Skip to content

chore(deps): bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0#19473

Merged
rhacs-bot merged 1 commit intomasterfrom
dependabot/go_modules/github.com/russellhaering/goxmldsig-1.6.0
Mar 18, 2026
Merged

chore(deps): bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0#19473
rhacs-bot merged 1 commit intomasterfrom
dependabot/go_modules/github.com/russellhaering/goxmldsig-1.6.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 18, 2026
edited
Loading

Bumps github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0.

Release notes

Sourced from github.com/russellhaering/goxmldsig's releases.

v1.6.0

What's Changed

  • Security: Fix possible signature validation bypass caused by loop variable capture in validateSignature (GHSA-479m-364c-43vc)
  • Bump minimum Go version to 1.23
  • Bump github.com/beevik/etree to v1.6.0
  • Add fuzz tests for XML signature validation and canonicalization

Full Changelog: russellhaering/goxmldsig@v1.5.0...v1.6.0

Commits
  • 878c8c6 Apply go fix ./...
  • db3d1e3 Fix loop variable capture bug in validateSignature
  • 4f576b8 Bump dependencies
  • 79c29ee Rename FuzzValidate to FuzzValidateXML to avoid name collision
  • ac7bf74 Add fuzz tests for XML signature validation and canonicalization
  • a5805df Bump github/codeql-action from 2.13.4 to 3.28.17 (#155)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file labels Mar 18, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 18, 2026 05:54
@dependabot dependabot bot added dependencies Pull requests that update a dependency file ci-all-qa-tests Tells CI to run all API tests (not just BAT). auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails labels Mar 18, 2026
@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 18, 2026
edited
Loading

Images are ready for the commit at 4a144eb.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-361-g4a144ebadd.

@tommartensen
Copy link
Contributor

tommartensen commented Mar 18, 2026

@dependabot rebase

@dependabot
chore(deps): bump github.com/russellhaering/goxmldsig
4a144eb 
Bumps [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/russellhaering/goxmldsig/releases)
- [Commits](russellhaering/goxmldsig@v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/russellhaering/goxmldsig
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/russellhaering/goxmldsig-1.6.0 branch from a804de3 to 4a144eb Compare March 18, 2026 09:17
@rhacs-bot rhacs-bot enabled auto-merge (squash) March 18, 2026 12:01
@rhacs-bot rhacs-bot merged commit 6b9ea66 into master Mar 18, 2026
88 checks passed
@rhacs-bot rhacs-bot deleted the dependabot/go_modules/github.com/russellhaering/goxmldsig-1.6.0 branch March 18, 2026 12:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhacs-bot rhacs-bot rhacs-bot approved these changes

Assignees

No one assigned

Labels

auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rhacs-bot @tommartensen