
chore(deps): update module github.com/sigstore/fulcio to v1.8.3 [security] #1354

Closed

ocmbot[bot] wants to merge 1 commit into main from renovate/go-github.com-sigstore-fulcio-vulnerability

Conversation

ocmbot Bot (Contributor) commented Dec 6, 2025:
This PR contains the following updates:

Package                     Type      Update  Change            OpenSSF
github.com/sigstore/fulcio  indirect  minor   v1.7.1 -> v1.8.3  OpenSSF Scorecard

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-66506

Function identity.extractIssuerURL currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details
See identity.extractIssuerURL

Impact
Excessive memory allocation


Release Notes

sigstore/fulcio (github.com/sigstore/fulcio)

v1.8.3

Vulnerability Fixes

Features

  • feat: Add support for skipping email_verified claim requirement per issuer (#2220)
  • add meta-issuer circleci block (#2215)
  • add circleci info to fulcio (#2192)

Testing

v1.8.2

Testing

  • make email address in test cases rfc822 conformant (#2205)

v1.8.1

Same as v1.8.0, but with a fix for the CI build pipeline.

v1.8.0

Bug Fixes

  • fix: K8s API does not accept unauthorized requests (#2111)
  • fix: vault for enterprise expects only the key name (#2117)
  • fix(config): respect cacert on oidc-issuers (#2098)
  • Register /healthz endpoint when listening on duplex http/grpc port (#2046)

Features

  • feat: adds cert loading and key-match validation. (#2173)
  • expose gcp kms retry and timeout options (#2132)
  • server: Use warning log level for client errors (#2147)
  • Add workflow to periodically validate OIDC issuers (#2188)
  • Add Chainguard issuer (#2078)
  • Add logging for template error (#2194)
  • Add extension for deployment environment (#2190)

Removal

  • Remove cmd/create_tink_keyset (#2096)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
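The weakness the advisory above describes (CWE-405 via an unbounded strings.Split on an untrusted token), as an added example that is not fulcio's code: an illustrative reconstruction of the split-first pattern beside a bounded variant that checks the token's shape before allocating anything proportional to its length. The names issuerUnbounded, issuerBounded, issuerFromPayload and makeToken are assumed for this example; the advisory's constant factor of about 16 corresponds to the 16-byte string header that a 64-bit Go []string holds per segment.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Package-level sentinel: rejecting a malformed token must not allocate.
var errNotJWT = errors.New("malformed jwt: expected exactly 3 dot-separated parts")
// issuerUnbounded is an illustrative reconstruction (not fulcio's code) of the pattern
// the advisory describes: n periods give a []string of n+1 16-byte headers before any check.
func issuerUnbounded(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed jwt: expected 3 parts, got %d", len(parts))
	}
	return issuerFromPayload(parts[1])
}

// issuerBounded checks the shape first: strings.Count allocates nothing and SplitN
// caps the slice at 3 entries, so allocation no longer scales with the period count.
func issuerBounded(token string) (string, error) {
	if strings.Count(token, ".") != 2 {
		return "", errNotJWT
	}
	return issuerFromPayload(strings.SplitN(token, ".", 3)[1])
}

// issuerFromPayload decodes the (unverified) payload segment and reads "iss".
func issuerFromPayload(seg string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(raw, &claims); err != nil || claims.Iss == "" {
		return "", errors.New("payload has no usable iss claim")
	}
	return claims.Iss, nil
}

// makeToken builds a constructed, unsigned sample token (demonstration only).
func makeToken(iss string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"iss":%q}`, iss)))
	return hdr + "." + body + ".sig"
}
```

Both variants end up rejecting a token made of nothing but periods; the difference is that the bounded one does so without first building a slice the size of the input, which is exactly the amplification the advisory rates as CWE-405.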

@ocmbot ocmbot Bot requested a review from a team as a code owner December 6, 2025 00:29
@ocmbot ocmbot Bot enabled auto-merge (squash) December 6, 2025 00:29
ocmbot Bot (Contributor, Author) commented Dec 6, 2025:
ℹ️ Artifact update notice

File name: kubernetes/controller/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package                      Change
github.com/sigstore/sigstore v1.9.6-0.20251007084510-03d481d3b6fc -> v1.10.0
github.com/spf13/cobra       v1.10.1 -> v1.10.2

@github-actions github-actions Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. size/m Medium labels Dec 6, 2025
@ocmbot ocmbot Bot force-pushed the renovate/go-github.com-sigstore-fulcio-vulnerability branch 2 times, most recently from 0bf53ca to 70c99c1 Compare December 8, 2025 00:46
frewilhelm (Contributor) commented:

```
$ go mod why -m github.com/sigstore/fulcio
# github.com/sigstore/fulcio
ocm.software/open-component-model/kubernetes/controller/internal/controller/resource
ocm.software/ocm/api/ocm/compdesc
ocm.software/ocm/api/tech/signing/handlers
ocm.software/ocm/api/tech/signing/handlers/sigstore
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/fulcio/pkg/api
```

github.com/sigstore/fulcio is introduced by the resource controller + ocm lib v1. Since the controllers are still under active development, no official release is available, and we plan to finish the migration of the resource controller this year, we could argue to ignore this dependency bump for now.

@ocmbot ocmbot Bot force-pushed the renovate/go-github.com-sigstore-fulcio-vulnerability branch 21 times, most recently from 66468b0 to 5a3d2c9 Compare December 10, 2025 00:34
@ocmbot ocmbot Bot force-pushed the renovate/go-github.com-sigstore-fulcio-vulnerability branch 13 times, most recently from c1c256e to 0b464c0 Compare December 15, 2025 08:42
@ocmbot ocmbot Bot force-pushed the renovate/go-github.com-sigstore-fulcio-vulnerability branch 12 times, most recently from 5c98b6d to 277af56 Compare December 15, 2025 12:59

frewilhelm (Contributor) left a review comment:

blocked as we need to fix this in ocm v1 first

frewilhelm (Contributor) commented:

superseded by #1432
