Skip to content

chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 in /cli/azd/extensions/azure.ai.models#7228

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/cli/azd/extensions/azure.ai.models/github.com/buger/jsonparser-1.1.2
Open

chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 in /cli/azd/extensions/azure.ai.models#7228
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/cli/azd/extensions/azure.ai.models/github.com/buger/jsonparser-1.1.2

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 20, 2026

Bumps github.com/buger/jsonparser from 1.1.1 to 1.1.2.

Release notes

Sourced from github.com/buger/jsonparser's releases.

v1.1.2

What's Changed

New Contributors

Full Changelog: buger/jsonparser@v1.1.1...v1.1.2

Commits
  • a69e7e0 Merge pull request #276 from dbarrosop/master
  • d3eacc0 fix: prevent panic on negative slice index in Delete with malformed JSON (GO-...
  • 61b32cf Merge pull request #241 from unxcepted/master
  • 2181e83 Merge pull request #244 from ScaleChamp/patch-2
  • 1510b51 Added latest versions of go to tests
  • 6fc2e48 fix: eachkey allocation
  • a6f867e Merge pull request #239 from AdamKorcz/cifuzz1
  • cbc01fd Fuzzing: Add CIFuzz
  • dc92d69 Merge pull request #228 from jonomacd/null-handling
  • 2d9d634 Merge pull request #231 from carsonip/fix-parseint-overflow-check
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump github.com/buger/jsonparser
4440e57 
Bumps [github.com/buger/jsonparser](https://github.com/buger/jsonparser) from 1.1.1 to 1.1.2.
- [Release notes](https://github.com/buger/jsonparser/releases)
- [Commits](buger/jsonparser@v1.1.1...v1.1.2)

---
updated-dependencies:
- dependency-name: github.com/buger/jsonparser
  dependency-version: 1.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies go Pull requests that update go code labels Mar 20, 2026
@dependabot dependabot bot requested a review from wbreza as a code owner March 20, 2026 20:10
@dependabot dependabot bot added the go Pull requests that update go code label Mar 20, 2026
@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported identify a customer issue label Mar 20, 2026
@microsoft-github-policy-service
Copy link
Contributor

microsoft-github-policy-service bot commented Mar 20, 2026

Thank you for your contribution @dependabot[bot]! We will review the pull request and get back to you soon.

wbreza
wbreza approved these changes Mar 20, 2026
View reviewed changes
Copy link
Contributor

@wbreza wbreza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Approve — Security Patch

jsonparser 1.1.1 → 1.1.2 (indirect dep in azure.ai.models extension)

Key Finding

🔴 Fixes GO-2026-4514 (CVSS 7.5) — malformed JSON can cause panic via negative slice index in Delete function, enabling DoS attacks.

Review Summary

  • Files: Only go.mod + go.sum changed (as expected)
  • CI: All checks passing
  • Breaking changes: None — same API surface
  • Bonus: Performance improvements (eliminated allocations in EachKey), parseInt overflow fix

Recommend merging promptly given the security fix.

Review performed with GitHub Copilot CLI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wbreza wbreza wbreza approved these changes

@vhvb1989 vhvb1989 Awaiting requested review from vhvb1989 vhvb1989 is a code owner

@hemarina hemarina Awaiting requested review from hemarina hemarina is a code owner

@weikanglim weikanglim Awaiting requested review from weikanglim weikanglim is a code owner

@JeffreyCA JeffreyCA Awaiting requested review from JeffreyCA JeffreyCA is a code owner

@tg-msft tg-msft Awaiting requested review from tg-msft tg-msft is a code owner

@rajeshkamal5050 rajeshkamal5050 Awaiting requested review from rajeshkamal5050 rajeshkamal5050 is a code owner

@trangevi trangevi Awaiting requested review from trangevi trangevi is a code owner

@achauhan-scc achauhan-scc Awaiting requested review from achauhan-scc achauhan-scc is a code owner

@kingernupur kingernupur Awaiting requested review from kingernupur kingernupur is a code owner

@rabollin rabollin Awaiting requested review from rabollin rabollin is a code owner

@saanikaguptamicrosoft saanikaguptamicrosoft Awaiting requested review from saanikaguptamicrosoft saanikaguptamicrosoft is a code owner

Assignees

No one assigned

Labels

customer-reported identify a customer issue dependencies go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wbreza