chore(deps): bump golang.org/x/oauth2 from v0.13.0 to v0.28.0 #288

Merged
lbajolet-hashicorp merged 1 commit into main from chore(deps)/update-oauth2
Apr 22, 2025

Conversation

@tenthirtyam (Collaborator) commented Mar 31, 2025

Description

Updates golang.org/x/oauth2 from v0.13.0 to v0.28.0 based on the OSV-reported vulnerability GO-2025-3488 in golang.org/x/oauth2@v0.13.0.

TL;DR: "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing."

Testing

packer-plugin-vmware on  chore(deps)/update-oauth2 via 🐹 v1.24.1 
➜ go get -u golang.org/x/oauth2
go: upgraded cloud.google.com/go/compute/metadata v0.2.3 => v0.3.0
go: upgraded golang.org/x/oauth2 v0.13.0 => v0.28.0

packer-plugin-vmware on  chore(deps)/update-oauth2 [!] via 🐹 v1.24.1 
➜ go mod tidy

packer-plugin-vmware on  chore(deps)/update-oauth2 [!] via 🐹 v1.24.1 
➜ make build                   

packer-plugin-vmware on  chore(deps)/update-oauth2 [!] via 🐹 v1.24.1 took 9.1s 
➜ make dev
packer plugins install --path packer-plugin-vmware "github.com/hashicorp/vmware"
Successfully installed plugin github.com/hashicorp/vmware from /Users/johnsonryan/Downloads/packer-plugin-vmware/packer-plugin-vmware to /Users/johnsonryan/.packer.d/plugins/github.com/hashicorp/vmware/packer-plugin-vmware_v1.1.1-dev_x5.0_darwin_amd64

packer-plugin-vmware on  chore(deps)/update-oauth2 [!] via 🐹 v1.24.1 took 5.6s 
➜ make test
?       github.com/hashicorp/packer-plugin-vmware       [no test files]
ok      github.com/hashicorp/packer-plugin-vmware/builder/vmware/common 7.391s
ok      github.com/hashicorp/packer-plugin-vmware/builder/vmware/iso    3.263s
ok      github.com/hashicorp/packer-plugin-vmware/builder/vmware/vmx    2.211s
?       github.com/hashicorp/packer-plugin-vmware/version       [no test files]

Reference

https://github.com/hashicorp/packer-plugin-vmware/security/code-scanning/66
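A gate a reviewer can run after a bump like this one to confirm the fix actually landed in the build graph, added here as an example and not code from the PR or from packer-plugin-vmware: it reads the JSON stream that `go list -m -json all` prints and reports whether golang.org/x/oauth2 resolves to the fixed version v0.28.0 or later. It honours a replace directive, which could otherwise pin the old release while go.mod looks current, and it treats a pre-release of the fixed version as still vulnerable. The Module type and sampleBuildList are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

type Module struct { // the `go list -m -json all` fields used here
	Path, Version string
	Replace       *Module // set when a replace directive redirects the module
}

const sampleBuildList = `{"Path":"github.com/hashicorp/packer-plugin-vmware","Main":true}
{"Path":"golang.org/x/oauth2","Version":"v0.28.0"}
{"Path":"cloud.google.com/go/compute/metadata","Version":"v0.3.0"}` // constructed sample in `go list -m -json all` format

// key maps "vMAJOR.MINOR.PATCH[-pre]" to a string that sorts in version order (%t: release "true" > pre-release "false").
func key(v string) (string, error) {
	base, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var a, b, c int
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &a, &b, &c); err != nil {
		return "", fmt.Errorf("unexpected version %q", v)
	}
	return fmt.Sprintf("%08d.%08d.%08d.%t", a, b, c, pre == ""), nil
}

// Fixed reports whether the module at path, as resolved in the build list r
// (honouring a replace directive), is at or above the fixed version.
func Fixed(r io.Reader, path, fixed string) (bool, error) {
	want, err := key(fixed)
	dec := json.NewDecoder(r)
	for err == nil {
		var m Module
		if err = dec.Decode(&m); err == io.EOF {
			return false, fmt.Errorf("module %s not in build list", path)
		} else if err == nil && m.Path == path {
			if m.Replace != nil {
				m = *m.Replace // the replacement is what actually builds
			}
			have, err := key(m.Version)
			return err == nil && have >= want, err
		}
	}
	return false, err
}

func main() {
	fmt.Println(Fixed(strings.NewReader(sampleBuildList), "golang.org/x/oauth2", "v0.28.0"))
}
```

In a real run, pipe `go list -m -json all` into Fixed instead of the sample. A directory replace carries no Version and is reported as an error, which is the right outcome for a gate.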

@tenthirtyam tenthirtyam added the dependencies and chore labels Mar 31, 2025
@tenthirtyam tenthirtyam added this to the v1.1.1 milestone Mar 31, 2025
@tenthirtyam tenthirtyam self-assigned this Mar 31, 2025
@tenthirtyam tenthirtyam marked this pull request as ready for review March 31, 2025 15:46
@tenthirtyam tenthirtyam requested a review from a team as a code owner March 31, 2025 15:46
Updates golang.org/x/oauth2 from v0.13.0 to v0.28.0 based on the OSV-reported vulnerability GO-2025-3488 in golang.org/x/oauth2@v0.13.0.

TL;DR: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Signed-off-by: Ryan Johnson <ryan.johnson@broadcom.com>
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the chore(deps)/update-oauth2 branch from 876c385 to ef05001 April 22, 2025 18:31
@lbajolet-hashicorp (Contributor) left a comment

Just rebased on top of main manually now, LGTM!

@lbajolet-hashicorp lbajolet-hashicorp merged commit e78f7d6 into main Apr 22, 2025
14 checks passed
@lbajolet-hashicorp lbajolet-hashicorp deleted the chore(deps)/update-oauth2 branch April 22, 2025 18:37
@github-actions (bot) commented

I'm going to lock this pull request because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 31, 2026