0
- Bump github.com/go-chi/chi/v5 5.2.5 -> 5.3.1
- Bump github.com/klauspost/compress 1.18.6 -> 1.19.0
- Bump github.com/go-playground/validator/v10 10.30.2 -> 10.30.3
- Bump actions/checkout v6 -> v7 in all workflows
- Migrate gomodguard -> gomodguard_v2 (deprecation warning)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@patrickdappollonio patrickdappollonio merged commit 3fa4e32 into master Jul 15, 2026
2 checks passed
@patrickdappollonio patrickdappollonio deleted the bump-dependencies-fix-ci branch July 15, 2026 02:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant