chore: update go.mod to fix vuln

sonupreetam · sonupreetam · commit dd8ea4ef5494 · 2026-03-25T04:02:38.000-04:00
Signed-off-by: Sonu Preetam &lt;spreetam@redhat.com&gt;
diff --git a/cmd/sync-content/cleanup_test.go b/cmd/sync-content/cleanup_test.go
@@ -15,8 +15,12 @@ func TestCleanOrphanedFiles(t *testing.T) {
 	otherFile := filepath.Join(dir, "content", "docs", "projects", "complyscribe", "_index.md")
 
 	for _, f := range []string{staleFile, keptFile, otherFile} {
-		os.MkdirAll(filepath.Dir(f), 0o755)
-		os.WriteFile(f, []byte("test"), 0o644)
+		if err := os.MkdirAll(filepath.Dir(f), 0o755); err != nil {
+			t.Fatalf("MkdirAll: %v", err)
+		}
+		if err := os.WriteFile(f, []byte("test"), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 	}
 
 	oldManifest := map[string]bool{
@@ -51,8 +55,12 @@ func TestCleanOrphanedFiles_PrunesEmptyDirs(t *testing.T) {
 
 	staleDir := filepath.Join(dir, "content", "docs", "projects", "removed-repo")
 	staleFile := filepath.Join(staleDir, "_index.md")
-	os.MkdirAll(staleDir, 0o755)
-	os.WriteFile(staleFile, []byte("test"), 0o644)
+	if err := os.MkdirAll(staleDir, 0o755); err != nil {
+		t.Fatalf("MkdirAll: %v", err)
+	}
+	if err := os.WriteFile(staleFile, []byte("test"), 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
 
 	oldManifest := map[string]bool{
 		"content/docs/projects/removed-repo/_index.md": true,
@@ -73,7 +81,9 @@ func TestCleanOrphanedFiles_TraversalBlocked(t *testing.T) {
 
 	outsideDir := t.TempDir()
 	outsideFile := filepath.Join(outsideDir, "should-survive.txt")
-	os.WriteFile(outsideFile, []byte("protected"), 0o644)
+	if err := os.WriteFile(outsideFile, []byte("protected"), 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
 
 	relTraversal, err := filepath.Rel(dir, outsideFile)
 	if err != nil {
@@ -98,8 +108,12 @@ func TestCleanOrphanedFiles_LegitimateRemoval(t *testing.T) {
 	dir := t.TempDir()
 
 	legitFile := filepath.Join(dir, "content", "docs", "projects", "old-repo", "_index.md")
-	os.MkdirAll(filepath.Dir(legitFile), 0o755)
-	os.WriteFile(legitFile, []byte("stale"), 0o644)
+	if err := os.MkdirAll(filepath.Dir(legitFile), 0o755); err != nil {
+		t.Fatalf("MkdirAll: %v", err)
+	}
+	if err := os.WriteFile(legitFile, []byte("stale"), 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
 
 	oldManifest := map[string]bool{
 		"content/docs/projects/old-repo/_index.md": true,
diff --git a/cmd/sync-content/config_test.go b/cmd/sync-content/config_test.go
@@ -12,15 +12,17 @@ func TestLoadConfig(t *testing.T) {
 	t.Run("valid config", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "sync-config.yaml")
-		os.WriteFile(path, []byte(`
+		if err := os.WriteFile(path, []byte(`
 defaults:
   branch: main
 sources:
   - repo: org/repo1
     files:
       - src: README.md
         dest: content/docs/projects/repo1/_index.md
-`), 0o644)
+`), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		cfg, err := loadConfig(path)
 		if err != nil {
@@ -43,13 +45,15 @@ sources:
 	t.Run("default branch applied", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "cfg.yaml")
-		os.WriteFile(path, []byte(`
+		if err := os.WriteFile(path, []byte(`
 sources:
   - repo: org/repo1
     files:
       - src: README.md
         dest: out/README.md
-`), 0o644)
+`), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		cfg, err := loadConfig(path)
 		if err != nil {
@@ -63,7 +67,9 @@ sources:
 	t.Run("malformed YAML", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "bad.yaml")
-		os.WriteFile(path, []byte(`{{{not yaml`), 0o644)
+		if err := os.WriteFile(path, []byte(`{{{not yaml`), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		_, err := loadConfig(path)
 		if err == nil {
@@ -81,12 +87,14 @@ sources:
 	t.Run("missing repo field", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "cfg.yaml")
-		os.WriteFile(path, []byte(`
+		if err := os.WriteFile(path, []byte(`
 sources:
   - files:
       - src: README.md
         dest: out/README.md
-`), 0o644)
+`), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		_, err := loadConfig(path)
 		if err == nil {
@@ -100,12 +108,14 @@ sources:
 	t.Run("missing src field", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "cfg.yaml")
-		os.WriteFile(path, []byte(`
+		if err := os.WriteFile(path, []byte(`
 sources:
   - repo: org/repo1
     files:
       - dest: out/README.md
-`), 0o644)
+`), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		_, err := loadConfig(path)
 		if err == nil {
diff --git a/cmd/sync-content/github.go b/cmd/sync-content/github.go
@@ -89,13 +89,13 @@ func (c *apiClient) getJSON(ctx context.Context, url string, dst any) error {
 		if resp.StatusCode == http.StatusOK {
 			limited := io.LimitReader(resp.Body, maxResponseBytes)
 			err = json.NewDecoder(limited).Decode(dst)
-			io.Copy(io.Discard, resp.Body)
-			resp.Body.Close()
+			_, _ = io.Copy(io.Discard, resp.Body)
+			_ = resp.Body.Close()
 			return err
 		}
 
 		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
-		resp.Body.Close()
+		_ = resp.Body.Close()
 		lastErr = fmt.Errorf("GET %s: %d %s", url, resp.StatusCode, body)
 
 		if !isRateLimited(resp) || attempt == maxRetries {
@@ -140,7 +140,14 @@ func retryWait(resp *http.Response, attempt int) time.Duration {
 			}
 		}
 	}
-	return time.Duration(1<<uint(attempt)) * time.Second
+	shift := attempt
+	if shift < 0 {
+		shift = 0
+	}
+	if shift > 5 {
+		shift = 5
+	}
+	return time.Duration(1<<shift) * time.Second
 }
 
 // appendRef appends a ?ref= query parameter to a URL when ref is non-empty,
diff --git a/cmd/sync-content/github_test.go b/cmd/sync-content/github_test.go
@@ -14,15 +14,15 @@ func TestListDirMD(t *testing.T) {
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/repos/org/repo/contents/docs", func(w http.ResponseWriter, r *http.Request) {
-		json.NewEncoder(w).Encode([]DirEntry{
+		_ = json.NewEncoder(w).Encode([]DirEntry{
 			{Name: "guide.md", Path: "docs/guide.md", Type: "file"},
 			{Name: "image.png", Path: "docs/image.png", Type: "file"},
 			{Name: "sub", Path: "docs/sub", Type: "dir"},
 		})
 	})
 
 	mux.HandleFunc("/repos/org/repo/contents/docs/sub", func(w http.ResponseWriter, r *http.Request) {
-		json.NewEncoder(w).Encode([]DirEntry{
+		_ = json.NewEncoder(w).Encode([]DirEntry{
 			{Name: "nested.md", Path: "docs/sub/nested.md", Type: "file"},
 			{Name: "data.json", Path: "docs/sub/data.json", Type: "file"},
 		})
@@ -64,7 +64,7 @@ func TestListDirMD_DepthLimit(t *testing.T) {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/repos/org/repo/contents/", func(w http.ResponseWriter, r *http.Request) {
 		callCount++
-		json.NewEncoder(w).Encode([]DirEntry{
+		_ = json.NewEncoder(w).Encode([]DirEntry{
 			{Name: "file.md", Path: r.URL.Path[len("/repos/org/repo/contents/"):] + "/file.md", Type: "file"},
 			{Name: "deeper", Path: r.URL.Path[len("/repos/org/repo/contents/"):] + "/deeper", Type: "dir"},
 		})
@@ -134,7 +134,7 @@ func TestGetREADME_WithRef(t *testing.T) {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/repos/org/repo/readme", func(w http.ResponseWriter, r *http.Request) {
 		receivedRef = r.URL.Query().Get("ref")
-		json.NewEncoder(w).Encode(FileResponse{
+		_ = json.NewEncoder(w).Encode(FileResponse{
 			Content:  "VEVTVA==",
 			Encoding: "base64",
 			SHA:      "sha123",
@@ -171,7 +171,7 @@ func TestListDirMD_WithRef(t *testing.T) {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/repos/org/repo/contents/docs", func(w http.ResponseWriter, r *http.Request) {
 		receivedRef = r.URL.Query().Get("ref")
-		json.NewEncoder(w).Encode([]DirEntry{
+		_ = json.NewEncoder(w).Encode([]DirEntry{
 			{Name: "guide.md", Path: "docs/guide.md", Type: "file"},
 		})
 	})
@@ -206,7 +206,7 @@ func TestFetchPeribolosRepos(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		mux := http.NewServeMux()
 		mux.HandleFunc("/repos/myorg/.github/contents/peribolos.yaml", func(w http.ResponseWriter, r *http.Request) {
-			json.NewEncoder(w).Encode(FileResponse{
+			_ = json.NewEncoder(w).Encode(FileResponse{
 				Content:  b64(peribolosYAML),
 				Encoding: "base64",
 			})
@@ -234,7 +234,7 @@ func TestFetchPeribolosRepos(t *testing.T) {
 	t.Run("missing org in peribolos", func(t *testing.T) {
 		mux := http.NewServeMux()
 		mux.HandleFunc("/repos/otherorg/.github/contents/peribolos.yaml", func(w http.ResponseWriter, r *http.Request) {
-			json.NewEncoder(w).Encode(FileResponse{
+			_ = json.NewEncoder(w).Encode(FileResponse{
 				Content:  b64(peribolosYAML),
 				Encoding: "base64",
 			})
@@ -254,7 +254,7 @@ func TestFetchPeribolosRepos(t *testing.T) {
 		mux := http.NewServeMux()
 		mux.HandleFunc("/repos/noorg/.github/contents/peribolos.yaml", func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusNotFound)
-			w.Write([]byte(`{"message":"Not Found"}`))
+			_, _ = w.Write([]byte(`{"message":"Not Found"}`))
 		})
 
 		server := httptest.NewServer(mux)
@@ -271,7 +271,7 @@ func TestFetchPeribolosRepos(t *testing.T) {
 func TestGetRepoMetadata(t *testing.T) {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/repos/org/myrepo", func(w http.ResponseWriter, r *http.Request) {
-		json.NewEncoder(w).Encode(Repo{
+		_ = json.NewEncoder(w).Encode(Repo{
 			Name:        "myrepo",
 			FullName:    "org/myrepo",
 			Description: "A test repo",
@@ -305,7 +305,7 @@ func TestContextCancellationDuringRetry(t *testing.T) {
 		callCount++
 		w.Header().Set("Retry-After", "60")
 		w.WriteHeader(http.StatusTooManyRequests)
-		w.Write([]byte(`{"message":"rate limited"}`))
+		_, _ = w.Write([]byte(`{"message":"rate limited"}`))
 	})
 	server := httptest.NewServer(mux)
 	defer server.Close()
diff --git a/cmd/sync-content/lock.go b/cmd/sync-content/lock.go
@@ -58,7 +58,7 @@ func writeLock(path string, lock *ContentLock) error {
 	if err != nil {
 		return fmt.Errorf("marshaling lock: %w", err)
 	}
-	return os.WriteFile(path, append(data, '\n'), 0o644)
+	return os.WriteFile(path, append(data, '\n'), 0o600)
 }
 
 // sha returns the approved branch SHA for a repo, or "" if not locked.
diff --git a/cmd/sync-content/lock_test.go b/cmd/sync-content/lock_test.go
@@ -51,7 +51,9 @@ func TestReadLock_MissingFile(t *testing.T) {
 func TestReadLock_InvalidJSON(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "bad.json")
-	os.WriteFile(path, []byte("not json"), 0o644)
+	if err := os.WriteFile(path, []byte("not json"), 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
 
 	_, err := readLock(path)
 	if err == nil {
@@ -106,7 +108,9 @@ func TestWriteLock_DeterministicOrder(t *testing.T) {
 func TestReadLock_NilReposInitialized(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "lock.json")
-	os.WriteFile(path, []byte(`{}`), 0o644)
+	if err := os.WriteFile(path, []byte(`{}`), 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
 
 	lock, err := readLock(path)
 	if err != nil {
diff --git a/cmd/sync-content/manifest.go b/cmd/sync-content/manifest.go
@@ -131,5 +131,5 @@ func writeManifest(outputDir string, files []string) error {
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(outputDir, manifestFile), append(data, '\n'), 0o644)
+	return os.WriteFile(filepath.Join(outputDir, manifestFile), append(data, '\n'), 0o600)
 }
diff --git a/cmd/sync-content/manifest_test.go b/cmd/sync-content/manifest_test.go
@@ -44,7 +44,9 @@ func TestReadFrontmatterParams(t *testing.T) {
 	t.Run("reads params from generated frontmatter", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "_index.md")
-		os.WriteFile(path, []byte("---\ntitle: \"test\"\nparams:\n  source_sha: \"abc123\"\n  readme_sha: \"def456\"\n---\n"), 0o644)
+		if err := os.WriteFile(path, []byte("---\ntitle: \"test\"\nparams:\n  source_sha: \"abc123\"\n  readme_sha: \"def456\"\n---\n"), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		params := readFrontmatterParams(path)
 		if params == nil {
@@ -61,7 +63,9 @@ func TestReadFrontmatterParams(t *testing.T) {
 	t.Run("does not match similarly-prefixed keys", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "_index.md")
-		os.WriteFile(path, []byte("---\ntitle: \"test\"\nparams:\n  source_sha_v2: \"wrong\"\n  source_sha: \"correct\"\n---\n"), 0o644)
+		if err := os.WriteFile(path, []byte("---\ntitle: \"test\"\nparams:\n  source_sha_v2: \"wrong\"\n  source_sha: \"correct\"\n---\n"), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		params := readFrontmatterParams(path)
 		if v, _ := params["source_sha"].(string); v != "correct" {
@@ -82,7 +86,9 @@ func TestReadFrontmatterParams(t *testing.T) {
 	t.Run("no frontmatter returns nil", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "plain.md")
-		os.WriteFile(path, []byte("# No frontmatter\nBody."), 0o644)
+		if err := os.WriteFile(path, []byte("# No frontmatter\nBody."), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		params := readFrontmatterParams(path)
 		if params != nil {
@@ -93,7 +99,9 @@ func TestReadFrontmatterParams(t *testing.T) {
 	t.Run("no params section returns nil", func(t *testing.T) {
 		dir := t.TempDir()
 		path := filepath.Join(dir, "no-params.md")
-		os.WriteFile(path, []byte("---\ntitle: test\n---\nBody."), 0o644)
+		if err := os.WriteFile(path, []byte("---\ntitle: test\n---\nBody."), 0o600); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
 
 		params := readFrontmatterParams(path)
 		if params != nil {
@@ -105,10 +113,14 @@ func TestReadFrontmatterParams(t *testing.T) {
 func TestReadExistingState_UsesYAMLParsing(t *testing.T) {
 	dir := t.TempDir()
 	repoDir := filepath.Join(dir, "content", "docs", "projects", "test-repo")
-	os.MkdirAll(repoDir, 0o755)
-	os.WriteFile(filepath.Join(repoDir, "_index.md"), []byte(
+	if err := os.MkdirAll(repoDir, 0o755); err != nil {
+		t.Fatalf("MkdirAll: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(repoDir, "_index.md"), []byte(
 		"---\ntitle: \"test-repo\"\nparams:\n  source_sha: \"branch-sha-123\"\n  readme_sha: \"readme-sha-456\"\n---\n",
-	), 0o644)
+	), 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
 
 	state := readExistingState(dir)
 	if len(state) != 1 {
diff --git a/cmd/sync-content/sync.go b/cmd/sync-content/sync.go
diff --git a/cmd/sync-content/sync_test.go b/cmd/sync-content/sync_test.go
diff --git a/cmd/sync-content/transform.go b/cmd/sync-content/transform.go
diff --git a/go.mod b/go.mod

Original file line number	Diff line number	Diff line change
`@@ -89,13 +89,13 @@ func (c *apiClient) getJSON(ctx context.Context, url string, dst any) error {`
`89`	`89`	`if resp.StatusCode == http.StatusOK {`
`90`	`90`	`limited := io.LimitReader(resp.Body, maxResponseBytes)`
`91`	`91`	`err = json.NewDecoder(limited).Decode(dst)`
`92`		`- io.Copy(io.Discard, resp.Body)`
`93`		`- resp.Body.Close()`
	`92`	`+ _, _ = io.Copy(io.Discard, resp.Body)`
	`93`	`+ _ = resp.Body.Close()`
`94`	`94`	`return err`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))`
`98`		`- resp.Body.Close()`
	`98`	`+ _ = resp.Body.Close()`
`99`	`99`	`lastErr = fmt.Errorf("GET %s: %d %s", url, resp.StatusCode, body)`
`100`	`100`
`101`	`101`	`if !isRateLimited(resp) \|\| attempt == maxRetries {`
`@@ -140,7 +140,14 @@ func retryWait(resp *http.Response, attempt int) time.Duration {`
`140`	`140`	`}`
`141`	`141`	`}`
`142`	`142`	`}`
`143`		`- return time.Duration(1<<uint(attempt)) * time.Second`
	`143`	`+ shift := attempt`
	`144`	`+ if shift < 0 {`
	`145`	`+ shift = 0`
	`146`	`+ }`
	`147`	`+ if shift > 5 {`
	`148`	`+ shift = 5`
	`149`	`+ }`
	`150`	`+ return time.Duration(1<<shift) * time.Second`
`144`	`151`	`}`
`145`	`152`
`146`	`153`	`// appendRef appends a ?ref= query parameter to a URL when ref is non-empty,`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func writeLock(path string, lock *ContentLock) error {`
`58`	`58`	`if err != nil {`
`59`	`59`	`return fmt.Errorf("marshaling lock: %w", err)`
`60`	`60`	`}`
`61`		`- return os.WriteFile(path, append(data, '\n'), 0o644)`
	`61`	`+ return os.WriteFile(path, append(data, '\n'), 0o600)`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`// sha returns the approved branch SHA for a repo, or "" if not locked.`
Original file line number	Diff line number	Diff line change
`@@ -131,5 +131,5 @@ func writeManifest(outputDir string, files []string) error {`
`131`	`131`	`if err != nil {`
`132`	`132`	`return err`
`133`	`133`	`}`
`134`		`- return os.WriteFile(filepath.Join(outputDir, manifestFile), append(data, '\n'), 0o644)`
	`134`	`+ return os.WriteFile(filepath.Join(outputDir, manifestFile), append(data, '\n'), 0o600)`
`135`	`135`	`}`