chore(deps): bump github.com/hashicorp/go-getter from 1.7.9 to 1.8.6 #2009

Open
dependabot[bot] wants to merge 3 commits into main from dependabot/go_modules/github.com/hashicorp/go-getter-1.8.6

@dependabot dependabot Bot commented on behalf of github Apr 10, 2026

Bumps github.com/hashicorp/go-getter from 1.7.9 to 1.8.6.

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.6

No release notes provided.

v1.8.5

What's Changed

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

v1.8.4

What's Changed

... (truncated)

Commits
  • d23bff4 Merge pull request #608 from hashicorp/dependabot/go_modules/go-security-9c51...
  • 2c4aba8 Merge pull request #613 from hashicorp/pull/v1.8.6
  • fe61ed9 Merge pull request #611 from hashicorp/SECVULN-41053
  • d533656 Merge pull request #606 from hashicorp/pull/CRT
  • 388f23d Additional test for local branch and head
  • b7ceaa5 harden checkout ref handling and added regression tests
  • 769cc14 Release version bump up
  • 6086a6a Review Comments Addressed
  • e02063c Revert "SECVULN Fix for git checkout argument injection enables arbitrary fil...
  • c93084d [chore] : Bump google.golang.org/grpc
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 10, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 10, 2026 15:15
@dependabot dependabot Bot requested review from songgaoye and thomas-nguy and removed request for a team April 10, 2026 15:15
socket-security Bot commented Apr 10, 2026

@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/hashicorp/go-getter-1.8.6 branch from dffc993 to 2475283 Compare April 21, 2026 08:13
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/hashicorp/go-getter-1.8.6 branch from 2475283 to 1504b7b Compare April 30, 2026 03:06
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.9 to 1.8.6.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Commits](hashicorp/go-getter@v1.7.9...v1.8.6)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-version: 1.8.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/hashicorp/go-getter-1.8.6 branch from 1504b7b to f5b47f7 Compare May 1, 2026 01:17
JayT106 and others added 2 commits May 1, 2026 10:02
Two fixes:
1. otel/sdk v1.42.0 has GHSA-hfvc-g4fc-pqhx (PATH hijacking via kenv).
   Upgraded all otel packages to v1.43.0 which contains the fix.

2. go-getter v1.8.6 requires go 1.25.8. The pinned nixpkgs (Feb 2026)
   only has go 1.25.6, causing the Nix build to fail when GOTOOLCHAIN=auto
   tries to download go1.25.8. Updated flake.lock to nixos-25.11 @ 755f5aa
   (Apr 2026) which ships go 1.25.8.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@JayT106 JayT106 enabled auto-merge May 1, 2026 14:03